Creates a new VPN client root certificate.


New-AzureRmVpnClientRootCertificate
   -Name <String>
   -PublicCertData <String>
   [-DefaultProfile <IAzureContextContainer>]


The New-AzureRmVpnClientRootCertificate cmdlet creates a new VPN root certificate for use on a virtual network gateway. Root certificates are X.509 certificates that identify your Root Certification Authority: all other certificates used on the gateway trust the root certificate.

This cmdlet creates a stand-alone certificate that is not assigned to a virtual gateway. Instead, the certificate created by New-AzureRmVpnClientRootCertificate is used in conjunction with the New-AzureRmVirtualNetworkGateway cmdlet when creating a new gateway. For example, suppose you create a new certificate and store it in a variable named $Certificate. You can then use that certificate object when creating a new virtual gateway. For instance,

New-AzureRmVirtualNetworkGateway -Name "ContosoVirtualGateway" -ResourceGroupName "ContosoResourceGroup" -Location "West US" -GatewayType "VPN" -IpConfigurations $Ipconfig -VPNType "RouteBased" -VpnClientRootCertificates $Certificate

For more information, see the documentation for the New-AzureRmVirtualNetworkGateway cmdlet.


Example 1: Create a client root certificate

PS C:\> $Text = Get-Content -Path "C:\Azure\Certificates\ExportedCertficate.cer"
PS C:\> $CertificateText = for ($i=1; $i -lt $Text.Length -1 ; $i++){$Text[$i]}
PS C:\> $Certificate = New-AzureRmVpnClientRootCertificate -PublicCertData $CertificateText -Name "ContosoClientRootCertificate"

This example creates a client root certificate and stores the certificate object in a variable named $Certificate. This variable can then be used by the New-AzureRmVirtualNetworkGateway cmdlet to add a root certificate to a new virtual network gateway.

The first command uses the Get-Content cmdlet to get a previously exported text representation of the root certificate; that text data is stored in a variable named $Text.

The second command then uses a for loop to extract all the text except for the first line and the last line, storing the extracted text in a variable named $CertificateText.

The third command uses the New-AzureRmVpnClientRootCertificate cmdlet to create the certificate, storing the created object in a variable named $Certificate.

Required Parameters


-Name

Specifies a name for the new client root certificate.

Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-PublicCertData

Specifies a text representation of the root certificate to be added. To obtain the text representation, export your certificate in .cer format (using Base64 encoding), then open the resulting file in a text editor. You should see output similar to this (note that the actual output will contain many more lines of text than the abbreviated sample shown here):

----- BEGIN CERTIFICATE -----
MIIC13FAAXC3671Auij9HHgUNEW8343NMJklo09982CVVFAw8w
----- END CERTIFICATE -----

The PublicCertData is made up of all the lines between the first line (----- BEGIN CERTIFICATE -----) and the last line (----- END CERTIFICATE -----) in the file. You can retrieve the PublicCertData by using Windows PowerShell commands similar to this:

$Text = Get-Content -Path "C:\Azure\Certificates\ExportedCertficate.cer"
$CertificateText = for ($i=1; $i -lt $Text.Length -1 ; $i++){$Text[$i]}

Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
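
The line-stripping loop in Example 1 and in the PublicCertData description assumes a Base64 export whose first and last lines are the BEGIN/END markers. The following added example (not part of the original documentation) parses the file as X.509 instead and checks it before producing the Base64 body; the helper name Get-VpnRootCertData and the out-of-band thumbprint are assumptions.

```powershell
# Added example: Get-VpnRootCertData is a hypothetical helper, not an AzureRM cmdlet.
function Get-VpnRootCertData {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Thumbprint obtained out of band from whoever operates the root CA.
        [Parameter(Mandatory = $true)] [string] $ExpectedThumbprint
    )

    # X509Certificate2 reads Base64 (PEM) and binary (DER) exports alike, so the
    # result does not depend on where the BEGIN/END lines sit in the file.
    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # Only the public certificate belongs here; reject a PFX that carries the key.
    if ($cert.HasPrivateKey) {
        throw "File '$file' contains a private key; export the public certificate only."
    }

    # Confirm this is the root you intend the gateway to trust.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
    }

    # A root certificate is self-issued and must be inside its validity period.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not a root certificate: issuer is '$($cert.Issuer)'."
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }

    # Warn, rather than fail, when the CA flag is absent from Basic Constraints.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not ($bc -and $bc.CertificateAuthority)) {
        Write-Warning "Basic Constraints does not mark this certificate as a CA."
    }

    # Single-line Base64 of the DER bytes: the body between the BEGIN/END lines.
    return [System.Convert]::ToBase64String($cert.RawData)
}

# Usage (path from Example 1; the thumbprint is a placeholder):
# $Data = Get-VpnRootCertData -Path "C:\Azure\Certificates\ExportedCertficate.cer" -ExpectedThumbprint "<thumbprint from CA owner>"
# $Certificate = New-AzureRmVpnClientRootCertificate -Name "ContosoClientRootCertificate" -PublicCertData $Data
```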

Optional Parameters


-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Aliases: AzureRmContext, AzureCredential
Default value: None
Accept pipeline input: False
Accept wildcard characters: False


This cmdlet does not accept pipelined input.


This cmdlet creates new instances of the Microsoft.Azure.Commands.Network.Models.PSVpnClientRootCertificate object.