AlwaysOnVPN windows 2019 but CA is windows 2008

Orçun USTURALI 51 Reputation points
2020-09-14T08:09:22.65+00:00

Hi to all,

We are running a project with the customer for AlwaysOn VPN with Windows 2019 servers as the RAS server.
But we stopped at the certificate creation step: since the CA server is Windows 2008, we cannot create the same certificate templates, because we don't have the same options.

When we do a search on the internet, there are some links saying that a Windows 2008 CA server can be used, but they didn't mention how to do that.

Does anybody have a link or guidance to follow for a Windows 2008 CA to issue the certificates that can be used for AlwaysOn VPN?

Thanks a lot


4 answers

  1. Sunny Qi 11,036 Reputation points Microsoft Vendor
    2020-09-15T06:25:15.767+00:00

    Hi,

    Thanks for posting in Q&A platform.

    >we cannot create the same certificate templates since we don't have the same options.

    Could you please help share the screenshot of the needed certificate templates and the options of certificate template for further troubleshooting?

    Best Regards,
    Sunny

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Orçun USTURALI 51 Reputation points
    2020-09-16T07:50:28.197+00:00

    Hi SunnyQi,

    Thanks a lot for the answer. I will share some screenshots; the first ones are from Windows 2008 certificate server template creation.
    The later ones are from a blog that shows the steps to configure AlwaysOn VPN.
    One of the main questions is that we don't have a Compatibility menu on the Windows 2008 CA server; the others can be seen in the pictures.

    25115-image.png

    25116-image.png

    The below screens are from a Windows 2016 CA.

    25152-image.png

    25100-image.png


  3. Sunny Qi 11,036 Reputation points Microsoft Vendor
    2020-09-17T07:49:01.16+00:00

    Hi,

    Thanks for your update.

    Based on my knowledge, a Windows 2008 CA server can issue certificates to Windows Server 2019. And if you need to configure a new certificate for the VPN server, in the Properties of the new template we don't need to modify the Compatibility and the Provider settings. For the certificates needed for configuring AOVPN, please kindly refer to the following steps, which we have tested in our lab.

    Prerequisites: if you need to configure AlwaysOn VPN, 3 certificate templates are needed.

    1. The first certificate template (we will name it "Computer <Domain Name>") will be used for the NPS server to authenticate RADIUS requests using EAP-TLS, PEAP-MSCHAPv2 or PEAP-TLS. Also, we will use this certificate for clients who are going to authenticate using a machine certificate for IKEv2 (NOTE: machine certificate authentication is only possible in IKEv2).
    2. The second certificate template (we will name it "User <Domain Name>") will be used for the users that perform the EAP-TLS and PEAP-TLS authentication methods.
    3. The third certificate template (we will name it "RAS SSL <Domain Name>") will be used by the VPN server for the SSL binding in the SSTP tunnel. Also, we can use this certificate for the IKEv2 tunnel connection (IKEv2 requires a certificate on the VPN server as well).

    Configure your Certificate templates

    Please kindly note that we do not have a Windows 2008 server to test with; I have posted the screenshots from Server 2012, but the configuration also applies to Server 2008. Thank you for your understanding.

    a. Open the Certification Authority console and click Certificate Templates. Right-click the Computer certificate template and click Duplicate Template. Go to the General tab and add the name "Computer <Domain Name>". Select Publish certificate in Active Directory (this option will allow autoenrollment of the certificate by GPO if you are planning this for the future).

    25465-image1.png

    b. Go to the Subject Name tab and in the dropdown button for Subject name format, select DNS name.

    25542-image2.png

    c. Go to Security tab. Make sure Authenticated users group is there and has Read permissions. Also, make sure Domain Computers group is there and has Enroll Permissions. If you are planning to deploy Autoenrollment GPO for this certificate, you would need to select also Autoenroll for Domain Computers group.

    25466-image3.png

    25415-image4.png

    d. Right-click the User certificate template and click Duplicate Template. Go to the General tab and add the name "User <Domain Name>". Select Publish certificate in Active Directory (this option will allow autoenrollment of the certificate by GPO).

    25522-image5.png

    e. Go to the Subject Name tab, uncheck the options "Email name" and "Include e-mail name in subject name".

    25329-image6.png

    f. Go to the Security tab. Make sure the Authenticated Users group is there and has Read permissions. Also, make sure the Domain Users group is there and has Enroll permissions. If you are planning to deploy an Autoenrollment GPO for this certificate, you would need to select also Autoenroll for the Domain Computers group.

    25475-image7.png

    25467-image8.png

    g. Right-click the Web Server template and click Duplicate Template. Go to the General tab and add the name "RAS SSL <Domain Name>".

    25544-image9.png

    h. Go to the Subject Name tab and select the option Supply in the request.

    i. Go to the Extensions tab and click Edit, then click Add and select Client Authentication. Then click OK.

    25485-image10.png

    NOTE: The certificate we are currently creating is for the SSL binding used by SSTP. If you are planning to deploy IKEv2 in your infrastructure, you will need to use this certificate as well. However, IKEv2 requires the EKU "IP security IKE intermediate". So, click Edit again, then click Add and select IP security IKE intermediate. Then click OK. If you are not going to use IKEv2, you can skip this note.

    25487-image11.png

    j. Go to the Security tab. Make sure the Authenticated Users group is there and has Read permissions. Click Add. Click Object Types, select Computers, and then search for your VPN server's account, then click OK. Select Read and Enroll permissions for the VPN server's account. Then click Apply and OK.

    25488-image12.png
    25545-image13.png

    k. Close the Certificate Templates console. We have now created the necessary certificate templates. We just need to publish them to make them available for enrollment. Right-click Certificate Templates, click New and then Certificate Template to Issue. Select all 3 certificate templates we created before.

    Best Regards,
    Sunny


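The steps above produce three templates, and the usual way a deployment goes wrong afterwards is that a certificate enrolled from one of them is missing an EKU, was issued with an e-mail name, or does not carry the VPN server's public name. The PowerShell script below is an added example for checking an enrolled certificate against the properties each role needs; it is not code from this thread or from Microsoft. The EKU OIDs are the standard values for Server Authentication, Client Authentication and IP security IKE intermediate; the template names and the FQDN `vpn.example.com` in the usage lines are assumptions. Note that the "RAS SSL" template lets the subject be supplied in the request, which is why step j grants Enroll only to the VPN server's computer account rather than to a broad group.

```powershell
# Added example (not from the thread): verify an enrolled AlwaysOn VPN certificate
# for one of the three roles described above. Names used in the usage lines are assumed.

# Standard EKU object identifiers (well-known values, not specific to this thread).
$EkuServerAuth      = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$EkuClientAuth      = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$EkuIkeIntermediate = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate (IKEv2)

function Get-CertificateEkuOids {
    # Returns the EKU OIDs present in the certificate as plain strings.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-CertificateSanText {
    # Renders the Subject Alternative Name extension (OID 2.5.29.17) as text,
    # e.g. "DNS Name=vpn.example.com" or "RFC822 Name=user@example.com".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($ext) { return $ext.Format($false) } else { return '' }
}

function Test-AovpnCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)]
        [ValidateSet('Computer', 'User', 'RasSsl')]
        [string]$Role,
        [string]$ExpectedDnsName,   # RasSsl: the public name clients connect to
        [switch]$Ikev2              # RasSsl: also require the IKE intermediate EKU
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $ekus = Get-CertificateEkuOids -Cert $Cert
    $san  = Get-CertificateSanText -Cert $Cert
    $now  = Get-Date

    # Checks common to all three roles.
    if (-not $Cert.HasPrivateKey) { $problems.Add('no private key in this store') }
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -le $now) { $problems.Add('outside validity period') }
    if (-not $Cert.Verify()) { $problems.Add('chain does not build to a trusted root') }

    switch ($Role) {
        'Computer' {
            # Duplicated from the Computer template: both EKUs, subject built from the DNS name.
            if ($ekus -notcontains $EkuClientAuth) { $problems.Add('missing Client Authentication EKU') }
            if ($ekus -notcontains $EkuServerAuth) { $problems.Add('missing Server Authentication EKU') }
            if ($san -notmatch 'DNS Name=') { $problems.Add('no DNS name in SAN (Subject name format should be DNS name)') }
        }
        'User' {
            # Duplicated from the User template with the e-mail name options unchecked.
            if ($ekus -notcontains $EkuClientAuth) { $problems.Add('missing Client Authentication EKU') }
            if ($Cert.Subject -match '(^|,\s*)E=' -or $san -match 'RFC822 Name=') {
                $problems.Add('e-mail name still present (uncheck it on the Subject Name tab)')
            }
        }
        'RasSsl' {
            # Duplicated from Web Server with Client Authentication (and optionally IKE intermediate) added.
            if ($ekus -notcontains $EkuServerAuth) { $problems.Add('missing Server Authentication EKU') }
            if ($ekus -notcontains $EkuClientAuth) { $problems.Add('missing Client Authentication EKU') }
            if ($Ikev2 -and $ekus -notcontains $EkuIkeIntermediate) {
                $problems.Add('missing IP security IKE intermediate EKU (required for IKEv2)')
            }
            if ($ExpectedDnsName) {
                # GetNameInfo(DnsName) prefers the SAN and falls back to the subject CN.
                $dns = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
                $escaped = [regex]::Escape($ExpectedDnsName)
                if ($dns -ne $ExpectedDnsName -and $san -notmatch "DNS Name=$escaped(,|$)") {
                    $problems.Add("name '$ExpectedDnsName' not in subject or SAN")
                }
            }
        }
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Role       = $Role
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems.ToArray()
    }
}

# Usage on the VPN server (assumed names; adjust to your environment):
#   $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=vpn.example.com*' }
#   Test-AovpnCertificate -Cert $cert -Role RasSsl -ExpectedDnsName 'vpn.example.com' -Ikev2
# On a client, check the machine certificate with -Role Computer, and the user certificate
# from Cert:\CurrentUser\My with -Role User.
```

Run it on the VPN server for the "RAS SSL" certificate, on the NPS server and a client for the "Computer" certificate, and in a user's context for the "User" certificate; any entry in `Problems` maps back to a specific tab in the template steps above (EKUs to the Extensions tab, names to the Subject Name tab, a missing private key to the store the certificate was enrolled into).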

  4. Orçun USTURALI 51 Reputation points
    2020-09-18T07:39:13.947+00:00

    Thanks a lot for your long answer.
    I really appreciate your work on this issue.
    As soon as we get some time to work on this issue, I will try your suggestions and then reply back to you.
    Regards

