[00:00:00] So let's move on to enrolling for certificates. Now, unlike the NPS server, where we use certificate auto-enrollment, we have to manually request a couple of different certificates for the VPN server. So, the first thing I want to do is open the Local Computer Certificates store, and here again there are two certificates that we need to enroll for. One is an internal private certificate for IPsec, and that's for IKEv2, and the second one is a public TLS certificate used for SSTP.

[00:00:36] So let's focus on the first one first. Let's go to the Personal store, and you'll see there are no certificates. Again, that's by design. But I'm going to right-click here, choose All Tasks, Request New Certificate, and we're going to make a certificate request to our PKI and get our IPsec certificate for IKEv2. So we'll click Next, select Active Directory Enrollment Policy, and choose Next. And here we'll select our VPN Server certificate template, and you'll see that there's a little warning or information link here that says, "More information is required." If you'll recall, this was because we required the subject name to be supplied in the request.

[00:01:20] Again, that's required because the VPN clients are going to connect to the VPN server using a name on the public internet, not its server hostname. So we'll click More information here. And the first thing I want to do is, in the Subject name section, select Common name, and I'm going to enter my public hostname here. Now, this is going to be entered a couple more times, so my suggestion is just to copy this and put it on your clipboard and then click Add. And again, this name is the public name of the server, not the server's actual name, so your clients are going to address this server, or this group of servers eventually, by this particular name. So in the Alternative name field, I'm going to select DNS, and I'm going to paste that value because it's essentially the same name, so we'll click Add. We'll go to the General tab, and here for the Friendly name I usually just paste the same thing. I give it the same FQDN. And really, this is all that's required. The rest of the information here is going to be handled by the certificate template in AD, so we'll go ahead and click OK and click Enroll.

[00:02:40] And once that's done, you can click Finish, and now you should see a certificate in the Local Computer Certificates store. It's using the template VPN Server. If you double-click on this, now you'll see we have a private key. And by the way, this certificate is valid for one year because that's what we defined on our certificate template. If you're using domain-joined servers and you're using certificate auto-enrollment, if you recall, we set the policy on the template in Active Directory to say re-enroll using the same subject name. So although we had to go through this process manually here on this server, next year this certificate will renew automatically, so I won't have to come back and touch it. If this is a non-domain-joined server, it becomes a little more complex because obviously we can't use auto-enrollment there, so you will have to monitor these certificates for expiration and manually repeat this process each time.