VPNs are essential to the security infrastructure of a corporate network that supports remote working. A VPN encrypts traffic between remote users and internal resources and prevents third parties from accessing those resources without authorization. It does so through VPN tunnels built on security protocols. Another indispensable aspect of a corporate VPN is authentication: multifactor authentication gives a fail-safe approach against external threats, but this cross-gateway authentication relies heavily on VPN certificates. Hence, when a certificate expires, it must be replaced. Azure is a reputed client and VPN provider, so let us show you how to renew your VPN certificate.
Overview of renewing an Azure VPN certificate
Although Azure works flawlessly for the betterment of your network infrastructure, at its core it is a VPN that relies on multiple certificates issued under a distinct CA (Certificate Authority) to operate without interruption. A moment of carelessness can cause lasting damage to the network, which is why the maintenance team keeps an eye out for any expiring certificate and checks whether enough spare certs (certificates) are available for a quick renewal.
You cannot extend the “digital lifespan” of a certificate; it is fixed when the certificate is created and generated. Thus, a renewal generally means exchanging an expired certificate for a new one already stored on the device. There are numerous methods to renew your Azure VPN certificate. Because each client and VPN module differs from the others, we have included a set of generic instructions first; further down the article, we give specific methods to renew your Azure certificates.
General instructions for Azure certificate renewal
You can renew your certificate with an internal CA. All you need to do is:
- First, open the VPN UI (user interface) and head to settings.
- After that, select Network objects.
- Now, on the new menu, select the VPN module with the certificate.
- Then, go to the VPN and try to select the expired cert in the Certificate List section.
- Now try to remove the expired cert directly.
- If it works, great. If not, you will see an error such as “The VPN certificate is used in IKE authentication, before deleting, please define an alternative.”
- After you get the error, proceed as follows:
  - First, note down the cert details (DN).
  - Then select “Traditional mode configuration.”
  - Now look for Public Key Signatures and uncheck it.
  - Deleting will work now.
- Thus, go to the expired cert and delete it. A new certificate will be generated automatically. Hence, you have renewed the VPN certificate.
Azure stores certificates at two locations
Azure keeps the relevant certificates in two places to facilitate TLS/SSL communication: the Azure key vault and the application gateway. The two are interconnected.
Certificates at Azure key vault
The application gateway relies on the key vault for renewing certificates. When configured this way, it retrieves VPN certificates from the vault and installs them locally for TLS termination. It also polls the key vault regularly to pick up renewed certificates. If no valid certificate is available, the applications behind the gateway will cease to work.
Certificates at Azure application gateway
On the other hand, the application gateway does not force the key vault into its configuration; it holds the certificates independently once they have been retrieved. To renew certificates in either location, you can rely on one of the following:
Renewing Azure certificates through a portal
You can go to your Azure client and open the portal to manage your certificates.
- First, run the Azure portal and head to the Dashboard.
- Then, head to the application gateway listener, and select the listener with a certificate that needs renewal.
- Now scroll down and select the certificate. Then select the option that reads Renew or edit the selected certificate.
- Upload the new PFX certificate and give it a name.
- Type the password and click on Save.
Renew Azure VPN certificate via PowerShell
Use the following steps to renew your Azure certificate via PowerShell:
- First, launch PowerShell with the Az cmdlets available.
- Then, enter the following commands to renew the certificate, replacing the angle-bracket placeholders with your own values:

```powershell
# Load the gateway object that holds the expiring certificate
$appgw = Get-AzApplicationGateway -ResourceGroupName "<ResourceGroup>" -Name "<AppGatewayName>"

# The PFX password must be passed as a SecureString
$password = ConvertTo-SecureString -String "<password>" -Force -AsPlainText

# Replace the certificate data of the existing entry with the new PFX file
Set-AzApplicationGatewaySslCertificate -Name "<oldcertname>" -ApplicationGateway $appgw `
    -CertificateFile "<newcertPath>" -Password $password

# Push the updated configuration to Azure
Set-AzApplicationGateway -ApplicationGateway $appgw

# Re-read the gateway to confirm the new certificate is in place
$appgw = Get-AzApplicationGateway -ResourceGroupName "<ResourceGroup>" -Name "<AppGatewayName>"
```
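Before running the renewal above it helps to know which certificates on the gateway are close to expiry and which listeners depend on them, whether they were uploaded inline or are pulled from the key vault as described earlier. The following script is an added example, not code from the original article or from Microsoft; it assumes the Az.Network and Az.KeyVault modules, an authenticated session, and placeholder resource names.

```powershell
# Added example, not from the original article: report days-to-expiry for every SSL
# certificate on an Application Gateway, whether uploaded inline or referenced from
# Key Vault, and which listeners depend on it. Assumes the Az.Network and Az.KeyVault
# modules and an authenticated session; <ResourceGroup>/<AppGatewayName> are placeholders.
function Get-AppGwCertExpiry {
    param([string]$ResourceGroupName, [string]$GatewayName, [int]$WarnDays = 30)

    $appgw     = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
    $listeners = Get-AzApplicationGatewayHttpListener -ApplicationGateway $appgw

    foreach ($cert in Get-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw) {
        if ($cert.KeyVaultSecretId) {
            # Key Vault reference: the gateway polls the vault, so the vault holds the real expiry.
            # The secret id has the form https://<vault>.vault.azure.net/secrets/<name>[/<version>]
            $uri      = [uri]$cert.KeyVaultSecretId
            $vault    = $uri.Host.Split('.')[0]
            $name     = $uri.Segments[2].TrimEnd('/')
            $notAfter = (Get-AzKeyVaultCertificate -VaultName $vault -Name $name).Expires
            $source   = "KeyVault:$vault/$name"
        } else {
            # Inline upload: PublicCertData is base64 of the public cert/chain (DER or PKCS#7,
            # both handled by Import). Take the earliest NotAfter in the bundle: an expired
            # intermediate breaks the chain just as surely as an expired leaf.
            $bundle = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
            $bundle.Import([Convert]::FromBase64String($cert.PublicCertData))
            $notAfter = ($bundle | Sort-Object NotAfter | Select-Object -First 1).NotAfter
            $source   = 'Inline'
        }
        # Listeners bound to this certificate are the ones that stop serving TLS when it expires
        $bound = $listeners | Where-Object { $_.SslCertificate.Id -eq $cert.Id } | ForEach-Object Name
        $days  = [math]::Floor(($notAfter - (Get-Date)).TotalDays)
        [pscustomobject]@{
            Certificate = $cert.Name
            Source      = $source
            NotAfter    = $notAfter
            DaysLeft    = $days
            Listeners   = ($bound -join ',')
            Status      = if ($days -lt 0) { 'EXPIRED' } elseif ($days -le $WarnDays) { 'RENEW SOON' } else { 'OK' }
        }
    }
}

Get-AppGwCertExpiry -ResourceGroupName '<ResourceGroup>' -GatewayName '<AppGatewayName>' -WarnDays 30 |
    Sort-Object DaysLeft | Format-Table -AutoSize
```

Run it on a schedule and alert on any row whose Status is not OK; a certificate marked EXPIRED with listeners attached is the exact outage the renewal steps above are meant to prevent.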
Refresh Azure certificates via CLI (Command Line Interface)
Similarly, you can renew an Azure VPN certificate via the CLI using the following command:
- Run the Azure CLI.
- Then, enter the following, replacing the angle-bracket placeholders with your own values:

```bash
# Update the existing ssl-cert entry on the gateway with the new PFX file
az network application-gateway ssl-cert update \
  -n "<CertName>" \
  --gateway-name "<AppGatewayName>" \
  -g "<ResourceGroupName>" \
  --cert-file "<PathToCerFile>" \
  --cert-password "<password>"
```
Resume use of VPN certificates via Microsoft Certificate Authority
Microsoft CA (MCA) can also renew certificates for Azure. Here are a few key points in favor of MCA:
- As a certificate renewal interface, it drastically reduces the time required to renew an expired certificate.
- Since certificate renewal differs for every provider, MCA can help with the process.
- MCA automates the process and is one of the best solutions for counteracting certificate expiration.
General instructions under MCA
The exact method for certificate renewal varies with the provider you subscribe to, but a set of procedures under Microsoft CA can simplify the process.
- First, use the Microsoft CA to generate a new CSR (Certificate Signing Request).
- Then your vendor will provide you with the CSR code. You need to keep it at hand as it will be required at a later step.
- Now generate a new certificate and activate it with your old CSR code.
- Then validate it using one of these methods:
- Email validation
- HTTP validation
- DNS validation
- Install the certificate on your device.
Renewing with Microsoft AD CS
One of Microsoft’s biggest advantages is AD CS (Active Directory Certificate Services). It is an effective solution to certificate expiry that automates the whole process. Certificate auto-enrollment was first introduced in Windows 2000 and has been greatly enhanced since; as a result, Windows 10 and Windows Server 2016 can renew certificates automatically.
Microsoft enables certificate auto-enrollment through GPOs (group policy objects), so the device automatically queues for a new certificate before the current one expires. However, this only works with GPO and AD CS. If your device doesn’t support them, you will have to rely on SecureW2 software, which can integrate with any MDM and push out renewal policies.
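Auto-enrollment only helps if it is actually running and actually renewing the certificates the VPN relies on. The following script is an added example, not code from the original article or from Microsoft: it lists the certificates in the local machine store that were issued from an AD CS template (identified by the Certificate Template Name or Certificate Template Information extension), reports days to expiry, and reads the host's auto-enrollment policy value. It assumes a domain-joined Windows host; the 30-day warning threshold is an assumption.

```powershell
# Added example, not from the original article: inventory template-issued machine
# certificates so that auto-enrollment failures show up before the VPN logon does.
# The 30-day threshold and the host being domain-joined are assumptions.
$TemplateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'   # Template Name / Template Information

function Get-AdcsCertStatus {
    param([int]$WarnDays = 30)
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $tmplExt = $_.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } | Select-Object -First 1
        if (-not $tmplExt) { return }   # no template extension: not something auto-enrollment manages
        $days = [math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            Template   = $tmplExt.Format($false)
            NotAfter   = $_.NotAfter
            DaysLeft   = $days
            HasKey     = $_.HasPrivateKey          # a cert without its key cannot authenticate to the VPN
            Status     = if ($days -lt 0) { 'EXPIRED' } elseif ($days -le $WarnDays) { 'RENEW SOON' } else { 'OK' }
        }
    }
}

Get-AdcsCertStatus -WarnDays 30 | Sort-Object DaysLeft | Format-Table -AutoSize

# Auto-enrollment GPO state as applied to this host. AEPolicy is 7 when enrolment, renewal
# and template update are all enabled; 0x8000 means the policy is explicitly disabled.
$ae = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
if ($null -eq $ae) {
    Write-Warning 'No auto-enrollment policy applied: certificates will not renew on their own.'
} else {
    'AEPolicy = 0x{0:X}' -f $ae.AEPolicy
}
```

A RENEW SOON row on a host whose AEPolicy is missing or 0x8000 is the case the article warns about: the certificate will lapse, and the VPN authentication that depends on it will fail with it.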
Resume your Azure VPN certificate use with SecureW2
SecureW2 certificate templates are configurable, so these certificates can remain valid for years. A typical example is a university, where you can set up a group of policies that remain unchanged for all those years.