Merge pull request #295339 from cherylmc/managed-identity

add note - vpn gateway

Author: prmerger-automator[bot]

articles/vpn-gateway/point-to-site-certificate-client-linux-azure-vpn-client.md

@@ -6,8 +6,10 @@ author: cherylmc
 ms.service: azure-vpn-gateway
 ms.custom: linux-related-content
 ms.topic: how-to
-ms.date: 09/06/2024
+ms.date: 02/26/2025
 ms.author: cherylmc
+
+# This disclaimer is in the "vpn-gateway-vwan-azure-vpn-client-certificate-linux" include file, so it doesn't need to be repeated in the article. "Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that aren't present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable."
 ---
 
 # Configure Azure VPN Client – Certificate authentication OpenVPN – Linux (Preview)
@@ -27,7 +29,7 @@ Verify that you are on the correct article. The following table shows the config
 This article assumes that you've already performed the following prerequisites:
 
 * The VPN gateway is configured for point-to-site certificate authentication and the OpenVPN tunnel type. See [Configure server settings for P2S VPN Gateway connections - certificate authentication](point-to-site-certificate-gateway.md) for steps.
-* VPN client profile configuration files have been generated and are available. See [Generate VPN client profile configuration files](point-to-site-certificate-gateway.md#profile-files) for steps.
+* VPN client profile configuration files are already generated and are available. See [Generate VPN client profile configuration files](point-to-site-certificate-gateway.md#profile-files) for steps.
 
 [!INCLUDE [Configuration steps](../../includes/vpn-gateway-vwan-azure-vpn-client-certificate-linux.md)]
 

articles/vpn-gateway/point-to-site-certificates-linux-openssl.md

@@ -6,7 +6,7 @@ author: cherylmc
 ms.service: azure-vpn-gateway
 ms.custom: linux-related-content
 ms.topic: how-to
-ms.date: 06/24/2024
+ms.date: 02/26/2025
 ms.author: cherylmc
 ---
 # Generate and export certificates - Linux - OpenSSL
@@ -36,6 +36,9 @@ This section helps you generate a self-signed root certificate. After you genera
 
 ## Client certificates
 
+> [!NOTE]
+> Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+
 In this section, you generate the user certificate (client certificate). Certificate files are generated in the local directory in which you run the commands. You can use the same client certificate on each client computer, or generate certificates that are specific to each client. It's crucial that the client certificate is signed by the root certificate.
 
 1. To generate a client certificate, use the following examples.

articles/vpn-gateway/point-to-site-vpn-client-configuration-radius-password.md

@@ -7,17 +7,19 @@ ms.custom: linux-related-content
 ms.topic: how-to
 author: cherylmc
 ms.author: cherylmc 
-ms.date: 05/23/2024
+ms.date: 02/26/2025
 ---
 # Configure a VPN client for point-to-site: RADIUS - password authentication
 
 To connect to a virtual network over point-to-site (P2S), you need to configure the client device that you'll connect from. You can create P2S VPN connections from Windows, macOS, and Linux client devices. This article helps you create and install the VPN client configuration for username/password RADIUS authentication.
 
+> [!NOTE]
+> Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that aren't present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+
 When you're using RADIUS authentication, there are multiple authentication instructions: [certificate authentication](point-to-site-vpn-client-configuration-radius-certificate.md), [password authentication](point-to-site-vpn-client-configuration-radius-password.md), and [other authentication methods and protocols](point-to-site-vpn-client-configuration-radius-other.md). The VPN client configuration is different for each type of authentication. To configure a VPN client, you use client configuration files that contain the required settings.
 
 > [!NOTE]
 > [!INCLUDE [TLS](../../includes/vpn-gateway-tls-change.md)]
->
 
 ## Workflow
 

articles/vpn-gateway/vpn-gateway-certificates-point-to-site-linux.md

@@ -6,8 +6,10 @@ author: cherylmc
 ms.service: azure-vpn-gateway
 ms.custom: linux-related-content
 ms.topic: how-to
-ms.date: 06/24/2024
+ms.date: 02/26/2025
 ms.author: cherylmc
+
+# The note "Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that aren't present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable." is in the vpn-gateway-strongswan-certificates-include file.
 ---
 # Generate and export certificates - Linux (strongSwan)
 

includes/vpn-gateway-strongswan-certificates-include.md

@@ -1,13 +1,9 @@
 ---
- title: include file
- description: include file
- services: vpn-gateway
  author: cherylmc
  ms.service: azure-vpn-gateway
  ms.topic: include
- ms.date: 09/12/2019
+ ms.date: 02/26/2025
  ms.author: cherylmc
- ms.custom: include file
 ---
 
 Generate the CA certificate.
@@ -17,14 +13,17 @@ Generate the CA certificate.
   ipsec pki --self --in caKey.pem --dn "CN=VPN CA" --ca --outform pem > caCert.pem
   ```
 
-Print the CA certificate in base64 format. This is the format that is supported by Azure. You upload this certificate to Azure as part of the [P2S configuration steps](../articles/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal.md).
+Print the CA certificate in base64 format, the format that Azure supports. You upload this certificate to Azure as part of the [P2S configuration steps](../articles/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal.md).
 
   ```
   openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo
   ```
 
 Generate the user certificate.
 
+> [!NOTE]
+> Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that aren't present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+
   ```
   export PASSWORD="password"
   export USERNAME=$(hostnamectl --static)

includes/vpn-gateway-vwan-azure-vpn-client-certificate-linux.md

@@ -30,6 +30,9 @@ For certificate authentication, a client certificate must be installed on each c
 
 Generate the client public certificate data and private key in **.pem** format using the following commands. To run the commands, you need to have the public Root certificate **caCert.pem** and the private key of Root certificate **caKey.pem**. For more information, see [Generate and export certificates - Linux - OpenSSL](../articles/vpn-gateway/point-to-site-certificates-linux-openssl.md).
 
+> [!NOTE]
+> Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that aren't present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+
 ```
 export PASSWORD="password"
 export USERNAME=$(hostnamectl --static)