1
00:00:02,240 --> 00:00:06,080
So here we are on our issuing CA server, and we need to open the

2
00:00:06,080 --> 00:00:09,790
Certificate Templates management console, and the easiest way to

3
00:00:09,790 --> 00:00:14,130
do that is to open the Certification Authority management console

4
00:00:14,130 --> 00:00:15,840
and launch it from there.

5
00:00:15,840 --> 00:00:21,550
If you click on the Windows Start button and just type in cert, you will

6
00:00:21,550 --> 00:00:25,270
usually find the Certification Authority management console here.

7
00:00:25,270 --> 00:00:28,420
So we're going to go ahead and open this, and then we're

8
00:00:28,420 --> 00:00:32,680
going to expand our CA and right‑click on the Certificate

9
00:00:32,680 --> 00:00:38,040
Templates folder and choose Manage.

10
00:00:38,040 --> 00:00:41,740
So here we have our certificate templates. They're stored in Active Directory.

11
00:00:41,740 --> 00:00:43,560
This may look very different in your environment.

12
00:00:43,560 --> 00:00:48,610
This is a clean, brand‑new lab environment, so there have been no changes.

13
00:00:48,610 --> 00:00:50,370
These are all the default templates.

14
00:00:50,370 --> 00:00:53,320
So the first thing we want to do to create our VPN server

15
00:00:53,320 --> 00:00:56,490
certificate is to right‑click the RAS and IAS Server

16
00:00:56,490 --> 00:01:01,640
template and choose Duplicate.

17
00:01:01,640 --> 00:01:05,800
Next, I'm going to uncheck Show resulting changes, and here I'm going to

18
00:01:05,800 --> 00:01:11,940
go and select Server 2016 for my Certification Authority, as well as

19
00:01:11,940 --> 00:01:17,480
for the Certificate recipient. Go to the General tab, and we'll give

20
00:01:17,480 --> 00:01:26,540
this certificate template a name.

21
00:01:26,540 --> 00:01:29,740
The validity period of one year is pretty much a standard industry best

22
00:01:29,740 --> 00:01:31,520
practice, so we'll go ahead and leave it at that.

23
00:01:31,520 --> 00:01:35,130
Do not check Publish in Active Directory. That's not required to see the

24
00:01:35,130 --> 00:01:40,190
certificate in AD, just an FYI. We'll go to the Cryptography tab, and I want to

25
00:01:40,190 --> 00:01:42,460
select from the Provider Category drop‑down list.

26
00:01:42,460 --> 00:01:46,740
I want to select Key Storage Provider.

27
00:01:46,740 --> 00:01:51,570
I will also change the Request hash to SHA256, and then I'm going to

28
00:01:51,570 --> 00:01:55,990
go to the Subject Name tab. Here, I need to choose the option to

29
00:01:55,990 --> 00:02:00,070
supply in the request, and you're going to get a kind of scary warning

30
00:02:00,070 --> 00:02:03,190
here, but this is basically telling you that this is a security risk,

31
00:02:03,190 --> 00:02:06,440
and indeed it is, and we'll talk about some mitigations for that in

32
00:02:06,440 --> 00:02:07,440
just a second.

33
00:02:07,440 --> 00:02:11,570
So I'm going to click OK. And next, I'm going to choose

34
00:02:11,570 --> 00:02:15,500
Use subject information from existing certificates for

35
00:02:15,500 --> 00:02:16,940
autoenrollment renewal requests.

36
00:02:16,940 --> 00:02:20,240
Since we have to supply the subject name in the request, the administrator

37
00:02:20,240 --> 00:02:23,840
is going to have to manually request this the first time.

38
00:02:23,840 --> 00:02:27,360
So if you're using a domain‑joined server, we can use certificate

39
00:02:27,360 --> 00:02:30,970
autoenrollment to renew this subsequently. That means we only have

40
00:02:30,970 --> 00:02:34,420
to do this manual request once, and then perpetually it will just

41
00:02:34,420 --> 00:02:36,840
renew itself every year.

42
00:02:36,840 --> 00:02:39,120
If you're using a non‑domain‑joined server, of course,

43
00:02:39,120 --> 00:02:41,100
you'll have to renew every year manually.

44
00:02:41,100 --> 00:02:44,420
But if you're using domain‑joined servers, you can leverage certificate

45
00:02:44,420 --> 00:02:48,510
autoenrollment to reduce this administrative burden.

46
00:02:48,510 --> 00:02:53,260
Next, we're going to go to the Extensions tab, and here we're going to click

47
00:02:53,260 --> 00:02:57,040
Edit and remove the Client Authentication application policy.

48
00:02:57,040 --> 00:03:02,130
It is not required for the VPN server. Then we'll click Add,

49
00:03:02,130 --> 00:03:05,890
and we need to add the IP Security IKE Intermediate

50
00:03:05,890 --> 00:03:17,940
application policy, and then click OK.

51
00:03:17,940 --> 00:03:20,740
And now we'll go to the Security tab.

52
00:03:20,740 --> 00:03:25,270
And here we're going to remove the RAS and IAS Servers group, and we'll

53
00:03:25,270 --> 00:03:38,540
add our VPN Servers group that we created previously.

54
00:03:38,540 --> 00:03:42,000
We will also grant this VPN Servers group the Read,

55
00:03:42,000 --> 00:03:46,440
Enroll, and Autoenroll permissions.

56
00:03:46,440 --> 00:03:48,460
The Autoenroll permission is only necessary if your

57
00:03:48,460 --> 00:03:50,640
VPN servers are domain joined.

58
00:03:50,640 --> 00:03:53,280
Obviously, if they're not domain joined, you can't take advantage of that.

59
00:03:53,280 --> 00:03:57,350
Also, just an FYI, if you have just one or, you know,

60
00:03:57,350 --> 00:03:59,870
a couple of VPN servers in your organization,

61
00:03:59,870 --> 00:04:03,160
you can get away with assigning the computer object for the VPN

62
00:04:03,160 --> 00:04:06,110
servers right here directly as opposed to doing a group.

63
00:04:06,110 --> 00:04:08,560
I prefer to do groups because it makes it a little easier if you

64
00:04:08,560 --> 00:04:11,640
want to scale out, but that's entirely up to you.

65
00:04:11,640 --> 00:04:14,390
The next thing we'll do is we'll go to the Issuance Requirements

66
00:04:14,390 --> 00:04:18,820
tab. As I said before, and as you saw in the warning message as well,

67
00:04:18,820 --> 00:04:22,270
supplying the subject name in the request for a certificate is a

68
00:04:22,270 --> 00:04:24,280
potential security risk.

69
00:04:24,280 --> 00:04:28,330
And so the general recommendation is to enable the

70
00:04:28,330 --> 00:04:31,840
option for certificate manager approval.

71
00:04:31,840 --> 00:04:34,970
Now, this has two negative side effects.

72
00:04:34,970 --> 00:04:40,030
They're both challenges from an administrative standpoint, in that

73
00:04:40,030 --> 00:04:42,840
the certificate will obviously not automatically be issued.

74
00:04:42,840 --> 00:04:46,440
That means the administrator is going to have to do some additional work

75
00:04:46,440 --> 00:04:51,870
to approve the request and also obtain the certificate once the request

76
00:04:51,870 --> 00:04:56,760
has been approved. Since this certificate only includes the server

77
00:04:56,760 --> 00:05:01,670
authentication EKU, not the client authentication EKU, it presents less

78
00:05:01,670 --> 00:05:05,500
of a risk because an attacker wouldn't be able to gain access to this

79
00:05:05,500 --> 00:05:12,160
template and supply, for example, the user principal name for a domain admin.

80
00:05:12,160 --> 00:05:13,640
So I'm going to uncheck this,

81
00:05:13,640 --> 00:05:16,290
but you may have requirements in your organization to

82
00:05:16,290 --> 00:05:19,940
use certificate manager approval.

83
00:05:19,940 --> 00:05:29,000
So now click OK, and we'll move on to creating our NPS Server certificate template next.