3 Ways to Get Rid of the Certificate Validation Failure on VPNs
- The most common reason for certificate validation failure on VPN is an expired certificate.
- VPN certificates are essential because they are a more secure way for authentication than preshared keys.
- Users reported that updating the certificate will solve the certificate validation failure error.
VPN, an acronym for Virtual Privacy Networks has certificates by a public authority that manages them. They are essential electronic documents, as VPN devices use them to indicate if they are the ones you connect to. Thus, it is imperative to quickly fix any VPN certificate validation failure.
Digital certificates of VPN are also used for authentication, and this is more secure than preshared keys. VPN certificates expire due to security reasons and when there is a need to replace them.
It used to take a more extended period of time for a valid VPN certificate to last, however, in 2021, SSL certificate expiration was reduced and a valid certificate lasted for 12 months only.
Still, this may not be the sole reason you are getting a failure in certificate validation. There are many other reasons why this may be happening with Cisco or some other VPN service provider.
Virtual Privacy Networks improve your security and privacy as you browse the Internet, which is why people use them. Therefore if you cannot validate VPN security, the purpose of getting the VPN in the first place is defeated.
How do I get a VPN certificate?
- Visit the Azure portal as an administrator.
- Click on Azure Active Directory on the left menu.
- Go to the Manage section in the Azure Active Directory menu and click on Security.
- Click on the Protect section on the Security page and select Conditional Access.
- Go to the Policies page on the Conditional access page and click on VPN Connectivity.
- Click New Certificate and generate one for yourself.
To have access to generate a new VPN certificate, you need to create an Azure Microsoft account. Microsoft has a free trial that you can use to gain access before you need to pay.
When your VPN certificate expires, you need to update it. If you do not update your VPN certificate, you lose security and become exposed to threats that make your private and classified information vulnerable.
How do I update my VPN certificate?
In order to update your VPN certificate, you will have to enter the Certificates – Local Computer app from your system and tweak your current certificate.
For an in-depth, step-by-step guide on how to achieve this, follow the second solution from the list below in order to update your VPN certificate.
Do VPN certificates expire?
VPN certificates are issued with an expiration date for the sake of increased security. After that date has passed, the certificates must be updated with fresh ones.
There is a validity period of three years attached to the VPN certificates that were issued by both the Internal RSA CA for Gateways and the Internal ECDSA CA.
How do I fix VPN validation failure?
1. Check the validity of your VPN certificate
- Press the Windows and R keys on your device to open the Run tab and type in mmc then press Enter.
- Click on the File option in the top right corner and select Add/Remove Snap-in from the drop-down menu.
- Choose Certificates from the Available snap-ins section then click on the Add button.
- From the three options, click on My User Account.
These steps will enable you access to the current User certificates to see the certificate that you have in the system. When you double-click on the certificate, you can see the details, which include the validity and expiry date.
After you check, and find that your VPN certificate may have expired, proceed to renew it.
2. Update your VPN certificate
- Click on the magnifying glass icon from your Taskbar then type in certlm.msc and select the topmost result.
- Right-click on the open space and select All Tasks.
- Click on Advanced Operations and select Create Custom Request.
- Select Proceed without enrollment and continue with the onscreen steps.
- Click on the arrow next to Details and select Properties from the drop-down menu.
- Name the certificate a title that is easy to remember then click on Subject and select common name from the Full QDN drop-down menu.
- Enter the Fully Qualified Domain Name and click Add followed by Next.
- Go back to Properties and select the Extensions tab.
- Select Extended Key Usage, and click on Server Authentication and Add.
- Click on the Private Key tab then select Cryptographic service provider and check the Microsoft RSA or Microsoft DH option as you wish.
- Save everything by clicking on Apply and OK then click on the magnifying glass icon on your Taskbar and type PowerShell. Finally, click on the topmost result in order to open it.
- Type in the following command and press Enter:
- On the next line, type in the following command and replace the FILE_NAME with your certificate’s name:
- Copy the content of the file and submit it to your public certification authority for signing.
To fix certificate validation failure VPN Cisco, and certificate validation failure VPN anyconnect, you have to first verify that the hostname and host address are still valid and then check if the certificate has expired before you proceed to install a new certificate or update the existing one.
3. Turn on OCSP Nonce on the Windows server
- Press the Windows and R keys to open a command bar and type certlm.msc to open the Certificate Service Management Console.
- Select Certificate template from the left menu and click on Manage then find OCSP Respond Signing from the drop-down menu and select it.
- Right-click on it and select Properties.
- Click on the Security tab and add the server that will be hosting the OCSP services.
- Check Read and Enrol then go back to Certificate template. Click on New, select Certificate Template to issue, and choose OCSP signing.
- Click on the certificate server and select Properties.
- Select the Extension tab and choose Authority Information Access. Select the URL of the server and click on Add.
- Go to the dashboard of the server manager of the OCSP service and click on Add roles and features.
- Check Active directory services and select Role services. Uncheck Certification Authority and check Online Responder.
- Launch the Online Responder management console.
OCSP is Online Certificate Status Protocol, and it is a method that browsers use to ensure that a security certificate is valid. Enabling OCSP service nonce protects secure network communication.
Microsoft Windows uses RFC 5019 while Cisco AnyConnect VPN ASA uses RFC 2560. This disparity causes VPN validation failure, and as such needs fixing.
When OpenVPN certificate verification failed and VPN certificate validation failure occurs, these are the steps that you can follow to rectify them.
Also, for IBM VPN certificate validation failure, there is a renew certificate application in the IBM store that can help you with renewing your certificate if it is outdated.
How do I add a VPN certificate to Windows 10/11?
- Open Settings by holding Windows and I together then go to Network and Internet followed by VPN.
- Click on Add VPN.
- On the dropdown menu, select Windows built-in as the VPN provider.
- Type in a name for the VPN connection in the Connection name field.
- Get the server name and address from the provider and type it into the Server address field.
- In the Type-of-sign-in info bar, type in the one your VPN provider uses and click on Save.
- When the name of the VPN appears, connect to it.
Is there any good 3rd party VPN for business?
There is another security method to protect all your business data and avoid certificate validation failure for your VPN protection.
You can use the Perimeter 81 as a Zero Trust Application Access software and secure any sensitive data from public use. This way, you guarantee private communication with IPSec or WireGuard technology.
Plus, it provides safer digital support against data leaking or cyber threats with access by role, a cloud-based interface, or monitoring tools.
In conclusion, VPN is vital because of the protection and security that users get from it. These steps will fix the validation failure that pops up. However, if these do not work, you can disconnect completely and start a new connection.
Check out our post with the five best VPNs for Windows 11, after 3 months of usage and tests, to decide which one to get on your devices.
We hope our guide proved to be useful to you. Don’t hesitate to share your thoughts with us in the comments section below. Thanks for reading!