1
00:00:01,640 --> 00:00:05,180
So as I mentioned, Always On VPN relies on certificates issued by an

2
00:00:05,180 --> 00:00:08,620
internal private enterprise PKI for a variety of things.

3
00:00:08,620 --> 00:00:12,180
The first of those services is the VPN server itself. So let's talk

4
00:00:12,180 --> 00:00:15,660
about the requirements for the VPN server's certificate template

5
00:00:15,660 --> 00:00:18,490
that we'll create in Active Directory.

6
00:00:18,490 --> 00:00:21,540
The certificate template used for the VPN server certificate is

7
00:00:21,540 --> 00:00:25,730
a machine certificate that's issued to the VPN servers, and it

8
00:00:25,730 --> 00:00:30,100
requires two very specific Enhanced Key Usages, or EKUs, to be

9
00:00:30,100 --> 00:00:31,770
defined on that template.

10
00:00:31,770 --> 00:00:36,640
These are the Server Authentication EKU and the IP Security IKE

11
00:00:36,640 --> 00:00:41,070
Intermediate EKU. Many administrators overlook this second and rather

12
00:00:41,070 --> 00:00:46,130
crucial EKU because, technically speaking, server authentication's all

13
00:00:46,130 --> 00:00:48,100
that's required for it to function.

14
00:00:48,100 --> 00:00:48,850
However,

15
00:00:48,850 --> 00:00:53,930
Windows Server relies on the IP Security IKE Intermediate EKU to

16
00:00:53,930 --> 00:00:58,240
distinguish between multiple certificates that have server authentication

17
00:00:58,240 --> 00:01:03,550
to use specifically for IPsec with IKEv2, so it's vital that we ensure

18
00:01:03,550 --> 00:01:06,880
that this certificate has both EKUs included.

19
00:01:06,880 --> 00:01:09,740
And finally, and this is equally important,

20
00:01:09,740 --> 00:01:13,650
the subject name for this certificate must be supplied in the

21
00:01:13,650 --> 00:01:18,430
request, and the reason for that is that the subject of the VPN

22
00:01:18,430 --> 00:01:23,650
server's certificate is not the server's hostname, or its NetBIOS

23
00:01:23,650 --> 00:01:26,540
name; rather, it is the server's public name,

24
00:01:26,540 --> 00:01:29,480
that is, the name that you will put in public DNS that your

25
00:01:29,480 --> 00:01:33,430
VPN clients will use to connect to it, and that is most

26
00:01:33,430 --> 00:01:35,650
commonly not the VPN server name.

27
00:01:35,650 --> 00:01:39,940
The VPN server might have a name like VPN1, and you might also

28
00:01:39,940 --> 00:01:43,770
have multiple servers, VPN2, VPN3, and VPN4,

29
00:01:43,770 --> 00:01:44,580
for example.

30
00:01:44,580 --> 00:01:45,840
However,

31
00:01:45,840 --> 00:01:52,550
you would probably address this entire cluster as vpn.example.com externally.

32
00:01:52,550 --> 00:01:54,690
That is the name that will be used as the subject

33
00:01:54,690 --> 00:02:04,000
for this particular certificate. So let's create this VPN server certificate template now.