A corporate VPN is essential to a business: it is a virtual private network for sharing resources with remote users while keeping the traffic protected. A VPN (virtual private network) establishes encrypted tunnels with the help of security protocols, but what makes corporate VPNs reliable is the authentication process. The vendors that offer VPN services to individuals handle this as well, but next to multifactor authentication, plain username/password access looks weak, which is why business VPNs use certificates to secure access from outside. Sometimes, however, it is this very certificate that causes errors. Today, you will learn how to fix a “certificate could not be found” VPN error.
Guide to fix the “certificate could not be found” VPN error
A VPN certificate is a digitally signed document that carries information regarding access to a network. When two VPN gateways communicate to request or grant permission, they use the pre-installed certificate to authenticate each other before transferring any resources, so the certificate is crucial to VPN operations. But sometimes a network or a VPN client misplaces it. This can happen due to a faulty installation or directly due to a defective certificate, which is the core issue behind such errors. A corrupted or expired certificate won’t be accepted for communication. Hence, a well-run infrastructure or central server handles such problems automatically by having the CA (certificate authority) issue new ones.
Occasionally, though, a VPN certificate is overlooked due to poor configuration or inadequate infrastructure, which later results in an error. When you see the “a VPN certificate is not found” error, it doesn’t mean the certificate is missing but that it’s unusable. Thus, the base solution is to generate and export another certificate in its place. One might think that issuing a dedicated certificate is a tedious process, but it’s not. You do not have to rely on a third-party CA for your VPN certificate, as you can always generate and export a self-signed one. That brings us to the solutions to the “certificate could not be found” VPN error.
Solution 1: Generate and export a self-signed root certificate using PowerShell
The first method uses PowerShell to generate and export a self-signed certificate to resolve the error. Be aware that it is on the more advanced technical side and requires working knowledge of certificates, but we have tried our best to simplify the following steps.
Note — these PowerShell cmdlets work only on Windows 10 or Windows Server 2016, although you can use the generated cert on any supported client operating system. If you do not have access to PowerShell, use MakeCert as an alternative for certificate generation.
Creating a self-signed certificate
First, on your Windows device, run a Windows PowerShell console with elevated privileges (Run as administrator). Then:
- Use this command to create a self-signed root certificate (the backtick at the end of a line continues the command on the next line):

```powershell
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
```
- On execution, it automatically creates a certificate named “P2SRootCert”.
- The system then installs it in this location, where you can view it:
- Certificates - Current User\Personal\Certificates
- Leave the PowerShell console open and proceed with client certificate generation.
Generating client certificate
Every client operating system that connects to the network needs a certificate for authentication. The self-signed root cert alone is not enough: you have to generate a client cert signed by the self-signed certificate and export it to the client. There are two ways to make a client certificate, depending on whether the PowerShell console from the previous step is still open:
- If the PowerShell console is still open (so $cert still holds the root certificate), you can directly enter the following command and continue:

```powershell
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=P2SNameYourCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
```
- Note. If the PowerShell console was closed, open a new session first.
- You can use the same self-signed cert to generate multiple client certificates, but a new session no longer knows which certificate is the root. Open the PowerShell console and list all the certificates in your personal store by entering:

```powershell
Get-ChildItem -Path "Cert:\CurrentUser\My"
```

- Locate the self-signed root certificate in the list and copy its Thumbprint.
- Paste the Thumbprint into a text file so you can reuse it later.
- Now, back in PowerShell, assign the root certificate to $cert again by replacing <THUMBPRINT> with the thumbprint you copied:

```powershell
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\<THUMBPRINT>"
```

- For example:

```powershell
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\7181AA8C1B4………"
```
- With $cert set, run this command; the client certificate is installed automatically and is ready to be exported:

```powershell
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
```
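The two commands above are the whole generation step, but nothing on the page tells you whether the result is actually consistent before you export it. The following script is an added example, not the article's own code: it creates the root and client certificates with the same parameters as above in one session and then verifies that the client certificate chains to the root, carries the Client Authentication EKU and has a private key. The variable names $root and $client and the use of .NET's X509Chain for the check are assumptions.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on
# Windows 10 / Windows Server 2016 (the New-SelfSignedCertificate parameters match the article).
$store         = 'Cert:\CurrentUser\My'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'                      # Extended Key Usage: Client Authentication
$clientAuthEku = "2.5.29.37={text}$clientAuthOid"         # same -TextExtension value as the article

# 1. Self-signed root that is allowed to sign other certificates (KeyUsage CertSign).
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation $store -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate signed by that root ($root is passed as -Signer).
$client = New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject 'CN=P2SChildCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation $store -Signer $root -TextExtension @($clientAuthEku)

# 3. Checks a VPN client performs implicitly when it looks for a usable certificate:
#    the client cert must chain to the root, carry Client Authentication, and own a private key.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'NoCheck'                          # a self-signed root publishes no CRL
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority' # root is not in Trusted Root yet
[void]$chain.ChainPolicy.ExtraStore.Add($root)                            # let the chain engine find the root
$built = $chain.Build($client)
$top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$chainsToRoot = $built -and ($top.Thumbprint -eq $root.Thumbprint)

# EKU OIDs come from the 2.5.29.37 extension of the client certificate.
$ekuExt = $client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

[pscustomobject]@{
    RootThumbprint   = $root.Thumbprint
    ClientThumbprint = $client.Thumbprint
    ChainsToRoot     = $chainsToRoot                 # expected True
    HasClientAuthEKU = ($ekus -contains $clientAuthOid)   # expected True
    HasPrivateKey    = $client.HasPrivateKey         # expected True
}
```

If any of the three flags is False, the certificate pair will not be accepted by the VPN client even though both certificates are present in the store.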
Exporting the cert public key (.cer)
First, open the Manage User Certificates console (certmgr.msc), for example by launching it from the PowerShell console. Now:
- Locate the self-signed certificate you generated for the client OS.
- Right-click on the certificate and click on All Tasks.
- Now select Export to launch the Wizard.
- After that, click on Next.
- Then select the “No, do not export the private key” option.
- After that, on the Export File Format page, select Base-64 encoded X.509 (.CER).
- Now, locate the certificate you want to export and click Finish.
Solution 2: Manually export the private key if a certificate is available
Now that you have exported the public key, export the private key. In this solution, we will assume that a certificate is already installed as per the previous guide and then carry forward with our method.
- First, go to the Start menu and click on Run.
- You can also press the Windows key + R.
- Then type certmgr.msc in the box to open Certificate Manager.
- Now, go to your store and then click on certificate.
- Here you can find all the available certificates currently installed on your device.
- Now right-click on the client cert to export it.
- Once the Wizard opens, continue clicking Next.
- Then click on “Yes, export the Private key.”
- Although you can customize some options, we recommend leaving things as default and continuing.
- After that, the wizard asks you to protect the private key with a password. Enter your password.
- Now the export will begin.
- Continue exporting all the necessary certs.
- Locate your certificates and initiate installations.
- Remember to select “Current user” as the default location.
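The two wizards above (exporting the public key as a Base-64 .CER in Solution 1, and the private key as a .PFX in Solution 2) can be reproduced from PowerShell, which is handy when the same certificates must be exported for several clients. This is an added example, not part of the article: it assumes the root and client certificates from Solution 1 exist in Cert:\CurrentUser\My, and the output folder and file names are assumptions.

```powershell
# Added example, not from the original article.
$outDir = Join-Path $env:USERPROFILE 'Desktop\p2s-certs'   # assumed output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Find the certificates again by subject/issuer, since $cert may no longer be set.
$root   = Get-ChildItem 'Cert:\CurrentUser\My' |
          Where-Object { $_.Subject -eq 'CN=P2SRootCert' -and $_.HasPrivateKey } | Select-Object -First 1
$client = Get-ChildItem 'Cert:\CurrentUser\My' |
          Where-Object { $_.Issuer -eq $root.Subject -and $_.Subject -ne $root.Subject } | Select-Object -First 1

# 1. Public key only, Base-64 encoded X.509 (.CER): the "No, do not export the private key" path.
#    RawData is the DER certificate; wrapping it in Base64 with PEM markers gives the .CER format.
$cerPath = Join-Path $outDir 'P2SRootCert.cer'
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($root.RawData, 'InsertLineBreaks') +
       "`n-----END CERTIFICATE-----"
Set-Content -Path $cerPath -Value $pem -Encoding Ascii

# 2. Client certificate together with its private key (.PFX): the "Yes, export the private key" path.
#    The password protects the file; it is read interactively rather than stored in the script.
$pfxPath  = Join-Path $outDir 'P2SChildCert.pfx'
$password = Read-Host -Prompt 'Password for the PFX file' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath $pfxPath -Password $password | Out-Null

# 3. Verify what was written by loading both files back: the .CER must carry no private key,
#    the .PFX must, and the .PFX certificate must be issued by the root in the .CER.
$cerCheck = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$pfxCheck = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                $pfxPath, $password, 'DefaultKeySet')
[pscustomobject]@{
    CerThumbprint    = $cerCheck.Thumbprint
    CerHasPrivateKey = $cerCheck.HasPrivateKey                 # expected False
    PfxThumbprint    = $pfxCheck.Thumbprint
    PfxHasPrivateKey = $pfxCheck.HasPrivateKey                 # expected True
    PfxIssuedByRoot  = ($pfxCheck.Issuer -eq $cerCheck.Subject) # expected True
}
```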
Solution 3: Install a VPN certificate to fix a “certificate not found” error
Sometimes the cause behind this error isn’t as severe as one expects. In some cases, chances are that the certificate is installed correctly but is not available at a particular location: “Certificates – Current User\Personal\Certificates”. If your certificate is missing from here, the VPN won’t work. Thankfully, it is easy to fix a “certificate not found” error for a VPN in this case. All you have to do is manually install it to the correct folder like this:
- Go to the Start menu and click on Run.
- Then enter certmgr.msc to open the certificate manager.
- You can also use the search box in the Start menu and type manage computer certificates.
- Now locate the self-signed/third party public key and the corresponding private key for the client certificate.
- Then note down their locations and go to “C:\Users\<UserName>\AppData\Roaming\Microsoft\Network\Connections\Cm\<GUID>”
- Use the certificate manager to manually install those certs at the above-mentioned location.
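Before moving files around, it helps to know which of the conditions described on this page (wrong store, public key only, expired, wrong key usage, wrong issuer) actually applies. The following diagnostic is an added example, not part of the article: it inspects every certificate in the Current User\Personal store and reports why each one can or cannot serve as the VPN client certificate. The expected issuer name CN=P2SRootCert follows Solution 1 and is an assumption; adjust it if your root has a different name.

```powershell
# Added diagnostic, not from the original article.
$expectedIssuer = 'CN=P2SRootCert'        # assumption: root from Solution 1
$clientAuthOid  = '1.3.6.1.5.5.7.3.2'     # Extended Key Usage: Client Authentication
$now = Get-Date

$report = Get-ChildItem -Path 'Cert:\CurrentUser\My' | ForEach-Object {
    $cert    = $_
    $reasons = @()
    $isRoot  = ($cert.Subject -eq $cert.Issuer)

    # EKU OIDs live in extension 2.5.29.37; an absent extension means "any usage".
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

    if ($isRoot)                     { $reasons += 'self-signed root, not a client certificate' }
    if (-not $cert.HasPrivateKey)    { $reasons += 'public key only (a .cer import); install the .pfx instead' }
    if ($cert.NotAfter  -lt $now)    { $reasons += "expired on $($cert.NotAfter.ToString('u'))" }
    if ($cert.NotBefore -gt $now)    { $reasons += "not valid before $($cert.NotBefore.ToString('u'))" }
    if ($ekus.Count -gt 0 -and $ekus -notcontains $clientAuthOid) {
        $reasons += "EKU lacks Client Authentication ($clientAuthOid)"
    }
    if (-not $isRoot -and $cert.Issuer -ne $expectedIssuer) {
        $reasons += "issued by '$($cert.Issuer)', not the expected root"
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Usable     = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

$report | Format-Table -AutoSize
if (-not ($report | Where-Object Usable)) {
    Write-Warning "No usable client certificate in Cert:\CurrentUser\My; this is the state behind the 'certificate could not be found' error."
}
```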