Tutorial: Deploy Always On VPN - Configure Certificate Authority templates
- Previous: 1 - Setup infrastructure for Always On VPN
- Next: 3 - Configure Always On VPN profile for Windows 10+ clients
In this part of the Deploy Always On VPN tutorial, you'll create certificate templates and enroll or validate certificates for the Active Directory (AD) groups that you created in Deploy Always On VPN - Setup the environment:
You'll create the following templates:
User authentication template. With a user authentication template, you can improve certificate security by selecting upgraded compatibility levels and choosing the Microsoft Platform Crypto Provider. With the Microsoft Platform Crypto Provider, you can use a Trusted Platform Module (TPM) on client computers to secure the certificate. For an overview of TPM, see Trusted Platform Module Technology Overview. The user template will be configured for auto-enrollment.
VPN server authentication template. With a VPN server authentication template, you'll add the IP Security (IPsec) IKE Intermediate application policy. The IP Security (IPsec) IKE Intermediate application policy determines how the certificate can be used, it can allow the server to filter certificates if more than one certificate is available. Because VPN clients access this server from the public internet, the subject and alternative names are different than the internal server name. As a result, you won't configure the VPN server certificate for auto-enrollment.
NPS server authentication template. With an NPS server authentication template, you'll copy the standard RAS and IAS Servers template, and scope it for your NPS server. The new NPS server template includes the server authentication application policy.
Prerequisites
Create the user authentication template
On the CA server, which in this tutorial is the domain controller, open the Certification Authority snap-in.
In the left pane, right-click Certificate Templates and select Manage.
In the Certificate Templates console, right-click User and select Duplicate Template.
Warning
Do not select Apply or OK until you have completed entering information for all tabs. Some choices can only be configured at template creation, if you select these buttons before entering ALL parameters you cannot change them. For example, on the Cryptography tab, if Legacy Cryptographic Storage Provider shows in the Provider Category field, it becomes disabled, preventing any further change. The only alternative is to delete the template and recreate it.
In the Properties of New Template dialog box, on the General tab, complete the following steps:
In Template display name, enter VPN User Authentication.
Clear the Publish certificate in Active Directory check box.
On the Security tab, complete the following steps:
Select Add.
On the Select Users, Computers, Service Accounts, or Groups dialog, enter VPN Users, then select OK.
In Group or user names, select VPN Users.
In Permissions for VPN Users, select the Enroll and Autoenroll check boxes in the Allow column.
Important
Make sure to keep the Read permission check box selected. You'll need Read permissions for enrollment.
In Group or user names, select Domain Users, then select Remove.
On the Compatibility tab, complete the following steps:
In Certification Authority, select Windows Server 2016.
On the Resulting changes dialog, select OK.
In Certificate recipient, select Windows 10/Windows Server 2016.
On the Resulting changes dialog, select OK.
On the Request Handling tab, clear Allow private key to be exported .
On the Cryptography tab, complete the following steps:
In Provider Category, select Key Storage Provider.
Select Requests must use one of the following providers.
Select both Microsoft Platform Crypto Provider and Microsoft Software Key Storage Provider.
On the Subject Name tab, clear the Include e-mail name in subject name and E-mail name .
Select OK to save the VPN User Authentication certificate template.
Close the Certificate Templates console.
In the left pane of the Certification Authority snap-in, right-click Certificate Templates, select New and then select Certificate Template to Issue.
Select VPN User Authentication, then select OK.
Create the VPN Server authentication template
In the left pane of the Certification Authority snap-in, right-click Certificate Templates and select Manage to open the Certificate Templates console.
In the Certificate Templates console, right-click RAS and IAS Server and select Duplicate Template.
Warning
Do not select Apply or OK until you have completed entering information for all tabs. Some choices can only be configured at template creation, if you select these buttons before entering ALL parameters you cannot change them. For example, on the Cryptography tab, if Legacy Cryptographic Storage Provider shows in the Provider Category field, it becomes disabled, preventing any further change. The only alternative is to delete the template and recreate it.
On the Properties of New Template dialog box, on the General tab, in Template display name, enter VPN Server Authentication.
On the Extensions tab, complete the following steps:
Select Application Policies, then select Edit.
In the Edit Application Policies Extension dialog, select Add.
On the Add Application Policy dialog, select IP security IKE intermediate, then select OK.
Select OK to return to the Properties of New Template dialog.
On the Security tab, complete the following steps:
Select Add.
On the Select Users, Computers, Service Accounts, or Groups dialog, enter VPN Servers, then select OK.
In Group or user names, select VPN Servers.
In Permissions for VPN Servers, select Enroll in the Allow column.
In Group or user names, select RAS and IAS Servers, then select Remove.
On the Subject Name tab, complete the following steps:
Select Supply in the Request.
On the Certificate Templates warning dialog box, select OK.
Select OK to save the VPN Server certificate template.
Close the Certificate Templates console.
In the left pane of the Certificate Authority snap-in, right-click Certificate Templates. Select New and then select Certificate Template to Issue.
Select VPN Server Authentication, then select OK.
Reboot the VPN server.
Create the NPS Server authentication template
In the left pane of the Certification Authority snap-in, right-click Certificate Templates and select Manage to open the Certificate Templates console.
In the Certificate Templates console, right-click RAS and IAS Server and select Duplicate Template.
Warning
Do not select Apply or OK until you have completed entering information for all tabs. Some choices can only be configured at template creation, if you select these buttons before entering ALL parameters you cannot change them. For example, on the Cryptography tab, if Legacy Cryptographic Storage Provider shows in the Provider Category field, it becomes disabled, preventing any further change. The only alternative is to delete the template and recreate it.
On the Properties of New Template dialog box, on the General tab, in Template display name, enter NPS Server Authentication.
On the Security tab, complete the following steps:
Select Add.
On the Select Users, Computers, Service Accounts, or Groups dialog, enter NPS Servers, then select OK.
In Group or user names, select NPS Servers.
In Permissions for NPS Servers, select Enroll in the Allow column.
In Group or user names, select RAS and IAS Servers, then select Remove.
Select OK to save the NPS Server certificate template.
Close the Certificate Templates console.
In the left pane of the Certificate Authority snap-in, right-click Certificate Templates. Select New and then select Certificate Template to Issue.
Select NPS Server Authentication, then select OK.
Enroll and validate the user certificate
Because you're using Group Policy to autoenroll user certificates, you only need to update the policy, and Windows 10 will automatically enroll the user account for the correct certificate. You can then validate the certificate in the Certificates console.
To validate the user certificate:
Sign in to the VPN Windows client as the user that you created for the VPN Users group.
Press Windows key + R, type gpupdate /force, and press ENTER.
On the Start menu, type certmgr.msc, and press ENTER.
In the Certificates snap-in, under Personal, select Certificates. Your certificates appear in the details pane.
Right-click the certificate that has your current domain username, and then select Open.
On the General tab, confirm that the date listed under Valid from is today's date. If it isn't, you might have selected the wrong certificate.
Select OK, and close the Certificates snap-in.
Enroll and validate the VPN server certificate
Unlike the user certificate, you must manually enroll the VPN server's certificate.
To enroll the VPN server's certificate:
On the VPN server's Start menu, type certlm.msc to open the Certificates snap-in, and press ENTER.
Right-click Personal, select All Tasks and then select Request New Certificate to start the Certificate Enrollment Wizard.
On the Before You Begin page, select Next.
On the Select Certificate Enrollment Policy page, select Next.
On the Request Certificates page, select VPN Server Authentication.
Under the VPN server check box, select More information is required to open the Certificate Properties dialog box.
Select the Subject tab and enter the following information:
In the Subject name section:
- For Type select Common Name.
- For Value, enter the name of the external domain that clients use to connect to the VPN (for example, vpn.contoso.com).
- Select Add.
Select OK to close Certificate Properties.
Select Enroll.
Select Finish.
To validate the VPN server certificate:
In the Certificates snap-in, under Personal, select Certificates.
Your listed certificates should appear in the details pane.
Right-click the certificate that has your VPN server's name, and then select Open.
On the General tab, confirm that the date listed under Valid from is today's date. If it isn't, you might have selected the wrong certificate.
On the Details tab, select Enhanced Key Usage, and verify that IP security IKE intermediate and Server Authentication display in the list.
Select OK to close the certificate.
Enroll and validate the NPS certificate
Because you're using Group Policy to autoenroll NPS certificates, you only need to update the policy, and Windows server will automatically enroll the NPS server for the correct certificate. You can then validate the certificate in the Certificates console.
To enroll the NPS certificate:
On the NPS server's Start menu, type certlm.msc to open the Certificates snap-in, and press ENTER.
Right-click Personal, select All Tasks and then select Request New Certificate to start the Certificate Enrollment Wizard.
On the Before You Begin page, select Next.
On the Select Certificate Enrollment Policy page, select Next.
On the Request Certificates page, select NPS Server Authentication.
Select Enroll.
Select Finish.
To validate the NPS certificate:
In the Certificates snap-in, under Personal, select Certificates.
Your listed certificates should appear in the details pane.
Right-click the certificate that has your NPS server's name, and then select Open.
On the General tab, confirm that the date listed under Valid from is today's date. If it isn't, you might have selected the wrong certificate.
Select OK, and close the Certificates snap-in.