Install client certificates for P2S certificate authentication connections

All clients that connect to a virtual network using Point-to-Site Azure certificate authentication require a client certificate. This article helps you install a client certificate that is used for authentication when connecting to a VNet using P2S.

Acquire a client certificate

No matter what client operating system you want to connect from, you must always have a client certificate. You can generate a client certificate from either a root certificate that was generated using an Enterprise CA solution, or a self-signed root certificate. See the PowerShell, MakeCert, or Linux instructions for steps to generate a client certificate.


If you want to create a P2S connection from a client computer other than the one you used to generate the client certificates, you need to install a client certificate. When installing a client certificate, you need the password that was created when the client certificate was exported.

  1. Locate and copy the .pfx file to the client computer. On the client computer, double-click the .pfx file to install. Leave the Store Location as Current User, and then select Next.
  2. On the File to import page, don't make any changes. Select Next.
  3. On the Private key protection page, input the password for the certificate, or verify that the security principal is correct, then select Next.
  4. On the Certificate Store page, leave the default location, and then select Next.
  5. Select Finish. On the Security Warning for the certificate installation, select Yes. You can comfortably select 'Yes' for this security warning because you generated the certificate.
  6. The certificate is now successfully imported.



Mac VPN clients are supported for the Resource Manager deployment model only. They are not supported for the classic deployment model.

When installing a client certificate, you need the password that was created when the client certificate was exported.

  1. Locate the .pfx certificate file and copy it to your Mac. You can get the certificate to the Mac in several ways, for example, you can email the certificate file.

  2. After the certificate copied to the Mac, double-click the certificate to open the Add Certificates box, the click Add to begin the install.

    Add certificates

  3. Enter the password that you created when the client certificate was exported. The password protects the private key of the certificate. Click OK to complete the installation.

    Screenshot shows a dialog box that prompts you for a password.


The Linux client certificate is installed on the client as part of the client configuration. See Client configuration - Linux for instructions.

Next steps

Continue with the Point-to-Site configuration steps to Create and install VPN client configuration files.