Azure Virtual Network Gateway stubbornly keeps cached expired root certificate and won't let me update it.

Alejandro Sosa 26 Reputation points
2025-04-11T19:34:27.28+00:00

The root certificate for my Point-to-site configuration of the Azure VPN Gateway was about to expire (with the child client certificates I've signed with it already having expired), so I needed to replace it with a new one.

After generating the new cert, with a different CN, and new Key, I deployed it using the Azure portal.

To my surprise, the client (OpenVPN GUI) refused to connect, when I tried my newly generated .ovpn file with the new CA cert (same I just deployed to Azure) and its client certificate (also newly generated and signed with the new root cert).

In troubleshooting, I decided to re-download the configuration file that Azure generates ("Download VPN client"), only to discover that the OLD certificate is still included in it.

Since then I've done everything I can think of, from deleting the old certificate, adding it to the "revoked certificates", even deleting the entire P2S section and reconfiguring it from scratch. The old certificate is still being presented when I try to download the config file, which makes me think that it is still cached somewhere, and that's why my client can't successfully connect.

I cannot completely delete the VPN Gateway, because the Site-to-site portion is working and being used in a production system (for which I don't control the other end of the tunnel).

Has anyone seen something like this before?

What can I do?

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

Accepted answer
  1. Praveen Bandaru 2,835 Reputation points Microsoft External Staff
    2025-04-11T21:24:27.33+00:00

    Hello Alejandro Sosa

    I understand that you're encountering an issue while uploading the certificate to the Point-to-Site.

    • Ensure the new root certificate is correctly uploaded to the Azure VPN Gateway. Double-check the thumbprint of the new root certificate to confirm it matches your expectations.
    • Make sure the client configuration file (.ovpn) correctly references the new CA certificate and the new client certificate, with accurate paths and names.
    • When adding the new certificate, first remove the old one before uploading the new root certificate.
    • In the meantime, please try testing with PowerShell and let me know if you encounter any issues.

    kindly check the public document: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps#create-the-vpn-gateway-1


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

    1 person found this answer helpful.
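The accepted answer suggests verifying the uploaded root certificate's thumbprint and working through the change with PowerShell rather than the portal. The script below is an added example, not part of the answer above or of any Microsoft documentation: it reads what root certificates the gateway actually holds, compares their thumbprints with the new root certificate, swaps the old entry for the new one, regenerates the client profile package, and checks that the `<ca>` block in the generated `vpnconfig.ovpn` contains the new root. The resource group, gateway name, certificate names and file paths are placeholders to replace with your own; it assumes the Az.Network module and a Base64-encoded `.cer` export of the new root certificate.

```powershell
# Placeholders: replace with your own resource group, gateway, certificate name and paths.
$rg          = "MyResourceGroup"
$gw          = "MyVnetGateway"
$newCertName = "P2SRootCert2025"
$newCerPath  = "C:\certs\P2SRootCert2025.cer"   # Base64-encoded X.509 export (no private key)
$workDir     = "C:\temp\p2s"

# Load a certificate from the Base64 DER string that Azure stores/returns as PublicCertData
function ConvertFrom-Base64Cert([string]$Base64) {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($Base64))
}

# 1. Read the new root certificate and strip the PEM armor so it matches Azure's PublicCertData format
$pem = Get-Content -Path $newCerPath -Raw
$newCertData = $pem -replace '-----BEGIN CERTIFICATE-----', '' -replace '-----END CERTIFICATE-----', '' -replace '\s', ''
$newRoot = ConvertFrom-Base64Cert $newCertData
"New root cert : CN={0}  thumbprint={1}  expires={2}" -f $newRoot.Subject, $newRoot.Thumbprint, $newRoot.NotAfter

# 2. List every root certificate the gateway currently holds, with real thumbprints and expiry
$gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gw
$installed = @()
foreach ($rc in $gateway.VpnClientConfiguration.VpnClientRootCertificates) {
    $x = ConvertFrom-Base64Cert $rc.PublicCertData
    $installed += [pscustomobject]@{ Name = $rc.Name; Thumbprint = $x.Thumbprint; NotAfter = $x.NotAfter; Data = $rc.PublicCertData }
}
$installed | Format-Table Name, Thumbprint, NotAfter

# 3. Remove every root that is not the new one (Remove-* requires name AND cert data), then add the new root
foreach ($old in ($installed | Where-Object { $_.Thumbprint -ne $newRoot.Thumbprint })) {
    "Removing old root {0} ({1})" -f $old.Name, $old.Thumbprint
    Remove-AzVpnClientRootCertificate -VpnClientRootCertificateName $old.Name `
        -VirtualNetworkGatewayName $gw -ResourceGroupName $rg -PublicCertData $old.Data
}
if (-not ($installed | Where-Object { $_.Thumbprint -eq $newRoot.Thumbprint })) {
    Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $newCertName `
        -VirtualNetworkGatewayName $gw -ResourceGroupName $rg -PublicCertData $newCertData
}

# 4. Regenerate the client profile package and pull the CA block out of the OpenVPN config
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$profile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gw -AuthenticationMethod "EapTls"
Invoke-WebRequest -Uri $profile.VPNProfileSASUrl -OutFile "$workDir\vpnclient.zip"
Expand-Archive -Path "$workDir\vpnclient.zip" -DestinationPath "$workDir\vpnclient" -Force
$ovpn = Get-Content -Path "$workDir\vpnclient\OpenVPN\vpnconfig.ovpn" -Raw

# Every <ca>...</ca> block in the profile is a root the gateway will trust for client certs
$caBlocks = [regex]::Matches($ovpn, '(?s)-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----')
$profileRoots = foreach ($m in $caBlocks) {
    ConvertFrom-Base64Cert ($m.Value -replace '-----BEGIN CERTIFICATE-----', '' -replace '-----END CERTIFICATE-----', '' -replace '\s', '')
}
$profileRoots | Format-Table Subject, Thumbprint, NotAfter

# 5. Verdict: the generated profile must carry the new root and nothing expired
if ($profileRoots.Thumbprint -contains $newRoot.Thumbprint) { "OK: profile contains the new root certificate." }
else { "MISMATCH: profile does not contain thumbprint $($newRoot.Thumbprint); the gateway is still serving stale data." }
$profileRoots | Where-Object { $_.NotAfter -lt (Get-Date) } | ForEach-Object { "WARNING: profile still carries expired root $($_.Subject)" }
```

Comparing thumbprints rather than names matters here: the portal shows only the name you typed when uploading, so a stale entry and a fresh one can look identical in the list. Step 2 reads the certificate bytes the gateway really holds, and step 4 confirms what ends up in the profile clients will use, which is the artifact the original poster found still contained the old root.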

1 additional answer

  1. Eric Maussion 26 Reputation points
    2025-04-30T09:38:38.9166667+00:00

    Only coming to relate with OP and tell how unnatural this feels. It's absurd the console states the VPN gateway is updated while it still expects old root certificate(s) to be used.
    Even resetting the gateway has zero effect on updating certificates.

