The Azure VPN client XML file created for my virtual network gateway will not import into Azure VPN

I imported the Certificate imported to Current User > Personal > Certificates, but not to Current User > Trusted Root Certification Authorities and Local Computer > Trusted Root Certification Authorities. What is the Root Certificate? Where do I get that from?

Hi @Stephen Siggs ,

I’ve run into this issue before — in my case, the Azure VPN client refused to import the XML because the certificate setup didn’t line up correctly. Here are a few things worth checking:

1. Certificate match: Make sure the public certificate you uploaded in the point-to-site configuration matches the private certificate installed in your Personal → Certificates store on your PC. If they don’t come from the same key pair, the client XML won’t import.

Certificate format: The uploaded file should be a Base-64 encoded .cer (public key only). If you uploaded a .pfx or anything with a private key, the import will fail.

New client package: After updating the certificate, always re-download the VPN client package from the Azure portal. The old package is tied to the previous cert and won’t work anymore.

No manual edits: Don’t open or change the azurevpnconfig.xml file — even small edits can break the schema and make the Azure VPN Client reject it.

Client version: Double-check that you’re using the latest Azure VPN Client from the Microsoft Store. Older versions sometimes fail to parse configs created by newer gateways.

If you’ve gone through all this and it still won’t import, try creating a new self-signed certificate (New-SelfSignedCertificate in PowerShell), upload its public part again, and re-download the client files. That often clears out any hidden mismatch.

Let me know what happens when you try these steps — it’ll help narrow down whether it’s a cert or client issue.

Hello @Stephen Siggs,

The root certificate refers to the Azure gateway certificate. Please also follow the steps suggested by RevelionB and let us know if you need any additional help.

It turns out that the SSL Certificate we were using is somehow not compatible for use with Azure VPN. I don't really understand why, but neither a Wildcard and Business SSL Certificate sourced from Sectigo via IONOS worked in Azure VPN. Instead we purchased a Standard SSL for the same domain from Go Daddy and it worked first time.

It's really strange because we were happily using an IONOS supplier Wildcard SSL for 2-3 years before this for exactly the same domain and VPN connection - it worked fine. Just this year when we came to renew it, it's failed.

Hello @Stephen Siggs,

Could you check if the IONOS certificate matches the correct format shown below? According to the Microsoft document, this is the required format for the root certificate.

$params = @{
    Type = 'Custom'
    Subject = 'CN=P2SRootCert'
    KeySpec = 'Signature'
    KeyExportPolicy = 'Exportable'
    KeyUsage = 'CertSign'
    KeyUsageProperty = 'Sign'
    KeyLength = 2048
    HashAlgorithm = 'sha256'
    NotAfter = (Get-Date).AddMonths(24)
    CertStoreLocation = 'Cert:\CurrentUser\My'
}
$cert = New-SelfSignedCertificate @params

If the GoDaddy certificate is working, please verify whether the same parameters are present in IONOS. If they are not, kindly check with the IONOS team.

According to the security complaints, the certificate parameters are being updated. Please check with the IONOS team to obtain the latest certificate with valid parameters.

Reference document: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site#rootcert

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.