(v12.0.9365.18824 started 2025-08-22 08:40:03 on VM2)
Hints to generate certificates to be used by the Application Gateway:
Server certificates for TLS encryption and authentication: Any software certificate where "Enhanced Key Usage" contains "Server Authentication" can be used.
Client/user certificates for authentication: Any certificate (software certificate or smartcard) where "Enhanced Key Usage" contains "Client Authentication" can be used. The certificates must contain an email address, because email addresses are used by the Application Gateway to define access rights.
Certificate generation:
- Certificates can be obtained from various certification authorities (CA).
- Build a CA of your own, e.g. using the built-in CA of a Microsoft Server.
- Use scripts to generate certificates (example see below).
Note: Ensure that the CA certificate is installed in "Trusted Root Certification Authorities".
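The following PowerShell function is an added example, not one of the ApplicGate scripts; its name and parameters are assumptions. It checks a certificate in the current user's "Personal" store against the requirements above: the matching "Enhanced Key Usage" entry, an email address for client/user certificates, a private key for server certificates, and a chain that ends in a CA present in "Trusted Root Certification Authorities".

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example (not part of the ApplicGate scripts). Function and parameter
# names are assumptions.
$script:EkuServerAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth ("Server Authentication")
$script:EkuClientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth ("Client Authentication")

function Test-GatewayCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [ValidateSet('Server', 'Client')] [string] $Usage
    )
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\CurrentUser\My" }

    $problems = @()

    # 1. Enhanced Key Usage must contain the OID for the intended role.
    $requiredOid = if ($Usage -eq 'Server') { $EkuServerAuth } else { $EkuClientAuth }
    $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object Value }
    if ($ekuOids -notcontains $requiredOid) {
        $problems += "EKU does not contain $requiredOid ($Usage Authentication)"
    }

    # 2. Client/user certificates need an email address; the gateway derives access
    #    rights from it. GetNameInfo looks in the subject (E=) and in the SAN.
    if ($Usage -eq 'Client') {
        $email = $cert.GetNameInfo([X509NameType]::EmailName, $false)
        if ([string]::IsNullOrEmpty($email)) {
            $problems += 'No email address in subject or subject alternative name'
        }
    }

    # 3. The chain must end in a trusted root. Revocation checking is switched off
    #    because a script-generated CA publishes no CRL (see the note in the text).
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
        $problems += "Chain does not build to a trusted root: $status"
    }

    # 4. A server certificate is useless to the gateway without its private key.
    if ($Usage -eq 'Server' -and -not $cert.HasPrivateKey) {
        $problems += 'No private key associated with the certificate'
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        Usage    = $Usage
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (thumbprint of a certificate from Cert:\CurrentUser\My):
# Test-GatewayCertificate -Thumbprint '<thumbprint>' -Usage Client
```

A "Chain does not build" result with an otherwise correct certificate usually means the CA certificate was not imported into "Trusted Root Certification Authorities" for the account the gateway runs under.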
Hints and options concerning certificate loading can be found here.
Generate certificates using PowerShell scripts running on Windows Professional or Windows Server:
- Script to generate server certificates.
- Script to generate client/user certificates.
You must allow PowerShell script execution, e.g.
  Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser
At the first run a "CA" certificate will be generated to sign the certificates. To reference this certificate for later use, the hash value of the certificate is stored in CAsavedHash.txt within the current directory. All generated certificates will be stored in the Microsoft certificate store of the current user. This approach is fine in a test environment and for configurations where no high security level is required. One disadvantage is that there is no certificate revocation list (CRL).
Certificate generation for RSP VPN Server with default (demo) configuration:
  .\GenerateServerCertificateWithCA.ps1
  Saved hash of CA cannot be found or certificate not found. Generate new CA certificate? [Y/N]:Y
  Enter Subject: ApplicGate TestComp CA
  Enter Organization: TestComp
  Servername (* for wildcard, . if no servername, no input for exit): vpn
  Domain: testcomp.com
  Following certificate has been generated:
  ... CN=vpn.testcomp.com
  Export server certificate? [Y/N]: Y
  Enter password for .pfx file: vpntest
  Exporting vpn.testcomp.com.pfx ...
  Exporting vpn.testcomp.com.cer ...
Certificate generation for RSP remote with default (demo) configuration:
  .\GenerateUserCertificateWithCA.ps1
  Username: s100.rsp
  Domain: testcomp.com
  Following certificate has been generated:
  ... E=s100.rsp@testcomp.com, CN=s100.rsp@testcomp.com, O=testcomp.com
  Export user certificate? [Y/N]: Y
  Enter password for .pfx file: s100rsp
  Exporting s100.rsp@testcomp.com.pfx ...
  Exporting s100.rsp@testcomp.com.cer ...
Certificate generation for RSP administrator for default (demo) configuration:
  .\GenerateUserCertificateWithCA.ps1
  Username: test.mgmt
  Domain: testcomp.com
  Following certificate has been generated:
  ... E=test.mgmt@testcomp.com, CN=test.mgmt@testcomp.com, O=testcomp.com
  Export user certificate? [Y/N]: Y
  Enter password for .pfx file: testmgmt
  Exporting test.mgmt@testcomp.com.pfx ...
  Exporting test.mgmt@testcomp.com.cer ...
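The script below is an added example and is not GenerateServerCertificateWithCA.ps1 or GenerateUserCertificateWithCA.ps1. It reproduces the workflow those scripts follow with the built-in New-SelfSignedCertificate cmdlet: a CA certificate whose thumbprint is remembered in CAsavedHash.txt, a server certificate with "Server Authentication" in its Enhanced Key Usage, a user certificate with "Client Authentication" and the email address in the subject, and .pfx/.cer exports. The function names are assumptions; the server name, user name and domain are taken from the demo configuration shown above. Certificates land in the current user's store, and because the CA is self-signed there is still no CRL.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not the ApplicGate scripts. Function names are assumptions.
$CaHashFile = Join-Path (Get-Location) 'CAsavedHash.txt'   # same file name the scripts use
$Store      = 'Cert:\CurrentUser\My'

function Get-OrCreateCa {
    param([string] $Subject = 'ApplicGate TestComp CA', [string] $Organization = 'TestComp')
    # Reuse the CA if its saved thumbprint still points at a certificate in the store.
    if (Test-Path $CaHashFile) {
        $saved = (Get-Content $CaHashFile -Raw).Trim()
        $ca = Get-ChildItem $Store | Where-Object Thumbprint -eq $saved
        if ($ca) { return $ca }
    }
    # Self-signed CA: basic constraints CA=true, key usable only for signing certs/CRLs.
    $ca = New-SelfSignedCertificate -Type Custom -Subject "CN=$Subject, O=$Organization" `
        -CertStoreLocation $Store -KeyExportPolicy Exportable `
        -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign `
        -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddYears(10) `
        -TextExtension @('2.5.29.19={text}ca=true&pathlength=0')
    Set-Content -Path $CaHashFile -Value $ca.Thumbprint   # "hash value" for later runs
    return $ca
}

function New-GatewayServerCertificate {
    param([Parameter(Mandatory)] [string] $Fqdn, [Parameter(Mandatory)] $Ca)
    # EKU 1.3.6.1.5.5.7.3.1 = Server Authentication; -DnsName adds the SAN.
    New-SelfSignedCertificate -Type Custom -Subject "CN=$Fqdn" -DnsName $Fqdn -Signer $Ca `
        -CertStoreLocation $Store -KeyExportPolicy Exportable `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature, KeyEncipherment -NotAfter (Get-Date).AddYears(2) `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')
}

function New-GatewayUserCertificate {
    param([Parameter(Mandatory)] [string] $User, [Parameter(Mandatory)] [string] $Domain,
          [Parameter(Mandatory)] $Ca)
    $email = "$User@$Domain"
    # EKU 1.3.6.1.5.5.7.3.2 = Client Authentication; email in subject (E=) and SAN,
    # because the gateway maps access rights to the email address.
    New-SelfSignedCertificate -Type Custom -Subject "E=$email, CN=$email, O=$Domain" -Signer $Ca `
        -CertStoreLocation $Store -KeyExportPolicy Exportable `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature -NotAfter (Get-Date).AddYears(2) `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2', "2.5.29.17={text}email=$email")
}

function Export-GatewayCertificate {
    param([Parameter(Mandatory)] $Cert, [Parameter(Mandatory)] [string] $BaseName,
          [Parameter(Mandatory)] [securestring] $Password)
    # .pfx = certificate plus private key (password protected) for the machine that uses it;
    # .cer = public part only, safe to hand out.
    Export-PfxCertificate -Cert $Cert -FilePath "$BaseName.pfx" -Password $Password | Out-Null
    Export-Certificate    -Cert $Cert -FilePath "$BaseName.cer" | Out-Null
}

$ca = Get-OrCreateCa
# Make the CA trusted for this user (the note above); the Root import asks for confirmation.
Export-Certificate -Cert $ca -FilePath 'ApplicGate-TestComp-CA.cer' | Out-Null
Import-Certificate -FilePath 'ApplicGate-TestComp-CA.cer' -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

$server = New-GatewayServerCertificate -Fqdn 'vpn.testcomp.com' -Ca $ca
Export-GatewayCertificate -Cert $server -BaseName 'vpn.testcomp.com' `
    -Password (Read-Host 'Password for vpn.testcomp.com.pfx' -AsSecureString)

$user = New-GatewayUserCertificate -User 's100.rsp' -Domain 'testcomp.com' -Ca $ca
Export-GatewayCertificate -Cert $user -BaseName 's100.rsp@testcomp.com' `
    -Password (Read-Host 'Password for s100.rsp@testcomp.com.pfx' -AsSecureString)
```

The gateway needs the server .pfx; remote users and administrators each receive their own .pfx and should import it into their personal store. Only the CA .cer needs to go into "Trusted Root Certification Authorities" on every machine that verifies these certificates; the .pfx files, which carry private keys, should not be distributed beyond their owner.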