
[az network vpn-connection create] --shared-key incorrectly required when auth-type is Certificate #33520

@brandonv191

Description

Describe the bug

In #32380, a feature was added previously to allow VPN gateway connections to use certificate-based authentication rather than a pre-shared key (PSK).

There is a validation that blocks connection creation using cert-based auth if the user does not include a --shared-key.

A shared key is not required for certificate-based authentication, as this is only a requirement for PSK-based auth.

Repro:
sample command:

az network vpn-connection create -g rggrouptest -n reproBug `
--vnet-gateway1 certAuthGateway --local-gateway2 azlnip2 `
 --auth-type Certificate --cert-auth "@certauth.json"

Will throw the following error:
--shared-key is required for VNET-to-VNET or Site-to-Site connections.

Related command

az network vpn-connection create

Errors

az network vpn-connection create -g rggrouptest -n reproBug `
--vnet-gateway1 certAuthGateway --local-gateway2 azlnip2 `
 --auth-type Certificate --cert-auth "@certauth.json"

gives:

--shared-key is required for VNET-to-VNET or Site-to-Site connections.

Issue script & Debug output

az network vpn-connection create -g rggrouptest -n reproBug `
--vnet-gateway1 certAuthGateway --local-gateway2 azlnip2 `
 --auth-type Certificate --cert-auth "@certauth.json" --debug
cli.knack.cli: Command arguments: ['network', 'vpn-connection', 'create', '-g', 'rggrouptest', '-n', 'reproBug', '--vnet-gateway1', 'certAuthGateway', '--local-gateway2', 'azlnip2', '--auth-type', 'Certificate', '--cert-auth', '@certauth.json', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x023BE618>, <function OutputProducer.on_global_arguments at 0x02702708>, <function CLIQuery.on_global_arguments at 0x02727988>]
cli.azure.cli.core.util: attempting to read file certauth.json as utf-8-sig
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Using packaged command index for profile 'latest'.
cli.azure.cli.core: Found installed extension 'azure-devops' (azext_devops).
cli.azure.cli.core: Blending packaged core index with local extension index.
cli.azure.cli.core: Modules found from index for 'network': ['azure.cli.command_modules.network', 'azure.cli.command_modules.privatedns', 'azext_vwan']
cli.azure.cli.core: Loading command modules...
cli.azure.cli.core: Loaded command modules in parallel:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: privatedns 0.326 14 60
cli.azure.cli.core: network 0.790 122 500
cli.azure.cli.core: Total (2) 0.800 136 560
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\OpenSSL/_util.py:8: UserWarning: You are using cryptography on a 32-bit Python on a 64-bit Windows Operating System. Cryptography will be significantly faster if you switch to using a 64-bit Python.
cli.azure.cli.core: virtual-wan 0.268 21 77 C:\Users\brandonvilla.azure\cliextensions\virtual-wan
cli.azure.cli.core: Total (1) 0.268 21 77
cli.azure.cli.core: Loaded 155 groups, 637 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : network vpn-connection create
cli.azure.cli.core: Command table: network vpn-connection create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x028D2348>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\brandonvilla.azure\commands\2026-06-09.09-55-27.network_vpn-connection_create.39228.log'.
az_command_data_logger: command args: network vpn-connection create -g {} -n {} --vnet-gateway1 {} --local-gateway2 {} --auth-type {} --cert-auth {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x02905D98>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x02905DE8>, <function register_global_policy_argument..add_global_policy_argument at 0x02905ED8>, <function register_cache_arguments..add_cache_arguments at 0x02905F28>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x02905F78>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x02702758>, <function CLIQuery.handle_query_parameter at 0x027279D8>, <function register_ids_argument..parse_ids_arguments at 0x02905E88>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ResourceManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\brandonvilla\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\brandonvilla.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.application: Broker enabled? True
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token_info: scopes=('https://management.core.windows.net//.default',), options={}
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://management.core.windows.net//.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 8d833078-de7c-49aa-9518-88b0d310ab31
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/c2c3dbfc-17e1-4df2-8c67-acba5fccb1e5/resourcegroups/rggrouptest?api-version=2024-11-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '034efe74-6424-11f1-8bfe-000d3afb6599'
cli.azure.cli.core.sdk.policies: 'CommandName': 'network vpn-connection create'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '-g -n --vnet-gateway1 --local-gateway2 --auth-type --cert-auth --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.87.0 (MSI) azsdk-python-core/1.39.0 Python/3.13.13 (Windows-11-10.0.26100-SP0)'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/c2c3dbfc-17e1-4df2-8c67-acba5fccb1e5/resourcegroups/rggrouptest?api-version=2024-11-01 HTTP/1.1" 200 236
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '236'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '1099'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-reads': '16499'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '998d41f8-97cb-4bee-94dd-3a62197736e0'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '998d41f8-97cb-4bee-94dd-3a62197736e0'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'WESTCENTRALUS:20260609T165528Z:998d41f8-97cb-4bee-94dd-3a62197736e0'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: C6E9F01D25064240A4CDE85CAFDC9B0C Ref B: CO6AA3150219053 Ref C: 2026-06-09T16:55:28Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Tue, 09 Jun 2026 16:55:28 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"id":"/subscriptions/c2c3dbfc-17e1-4df2-8c67-acba5fccb1e5/resourceGroups/rggrouptest","name":"rggrouptest","type":"Microsoft.Resources/resourceGroups","location":"westcentralus","tags":{},"properties":{"provisioningState":"Succeeded"}}
cli.azure.cli.core.commands.validators: using location 'westcentralus' from resource group 'rggrouptest'
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 665, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/invocation.py", line 111, in _validation
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 1001, in _validate_cmd_level
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/network/_validators.py", line 672, in process_vpn_connection_create_namespace
knack.util.CLIError: --shared-key is required for VNET-to-VNET or Site-to-Site connections.

cli.azure.cli.core.azclierror: --shared-key is required for VNET-to-VNET or Site-to-Site connections.
az_command_data_logger: --shared-key is required for VNET-to-VNET or Site-to-Site connections.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x028D2488>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 2.998 seconds (init: 0.269, invoke: 2.729)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4121 in cache file under C:\Users\brandonvilla.azure\telemetry\20260609095529025
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry_init_.pyc C:\Users\brandonvilla.azure C:\Users\brandonvilla.azure\telemetry\20260609095529025"
telemetry.process: Return from creating process 29668
telemetry.main: Finish creating telemetry upload process.

Expected behavior

The command should pass; --shared-key is not required for auth type -cert.

Environment Summary

az --version
azure-cli 2.87.0

core 2.87.0
telemetry 1.1.0

Extensions:
azure-devops 1.0.2
resource-graph 2.1.1
virtual-wan 1.0.1

Dependencies:
msal 1.36.0
azure-mgmt-resource 24.0.0

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\brandonvilla.azure'
Extensions directory 'C:\Users\brandonvilla.azure\cliextensions'

Python (Windows) 3.13.13 (tags/v3.13.13:01104ce, Apr 7 2026, 19:11:29) [MSC v.1944 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response
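As an added illustration (not azure-cli's own validator code), the following stand-alone model puts the reported check, which demands --shared-key whenever a second gateway is given, beside a version that only requires the key for PSK authentication and accepts the repro arguments. The `Namespace` field names, `validate_buggy`, `validate_fixed` and the `--cert-auth` error text are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

class CLIError(Exception):
    """Stand-in for knack.util.CLIError (assumed, not the real class)."""

SHARED_KEY_ERROR = "--shared-key is required for VNET-to-VNET or Site-to-Site connections."

@dataclass
class Namespace:
    """Subset of parsed arguments relevant to the check; field names are assumed."""
    vnet_gateway1: str
    local_gateway2: Optional[str] = None
    vnet_gateway2: Optional[str] = None
    shared_key: Optional[str] = None
    auth_type: Optional[str] = None  # e.g. "PSK" or "Certificate"
    cert_auth: Optional[dict] = None

def _is_s2s_or_vnet2vnet(ns: Namespace) -> bool:
    # A second gateway makes this a Site-to-Site or VNet-to-VNet connection.
    return bool(ns.local_gateway2 or ns.vnet_gateway2)

def validate_buggy(ns: Namespace) -> None:
    # Reproduces the reported behaviour: the key is demanded whenever a
    # second gateway is present, regardless of --auth-type.
    if _is_s2s_or_vnet2vnet(ns) and not ns.shared_key:
        raise CLIError(SHARED_KEY_ERROR)

def validate_fixed(ns: Namespace) -> None:
    # A pre-shared key only applies to PSK authentication; a certificate-
    # authenticated connection needs --cert-auth instead (message assumed).
    if not _is_s2s_or_vnet2vnet(ns):
        return
    if (ns.auth_type or "PSK").lower() == "certificate":
        if not ns.cert_auth:
            raise CLIError("--cert-auth is required when --auth-type is Certificate.")
        return
    if not ns.shared_key:
        raise CLIError(SHARED_KEY_ERROR)

def check(validator, ns: Namespace) -> Optional[str]:
    """Run a validator; return its error message, or None when it passes."""
    try:
        validator(ns)
    except CLIError as exc:
        return str(exc)
    return None

# Constructed namespace mirroring the repro command from the issue.
REPRO = Namespace(vnet_gateway1="certAuthGateway", local_gateway2="azlnip2",
                  auth_type="Certificate", cert_auth={"file": "certauth.json"})
```

`check(validate_buggy, REPRO)` returns the exact error quoted above, while `check(validate_fixed, REPRO)` returns None and a PSK connection without a key is still rejected.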
