Jul 09 2017 11:30 AM
Hello
Can someone please help me with the following question.
I have setup a point-to-site VPN (I should mention I have been dealing with X509 certificates for years)
background
I created my own Root CA (Windows 2012 R2 Domain Joined) and uploaded the CA certificate to Azure when creating point-to-site VPN e.g. "Point to site configuration" > "Root Certificates" > "Public certificate data" and it saved OK
I then created a client certificate for my Windows 10 PC from this CA (I created a certificate with the EKU of Client Authentication and Server Authentication), I do not believe I need the Server Authentication EKU but it is there in any event.
I installed the client certificate in my Windows 10 PC, made certain it links to its private key OK, and chains up OK to the issuing CA (e.g. my Root CA) so all OK so far
The subject name of the client certificate is the same as the hostname (e.g. when you go into cmd and type hostname) of my Windows 10 PC
I installed the client certificate in both the LocalMachine\My (aka personal) and CurrentUser\My (aka personal) stores
I download the VPN client x64
when I try to connect I receive the following error
"the message received was unexpected or badly formatted"
I found a Microsoft post which stated this error was due to the following cause
"This problem occurs if the root certificate public key is not uploaded into Microsoft Azure VPN gateway or the key is corrupted or expired."
it said the solution was to
"To resolve this problem, check the status of the root certificate in Azure portal to see whether it has been revoked. If it is not revoked, try to delete the root certificate and reupload. For more information, see Create certificates."
I opened the link 'create certificates' above and under section 3.0
3. On the Certificates blade, click Upload to open the Upload certificate blade.
![Upload certificates blade](./media/vpn-gateway-howto-point-to-site-classic-azure-portal/uploadcerts.png)
The problem I have is
I simply do not see the options listed above e.g. how do I get to VPN connections ?
When I go to Point-To-Site Configuration all I get is the following
Save, Discard, Download VPN Client
I simply cannot see how to get to the 'Upload Certificate' GUI element they refer to above (although I already uploaded my Root cert as mentioned above). Therefore how can I check my Root CA cert I uploaded etc?
Thanks All
Jul 10 2017 11:45 PM
Solution
Hello AUser
Looking at the issue you described it occurs to me the VPN client may not be able to access the CDP (certificate revocation distribution point) location (LDAP, CIFS, HTTP) as specified in the CDP extension of the client certificate. Therefore when the client is validating the certificate e.g. building the certificate chain (which you said it can do), then checking the integrity of the chain it will fail this second element (sometimes performed together) if it cannot reach any of the locations as specified in the CDP (or the Automotive Information Access extension if using OCSP for revocation checking). Therefore bottom line if using a certificate issued by a CA, then on the computer with the VPN client installed, use the following command to verify access to CRL
certutil -f -urlfetch -verify
If all the locations in the CDP (LDAP, CIFS, HTTP) fail then resolve this first
Please let me know if this fixes your problem,
Ernest Brant
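The reachability check in the answer above, scripted as an added example (this is not code from the thread or from Microsoft): it reads the CDP and AIA extensions of the client certificate in CurrentUser\My, tries each URL it finds, and then runs the same certutil command against the exported certificate. It assumes the certificate's Subject CN matches the hostname, as the question states; $SubjectFilter, Get-ExtensionUrls and Test-RevocationUrl are names chosen for this example, and a host-less ldap:/// URL is tested against the machine's own domain ($env:USERDNSDOMAIN), which is an assumption.

```powershell
# Added example, not from the thread: find the P2S client certificate, list the URLs in its
# CRL Distribution Points and Authority Information Access extensions, test each one, then
# run certutil -urlfetch -verify as the answer recommends.
param(
    [string]$SubjectFilter = "CN=$env:COMPUTERNAME",   # assumption: Subject CN == hostname
    [int]$TimeoutSec = 10
)

$cdpOid = '2.5.29.31'           # CRL Distribution Points (CDP)
$aiaOid = '1.3.6.1.5.5.7.1.1'   # Authority Information Access (OCSP / caIssuers)

$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "$SubjectFilter*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectFilter' with a private key in CurrentUser\My" }
"Checking: $($cert.Subject) (thumbprint $($cert.Thumbprint))"

# X509Extension.Format($true) renders the extension as text; pull every URL out of it
function Get-ExtensionUrls($cert, [string]$oid) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), '(?i)\b(https?|ldap|file)://\S+') |
        ForEach-Object { $_.Value.TrimEnd(')', ',') } | Select-Object -Unique
}

# One probe per URL scheme: HTTP fetch, LDAP port 389 on the DC, SMB/CIFS path existence
function Test-RevocationUrl([string]$url) {
    try {
        $u = [uri]$url
        switch ($u.Scheme) {
            { $_ -in 'http', 'https' } {
                $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $TimeoutSec
                return [pscustomobject]@{ Url = $url; Reachable = $true; Detail = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes" }
            }
            'ldap' {
                # ldap:/// has no host; assume the client's own AD domain answers (domain-joined PC)
                $target = if ($u.Host) { $u.Host } else { $env:USERDNSDOMAIN }
                $ok = (Test-NetConnection -ComputerName $target -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
                return [pscustomobject]@{ Url = $url; Reachable = [bool]$ok; Detail = "TCP 389 to $target" }
            }
            'file' {
                return [pscustomobject]@{ Url = $url; Reachable = (Test-Path $u.LocalPath); Detail = "CIFS path $($u.LocalPath)" }
            }
            default {
                return [pscustomobject]@{ Url = $url; Reachable = $false; Detail = "unsupported scheme $($u.Scheme)" }
            }
        }
    } catch {
        return [pscustomobject]@{ Url = $url; Reachable = $false; Detail = $_.Exception.Message }
    }
}

$results = @()
foreach ($src in @(@{ Name = 'CDP'; Oid = $cdpOid }, @{ Name = 'AIA'; Oid = $aiaOid })) {
    $urls = Get-ExtensionUrls $cert $src.Oid
    if (-not $urls) { "No $($src.Name) extension on this certificate"; continue }
    foreach ($url in $urls) {
        $res = Test-RevocationUrl $url
        $res | Add-Member NoteProperty Source $src.Name
        $results += $res
    }
}
$results | Format-Table Source, Reachable, Url, Detail -AutoSize

# Chain building can still succeed while every CDP is unreachable; that is the failing case here
if ($results.Count -gt 0 -and -not ($results | Where-Object { $_.Source -eq 'CDP' -and $_.Reachable })) {
    Write-Warning "No CDP location is reachable from this machine; revocation checking will fail."
}

# The certutil check from the answer, run against the exported public half of the certificate
$tmp = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
Export-Certificate -Cert $cert -FilePath $tmp -Force | Out-Null
certutil -f -urlfetch -verify $tmp | Select-String -Pattern 'Error|Failed|Revocation|CRL|Verified'
Remove-Item $tmp -ErrorAction SilentlyContinue
```

Run it in an elevated or normal PowerShell session on the Windows 10 PC that has the VPN client installed, since the point is what that machine can reach; the LDAP probe only tests the TCP port, so a domain-joined client that is off the corporate network will show the LDAP CDP as unreachable even though the HTTP CDP (if the CA publishes one) may be fine.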
Jul 11 2017 12:59 PM
Hello Ernest
I tried your suggestion (by changing the cert so the CDP locations can be reached) and now all works perfectly
Thanks
Apr 08 2018 10:38 PM
Please visit my blog for a detailed step-by-step approach on how to set up the P2S connection. I hope you will find it useful.
https://shaonztechnet.wordpress.com/2018/04/09/setting-up-a-point-to-site-connection-in-azure/