Certificates are used throughout the Always On VPN infrastructure, so a discussion about PKI and certificates is critical. We'll need certificates for a variety of things. For example, we'll need to install certificates on the VPN servers and the NPS servers, and there are a couple of different capabilities that are enabled when we put certificates there. We'll also need to issue certificates to our VPN users to authenticate them on the VPN, as well as to the devices that are performing device-based connections, or device tunnels; we'll need to install a certificate on those devices as well.

The VPN server requires a certificate issued by the internal CA for IKEv2. When running SSTP, it's recommended that a public SSL or TLS certificate be used. While it is technically possible to use an internal certificate for SSTP, it should be avoided in most scenarios. Clients perform revocation checks on the SSTP certificate when they establish a VPN connection using that protocol. Most internal CAs or PKIs don't expose their CRL infrastructure publicly, so that CRL check will fail. Also, public CA operators have a much more robust, resilient and higher-performing CRL infrastructure, ensuring reliable operation for your VPN clients using SSTP, so use a public SSL or TLS certificate for SSTP as much as possible.

Both IKEv2 and SSTP certificates require the server authentication EKU. The certificate used by IKEv2, however, requires the IP security IKE intermediate EKU as well. Certificates are also issued to NPS servers; they must include the server authentication EKU. VPN users will require a certificate with the client authentication EKU, as will VPN devices. Certificates for NPS servers, VPN users, and VPN devices should all be issued by the internal private CA.

An important note here: when you're provisioning these certificates for anything that is a mobile or portable device, so laptops, tablets, and so forth, make sure that those certificates are issued only to devices with a Trusted Platform Module, or TPM. Without a TPM, the certificate private keys are simply stored on disk and protected by NTFS file permissions, and anyone with administrator privileges can extract those keys. Storing those keys in the TPM ensures that no one, including a local administrator, can export those certificates and keys and use them on another endpoint.
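The EKU and TPM requirements above can be audited on a Windows host before a certificate is put into service. The following PowerShell function is an added example written for this page, not code from the course; it assumes the certificate is already in a local certificate store, treats the "Microsoft Platform Crypto Provider" as the indicator of a TPM-backed key, and only inspects RSA private keys.

```powershell
# Added example: audit a certificate against the Always On VPN requirements
# discussed above (EKUs per role, TPM-backed private key for user/device certs).
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$IkeIntermedOid = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate EKU
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-AovpnCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)]
        [ValidateSet('IKEv2Server', 'SSTPServer', 'NPS', 'User', 'Device')]
        [string] $Role
    )
    # Collect the EKU OIDs present on the certificate.
    $ekus = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    # Required EKUs per role, as described in the text.
    $required = switch ($Role) {
        'IKEv2Server' { @($ServerAuthOid, $IkeIntermedOid) }
        'SSTPServer'  { @($ServerAuthOid) }
        'NPS'         { @($ServerAuthOid) }
        default       { @($ClientAuthOid) }   # User and Device certificates
    }
    $missing = @($required | Where-Object { $ekus -notcontains $_ })

    # Private key storage: a TPM-backed CNG key reports the Platform Crypto Provider.
    # Left as $null when there is no private key or the key is not RSA/CNG (assumption).
    $tpmBacked = $null
    if ($Certificate.HasPrivateKey) {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
        if ($key -is [System.Security.Cryptography.RSACng]) {
            $tpmBacked = ($key.Key.Provider.Provider -eq 'Microsoft Platform Crypto Provider')
        }
    }
    [pscustomobject]@{
        Subject     = $Certificate.Subject
        Role        = $Role
        MissingEKUs = $missing
        TpmBacked   = $tpmBacked
        # User/device certificates must also have a TPM-protected key to pass.
        Pass        = ($missing.Count -eq 0) -and (($Role -notin 'User', 'Device') -or ($tpmBacked -eq $true))
    }
}

# Usage: replace the placeholder thumbprint with the certificate to audit.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq 'REPLACE_WITH_THUMBPRINT'
if ($cert) { Test-AovpnCertificate -Certificate $cert -Role IKEv2Server }
```

For a VPN user certificate, run the same function against `Cert:\CurrentUser\My` with `-Role User`; a `TpmBacked` value of `$false` means the private key is software-stored and exportable by an administrator, exactly the case the text warns about.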