1
00:00:02,240 --> 00:00:06,130
So the user certificate requires a little extra attention to detail.

2
00:00:06,130 --> 00:00:07,640
We'll talk about that.

3
00:00:07,640 --> 00:00:10,900
The VPN user certificate is quite obviously a user certificate.

4
00:00:10,900 --> 00:00:14,130
It's stored in the user's certificate store on the endpoint.

5
00:00:14,130 --> 00:00:19,500
The only required EKU for user certificates is client authentication.

6
00:00:19,500 --> 00:00:24,830
You will commonly see S/MIME or secure email, an encrypted file

7
00:00:24,830 --> 00:00:27,300
system, and some other EKUs that are included.

8
00:00:27,300 --> 00:00:29,500
And that's fine if you want to use that certificate for those

9
00:00:29,500 --> 00:00:33,100
other things, but the minimum requirement to support VPN user

10
00:00:33,100 --> 00:00:36,340
authentication is client authentication.

11
00:00:36,340 --> 00:00:40,390
The subject name of the certificate is the user's common name.

12
00:00:40,390 --> 00:00:43,780
But importantly, the alternative name needs to be populated

13
00:00:43,780 --> 00:00:45,730
with the UPN, the User Principal Name.

14
00:00:45,730 --> 00:00:49,800
That's what we're actually going to use to authenticate to Active Directory.

15
00:00:49,800 --> 00:00:53,100
It's also essential to enroll this certificate to a

16
00:00:53,100 --> 00:00:56,300
TPM exclusively whenever possible.

17
00:00:56,300 --> 00:01:00,300
And the reason for that is the TPM affords us a great deal of

18
00:01:00,300 --> 00:01:03,900
security for a certificate that's pretty important.

19
00:01:03,900 --> 00:01:06,060
If an attacker were to compromise this certificate,

20
00:01:06,060 --> 00:01:09,520
they could access our network without even knowing the user's password.

21
00:01:09,520 --> 00:01:12,890
So we want to ensure that this certificate is well protected,

22
00:01:12,890 --> 00:01:20,440
especially on mobile devices or portable platforms like laptops and tablets.
23
00:01:20,440 --> 00:01:21,930
A TPM, if you're not familiar with it,

24
00:01:21,930 --> 00:01:26,500
is actually baked into or built into the system board on laptops

25
00:01:26,500 --> 00:01:31,760
and tablets, and it is a dedicated crypto processor that has many

26
00:01:31,760 --> 00:01:36,220
capabilities that allow it to protect at a very high level the

27
00:01:36,220 --> 00:01:38,170
private key of the certificate,

28
00:01:38,170 --> 00:01:41,650
which is really the important part. It ensures that an attacker

29
00:01:41,650 --> 00:01:46,040
cannot easily gain access to that, and I say not easily because

30
00:01:46,040 --> 00:01:48,020
it is prohibitively difficult.

31
00:01:48,020 --> 00:01:49,510
Nation-state attackers,

32
00:01:49,510 --> 00:01:53,020
perhaps NSA and those types of things, governments,

33
00:01:53,020 --> 00:01:56,540
may have some way to get to this,

34
00:01:56,540 --> 00:01:58,910
but the vast majority of attackers are not going to be

35
00:01:58,910 --> 00:02:00,650
able to get to this certificate.

36
00:02:00,650 --> 00:02:04,040
So storing it on a TPM is critical.

37
00:02:04,040 --> 00:02:12,000
So let's see how we create this user certificate template tied to a TPM using Active Directory.