Merge pull request #247396 from cherylmc/vpnps1

Vpnps1

Author: v-regandowner

articles/vpn-gateway/point-to-site-how-to-vpn-client-install-azure-cert.md

@@ -5,7 +5,7 @@ description: Learn how to install client certificates for P2S certificate authen
 author: cherylmc
 ms.service: vpn-gateway
 ms.topic: how-to
-ms.date: 07/28/2023
+ms.date: 08/07/2023
 ms.author: cherylmc
 
 ---

articles/vpn-gateway/vpn-gateway-certificates-point-to-site.md

@@ -5,7 +5,7 @@ description: Learn how to create a self-signed root certificate, export a public
 author: cherylmc
 ms.service: vpn-gateway
 ms.topic: how-to
-ms.date: 07/06/2022
+ms.date: 08/04/2023
 ms.author: cherylmc
 
 ---

articles/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps.md

@@ -5,11 +5,11 @@
  author: cherylmc
  ms.service: vpn-gateway
  ms.topic: include
- ms.date: 06/03/2021
+ ms.date: 08/07/2023
  ms.author: cherylmc
  ms.custom: include file
 ---
-1. Once the client certificate is exported, locate and copy the *.pfx* file to the client computer. 
+1. Once the client certificate is exported, locate and copy the *.pfx* file to the client computer.
 1. On the client computer, double-click the *.pfx* file to install. Leave the **Store Location** as **Current User**, and then select **Next**.
 1. On the **File** to import page, don't make any changes. Select **Next**.
 1. On the **Private key protection** page, input the password for the certificate, or verify that the security principal is correct, then select **Next**.

includes/vpn-gateway-certificates-install-client-cert-include.md

@@ -5,11 +5,11 @@
  author: cherylmc
  ms.service: vpn-gateway
  ms.topic: include
- ms.date: 04/29/2022
+ ms.date: 08/07/2023
  ms.author: cherylmc
  ms.custom: include file
 ---
-You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than computer name. That way, you're testing to see if you can connect, not whether name resolution is configured properly.
+You can connect to a VM that's deployed to your VNet by creating a Remote Desktop Connection to your VM. The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than computer name. That way, you're testing to see if you can connect, not whether name resolution is configured properly.
 
 1. Locate the private IP address. You can find the private IP address of a VM by either looking at the properties for the VM in the Azure portal, or by using PowerShell.
 

includes/vpn-gateway-connect-vm.md

@@ -2,7 +2,7 @@
  ms.topic: include
  author: cherylmc
  ms.service: vpn-gateway
- ms.date: 05/23/2022
+ ms.date: 08/04/2023
  ms.author: cherylmc
 
 # This include is used for both Virtual WAN and VPN Gateway articles. Any changes you make must apply address both services.
@@ -12,40 +12,59 @@
 
 Use the New-SelfSignedCertificate cmdlet to create a self-signed root certificate. For additional parameter information, see [New-SelfSignedCertificate](/powershell/module/pki/new-selfsignedcertificate).
 
-1. From a computer running Windows 10 or later, or Windows Server 2016, open a Windows PowerShell console with elevated privileges. These examples don't work in the Azure Cloud Shell "Try It". You must run these examples locally.
-1. Use the following example to create the self-signed root certificate. The following example creates a self-signed root certificate named 'P2SRootCert' that is automatically installed in 'Certificates-Current User\Personal\Certificates'. You can view the certificate by opening *certmgr.msc*, or *Manage User Certificates*.
+1. From a computer running Windows 10 or later, or Windows Server 2016, open a Windows PowerShell console with elevated privileges.
+1. Create a self-signed root certificate. The following example creates a self-signed root certificate named 'P2SRootCert' that's automatically installed in 'Certificates-Current User\Personal\Certificates'. You can view the certificate by opening *certmgr.msc*, or *Manage User Certificates*.
 
-   Run the following example with any necessary modifications.
+   Make any needed modifications before using this sample. The 'NotAfter' parameter is optional. By default, without this parameter, the certificate expires in 1 year.
 
    ```powershell
-   $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-   -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
-   -HashAlgorithm sha256 -KeyLength 2048 `
-   -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
+   $params = @{
+       Type = 'Custom'
+       Subject = 'CN=P2SRootCert'
+       KeySpec = 'Signature'
+       KeyExportPolicy = 'Exportable'
+       KeyUsage = 'CertSign'
+       KeyUsageProperty = 'Sign'
+       KeyLength = 2048
+       HashAlgorithm = 'sha256'
+       NotAfter = (Get-Date).AddMonths(24)
+       CertStoreLocation = 'Cert:\CurrentUser\My'
+   }
+   New-SelfSignedCertificate @params
    ```
 
 1. Leave the PowerShell console open and proceed with the next steps to generate a client certificate.
 
 ## <a name="clientcert"></a>Generate a client certificate
 
-Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate isn't installed, authentication fails. 
+Each client computer that connects to a VNet using point-to-site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate isn't installed, authentication fails.
 
-The following steps walk you through generating a client certificate from a self-signed root certificate. You may generate multiple client certificates from the same root certificate. When you generate client certificates using the steps below, the client certificate is automatically installed on the computer that you used to generate the certificate. If you want to install a client certificate on another client computer, you can export the certificate.
+The following steps walk you through generating a client certificate from a self-signed root certificate. You may generate multiple client certificates from the same root certificate. When you generate client certificates using the steps below, the client certificate is automatically installed on the computer that you used to generate the certificate. If you want to install a client certificate on another client computer, export the certificate.
 
-The examples use the New-SelfSignedCertificate cmdlet to generate a client certificate that expires in one year. For additional parameter information, such as setting a different expiration value for the client certificate, see [New-SelfSignedCertificate](/powershell/module/pki/new-selfsignedcertificate).
+The examples use the [New-SelfSignedCertificate](/powershell/module/pki/new-selfsignedcertificate) cmdlet to generate a client certificate.
 
 ### Example 1 - PowerShell console session still open
 
 Use this example if you haven't closed your PowerShell console after creating the self-signed root certificate. This example continues from the previous section and uses the declared '$cert' variable. If you closed the PowerShell console after creating the self-signed root certificate, or are creating additional client certificates in a new PowerShell console session, use the steps in [Example 2](#ex2).
 
-Modify and run the example to generate a client certificate. If you run the following example without modifying it, the result is a client certificate named 'P2SChildCert'.  If you want to name the child certificate something else, modify the CN value. Don't change the TextExtension when running this example. The client certificate that you generate is automatically installed in 'Certificates - Current User\Personal\Certificates' on your computer.
+Modify and run the example to generate a client certificate. If you run the following example without modifying it, the result is a client certificate named 'P2SChildCert'. If you want to name the child certificate something else, modify the CN value. Don't change the TextExtension when running this example. The client certificate that you generate is automatically installed in 'Certificates - Current User\Personal\Certificates' on your computer.
 
 ```powershell
-New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
--Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
--HashAlgorithm sha256 -KeyLength 2048 `
--CertStoreLocation "Cert:\CurrentUser\My" `
--Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
+
+   $params = @{
+       Type = 'Custom'
+       Subject = 'CN=P2SChildCert'
+       DnsName = 'P2SChildCert'
+       KeySpec = 'Signature'
+       KeyExportPolicy = 'Exportable'
+       KeyLength = 2048
+       HashAlgorithm = 'sha256'
+       NotAfter = (Get-Date).AddMonths(18)
+       CertStoreLocation = 'Cert:\CurrentUser\My'
+       TextExtension = @(
+        '2.5.29.37={text}1.3.6.1.5.5.7.3.2')
+   }
+   New-SelfSignedCertificate @params
 ```
 
 ### <a name="ex2"></a>Example 2 - New PowerShell console session
@@ -82,11 +101,20 @@ If you're creating additional client certificates, or aren't using the same Powe
 1. Modify and run the example to generate a client certificate. If you run the following example without modifying it, the result is a client certificate named 'P2SChildCert'. If you want to name the child certificate something else, modify the CN value. Don't change the TextExtension when running this example. The client certificate that you generate is automatically installed in 'Certificates - Current User\Personal\Certificates' on your computer.
 
    ```powershell
-   New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-   -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-   -HashAlgorithm sha256 -KeyLength 2048 `
-   -CertStoreLocation "Cert:\CurrentUser\My" `
-   -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
+   $params = @{
+       Type = 'Custom'
+       Subject = 'CN=P2SChildCert'
+       DnsName = 'P2SChildCert1'
+       KeySpec = 'Signature'
+       KeyExportPolicy = 'Exportable'
+       KeyLength = 2048
+       HashAlgorithm = 'sha256'
+       NotAfter = (Get-Date).AddMonths(18)
+       CertStoreLocation = 'Cert:\CurrentUser\My'
+       TextExtension = @(
+        '2.5.29.37={text}1.3.6.1.5.5.7.3.2')
+   }
+   New-SelfSignedCertificate @params
    ```
 
 ## <a name="cer"></a>Export the root certificate public key (.cer)

includes/vpn-gateway-generate-export-certificates-include.md

@@ -2,7 +2,7 @@
  author: cherylmc
  ms.service: vpn-gateway
  ms.topic: include
- ms.date: 11/21/2022
+ ms.date: 08/07/2023
  ms.author: cherylmc
 
 ---

includes/vpn-gateway-p2s-architecture.md

@@ -2,11 +2,11 @@
  ms.topic: include
  author: cherylmc
  ms.service: vpn-gateway
- ms.date: 05/23/2022
+ ms.date: 08/07/2023
  ms.author: cherylmc
 
 ---
-Each client computer that you connect to a VNet with a Point-to-Site connection must have a client certificate installed. You generate it from the root certificate and install it on each client computer. If you don't install a valid client certificate, authentication will fail when the client tries to connect to the VNet.
+Each client computer that you connect to a VNet with a point-to-site connection must have a client certificate installed. You generate it from the root certificate and install it on each client computer. If you don't install a valid client certificate, authentication will fail when the client tries to connect to the VNet.
 
 You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients. The advantage to generating unique client certificates is the ability to revoke a single certificate. Otherwise, if multiple clients use the same client certificate to authenticate and you revoke it, you'll need to generate and install new certificates for every client that uses that certificate.
 

includes/vpn-gateway-p2s-clientcert-include.md

@@ -2,14 +2,14 @@
  ms.topic: include
  author: cherylmc
  ms.service: vpn-gateway
- ms.date: 05/23/2022
+ ms.date: 08/07/2023
  ms.author: cherylmc
 ---
 Obtain the .cer file for the root certificate. You can use either a root certificate that was generated with an enterprise solution (recommended), or generate a self-signed certificate. After you create the root certificate, export the public certificate data (not the private key) as a Base64 encoded X.509 .cer file. You upload this file later to Azure.
 
 * **Enterprise certificate:** If you're using an enterprise solution, you can use your existing certificate chain. Acquire the .cer file for the root certificate that you want to use.
-* **Self-signed root certificate:** If you aren't using an enterprise certificate solution, create a self-signed root certificate. Otherwise, the certificates you create won't be compatible with your P2S connections and clients will receive a connection error when they try to connect. You can use Azure PowerShell, MakeCert, or OpenSSL. The steps in the following articles describe how to generate a compatible self-signed root certificate:
+* **Self-signed root certificate:** If you aren't using an enterprise certificate solution, create a self-signed root certificate. Otherwise, the certificates you create won't be compatible with your P2S connections and clients receive a connection error when they try to connect. You can use Azure PowerShell, MakeCert, or OpenSSL. The steps in the following articles describe how to generate a compatible self-signed root certificate:
 
-  * [Windows 10 or later PowerShell instructions](../articles/vpn-gateway/vpn-gateway-certificates-point-to-site.md): These instructions require Windows 10 or later and PowerShell to generate certificates. Client certificates that are generated from the root certificate can be installed on any supported P2S client.
-  * [MakeCert instructions](../articles/vpn-gateway/vpn-gateway-certificates-point-to-site-makecert.md): Use MakeCert if you don't have access to a Windows 10 or later computer to use to generate certificates. Although MakeCert is deprecated, you can still use it to generate certificates. Client certificates that you generate from the root certificate can be installed on any supported P2S client.
+  * [PowerShell instructions for Windows 10 or later](../articles/vpn-gateway/vpn-gateway-certificates-point-to-site.md): These instructions require PowerShell on a computer running Windows 10 or later. Client certificates that are generated from the root certificate can be installed on any supported P2S client.
+  * [MakeCert instructions](../articles/vpn-gateway/vpn-gateway-certificates-point-to-site-makecert.md): Use MakeCert to generate certificates if you don't have access to a computer running Windows 10 or later. Although MakeCert is deprecated, you can still use it to generate certificates. Client certificates that you generate from the root certificate can be installed on any supported P2S client.
   * [Linux instructions](../articles/vpn-gateway/vpn-gateway-certificates-point-to-site-linux.md).

includes/vpn-gateway-p2s-rootcert-include.md

@@ -1,9 +1,9 @@
 ---
 author: cherylmc
 ms.author: cherylmc
-ms.date: 06/14/2023
+ms.date: 08/04/2023
 ms.service: vpn-gateway
 ms.custom:
 ms.topic: include
 ---
-You can also install and run the Azure PowerShell cmdlets locally on your computer. PowerShell cmdlets are updated frequently. If you have not installed the latest version, the values specified in the instructions may fail. To find the versions of Azure PowerShell installed on your computer, use the `Get-Module -ListAvailable Az` cmdlet. To install or update, see [Install the Azure PowerShell module](/powershell/azure/install-azure-powershell).
+You can also install and run the Azure PowerShell cmdlets locally on your computer. PowerShell cmdlets are updated frequently. If you haven't installed the latest version, the values specified in the instructions may fail. To find the versions of Azure PowerShell installed on your computer, use the `Get-Module -ListAvailable Az` cmdlet. To install or update, see [Install the Azure PowerShell module](/powershell/azure/install-azure-powershell).