Saturday, October 08, 2016

Azure VPN Client: A certificate chain processed, but terminated in a root certificate Issue after Windows 10 Upgrade

Symptom

I recently upgraded my Windows OS to the Windows 10 Anniversary edition, and right after doing that I started to get the following error when connecting to the VPN. I had downloaded the same VPN client again.

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Yes, I know your certs were working fine until a moment ago, and I am not sure why I got myself into this situation, but you should be able to fix this in half an hour or less.

Fix or Workaround

I was able to get around this issue by simply re-generating the root certificate and then generating a client certificate from it, then exporting the full public and private key pair files and uploading them to the Azure portal for your private network.

After you do so, you can have the portal re-generate the VPN client software, which you can then download and install.

You can follow the Self-Signed Certificate steps on the Azure web site to generate both the Root and the Client certificates.

Some Points to Note: You will have to deal with two and a half certificates:

1. The Root certificate.
1.5 The public part of the root certificate, which you will upload to Azure. Actually, you can paste the hex number part of the cert directly into the Azure console.
2. The Client certificate that you derive from the root certificate. This does not get uploaded to Azure, but it has to be given to each user; if needed, generate one per user if you want to be able to revoke people individually (i.e., when off-boarding an employee).
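The two-and-a-half certificates above, as an added PowerShell example that is not from the original post or from the Azure documentation. It assumes Windows 10 with the built-in New-SelfSignedCertificate cmdlet; the subject names, file paths and the user list are constructed for illustration.

```powershell
# 1. The root certificate: self-signed, exportable, and allowed to sign other certs.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 1.5 The public part of the root: the Base64 body of the DER certificate, no private key.
#     This one-line string is the part that is pasted into the Azure portal.
$rootPublicB64 = [Convert]::ToBase64String($root.RawData)
Set-Content -Path "$env:USERPROFILE\P2SRootCert_public.txt" -Value $rootPublicB64

# 2. One client certificate per user, signed by the root, so that a single user
#    can be revoked (off-boarded) without touching anyone else's certificate.
$users = @("alice", "bob")   # constructed sample list of VPN users
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX export password"
foreach ($u in $users) {
    $client = New-SelfSignedCertificate -Type Custom -DnsName "P2SChildCert-$u" `
        -KeySpec Signature -Subject "CN=P2SChildCert-$u" `
        -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" -Signer $root `
        -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")   # Client Authentication EKU

    # Private key plus chain goes to the user; this file is never uploaded to Azure.
    Export-PfxCertificate -Cert $client -FilePath "$env:USERPROFILE\P2SClient-$u.pfx" `
        -Password $pfxPassword -ChainOption BuildChain | Out-Null

    # Keep the thumbprint on record so this user's cert can be revoked on the gateway later.
    "$u`t$($client.Thumbprint)" | Add-Content -Path "$env:USERPROFILE\P2SClient_thumbprints.txt"
}
```

Only the contents of P2SRootCert_public.txt go to the portal; the .pfx files are handed to their respective users and installed in their personal certificate store.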

Do Not Go Down These Paths

  • There is no need to discard the original certificate pair you have uploaded. You can simply upload your new certificate alongside it. Discarding the original may break other VPN users who are relying on the current certificates. Both certificates are good.
  • More importantly, there is no need to re-do the private network.
  • You can use either the Classic or the Resource Manager model, so use the model that you are familiar with. It is all about uploading the proper certificates.
  • Do not do the "extract the cert using RAR" stuff. The self-signed root certificates are just not right for your situation, so extracting and manually installing them won't do jack.