1
00:00:02,040 --> 00:00:05,280
So now that we have our IPsec certificate for IKEv2,

2
00:00:05,280 --> 00:00:10,290
let's move on to the certificate request for our public TLS certificate.

3
00:00:10,290 --> 00:00:12,250
This is going to be a little bit different because we're going to

4
00:00:12,250 --> 00:00:15,810
actually prepare the request as an offline request.

5
00:00:15,810 --> 00:00:19,940
So we're going to generate a CSR, or certificate signing request,

6
00:00:19,940 --> 00:00:24,620
which is a file that contains the public key and some additional information,

7
00:00:24,620 --> 00:00:27,500
and we're going to send that to our public CA.

8
00:00:27,500 --> 00:00:31,380
I will use DigiCert because that's my public CA of choice.

9
00:00:31,380 --> 00:00:34,420
You can use any public CA you wish.

10
00:00:34,420 --> 00:00:36,430
Fundamentally the process is the same.

11
00:00:36,430 --> 00:00:40,100
The certificate signing request is sent to the public CA,

12
00:00:40,100 --> 00:00:41,560
they'll sign it and return it,

13
00:00:41,560 --> 00:00:44,940
and then you'll pair that up with your private key,

14
00:00:44,940 --> 00:00:48,030
and then it will be available on this specific server.

15
00:00:48,030 --> 00:00:50,250
So let's go ahead and right-click anywhere,

16
00:00:50,250 --> 00:00:53,740
again, in the white space here and choose All Tasks,

17
00:00:53,740 --> 00:00:59,040
Advanced Operations, Create Custom Request.

18
00:00:59,040 --> 00:01:01,040
So we'll choose Next,

19
00:01:01,040 --> 00:01:07,040
and here we want to select Proceed without enrollment policy and choose Next.

20
00:01:07,040 --> 00:01:09,290
All of the defaults here are just fine.

21
00:01:09,290 --> 00:01:10,460
We're going to use a CNG key.

22
00:01:10,460 --> 00:01:13,220
We'll use PKCS #10 as the request format.

23
00:01:13,220 --> 00:01:15,440
So we'll choose Next.

24
00:01:15,440 --> 00:01:16,440
And here,

25
00:01:16,440 --> 00:01:18,920
we need to select the little arrow here next to

26
00:01:18,920 --> 00:01:21,100
Details and then click Properties.

27
00:01:21,100 --> 00:01:23,620
And this is where we're going to provide all of the

28
00:01:23,620 --> 00:01:26,540
essential information for this request.

29
00:01:26,540 --> 00:01:30,650
So, in this case, the Friendly name, I'm just going to use the same name,

30
00:01:30,650 --> 00:01:33,840
and then we'll click on Subject name.

31
00:01:33,840 --> 00:01:36,110
And once again, in the Subject name field,

32
00:01:36,110 --> 00:01:41,660
we'll choose Common name and put our public FQDN in there and choose Add.

33
00:01:41,660 --> 00:01:44,940
Same thing here, we're going to choose DNS,

34
00:01:44,940 --> 00:01:48,840
paste our public name, and click Add again.

35
00:01:48,840 --> 00:01:52,030
And now we're going to go to the Extensions tab,

36
00:01:52,030 --> 00:01:56,220
and there are a couple of different things that we need to address here.

37
00:01:56,220 --> 00:01:59,630
Specifically, let's expand the Enhanced Key Usage section,

38
00:01:59,630 --> 00:02:03,610
and here we want to choose Server Authentication and click Add.

39
00:02:03,610 --> 00:02:06,340
That's the only EKU that we need.

40
00:02:06,340 --> 00:02:10,440
And then next we want to go to the Private Key tab,

41
00:02:10,440 --> 00:02:14,810
and the CSP here, by default, is RSA.

42
00:02:14,810 --> 00:02:16,800
Now, this will of course work,

43
00:02:16,800 --> 00:02:21,290
but the recommendation is to use a certificate using EC,

44
00:02:21,290 --> 00:02:23,130
or elliptic curve.

45
00:02:23,130 --> 00:02:25,850
So I'm going to uncheck RSA,

46
00:02:25,850 --> 00:02:31,360
but if you're using a public CA that doesn't support EC certificates,

47
00:02:31,360 --> 00:02:33,470
you could just simply leave this as RSA.

48
00:02:33,470 --> 00:02:34,860
But I'm going to uncheck this,

49
00:02:34,860 --> 00:02:38,450
and I'm going to scroll down almost all the way to the bottom here,

50
00:02:38,450 --> 00:02:47,240
and I'm looking for ECDSA_P256,Microsoft Software Key Storage Provider,

51
00:02:47,240 --> 00:02:49,710
that's the CSP that I want to use.

52
00:02:49,710 --> 00:02:54,520
This is the CSP that you'll use for security best practices.

53
00:02:54,520 --> 00:02:58,120
So there's a variety of reasons why you would want to use EC certificates.

54
00:02:58,120 --> 00:03:02,100
They provide better security, better performance with smaller key sizes,

55
00:03:02,100 --> 00:03:04,840
the key is only 256 bits,

56
00:03:04,840 --> 00:03:10,970
but it provides the equivalent protection of a 3072-bit RSA key.

57
00:03:10,970 --> 00:03:14,850
So much better protection than RSA with much smaller key sizes,

58
00:03:14,850 --> 00:03:17,240
which is a huge win.

59
00:03:17,240 --> 00:03:20,140
The next thing we'll need to do is go to our Key options.

60
00:03:20,140 --> 00:03:23,560
And if you're building just a single server,

61
00:03:23,560 --> 00:03:26,250
you might not want to check this option,

62
00:03:26,250 --> 00:03:30,630
which is to mark the key as exportable; however,

63
00:03:30,630 --> 00:03:34,220
it may not be a bad idea because if you do this,

64
00:03:34,220 --> 00:03:35,760
even with a single server deployment,

65
00:03:35,760 --> 00:03:39,180
you can then export the certificate along with its

66
00:03:39,180 --> 00:03:42,110
private key and archive that somewhere, safely,

67
00:03:42,110 --> 00:03:43,690
not on a file share.

68
00:03:43,690 --> 00:03:48,050
Hopefully on a secure USB drive, encrypted.

69
00:03:48,050 --> 00:03:52,770
If you have something in the enterprise to store secrets,

70
00:03:52,770 --> 00:03:54,800
then that's a good place to do that as well.

71
00:03:54,800 --> 00:03:56,660
And that way, if you need to rebuild the server,

72
00:03:56,660 --> 00:03:58,650
you don't have to go through this whole process again.

73
00:03:58,650 --> 00:04:00,150
If the certificate's still valid,

74
00:04:00,150 --> 00:04:02,940
you could just grab the certificate and private key and import it.

75
00:04:02,940 --> 00:04:05,010
So I'm going to make it exportable.

76
00:04:05,010 --> 00:04:07,680
You might want to make it exportable as well if you have

77
00:04:07,680 --> 00:04:11,250
multiple servers because then you can do one CSR,

78
00:04:11,250 --> 00:04:13,880
one certificate request, get the certificate back,

79
00:04:13,880 --> 00:04:18,340
and then just put that certificate on all of your VPN servers.

80
00:04:18,340 --> 00:04:24,750
So then click OK, and then click Next, and it's going to ask you the format,

81
00:04:24,750 --> 00:04:27,800
specifically Base 64; that's the best format to use.

82
00:04:27,800 --> 00:04:30,940
Binary is probably not going to be accepted by many public CAs.

83
00:04:30,940 --> 00:04:35,840
So we use Base 64, and then we need to provide a file name.

84
00:04:35,840 --> 00:04:39,040
So I'm just going to put this on the desktop,

85
00:04:39,040 --> 00:04:46,640
and we'll just call this our vpn_cert_request.

86
00:04:46,640 --> 00:04:52,040
So we'll click Finish, and let's go take a look at it on the desktop.

87
00:04:52,040 --> 00:04:58,540
So again, this is just a text file, and if we were to open it,

88
00:04:58,540 --> 00:05:01,400
you'll see that it just has some text here.

89
00:05:01,400 --> 00:05:03,070
Not really meaningful to us.

90
00:05:03,070 --> 00:05:06,060
But if you want to make sure that everything was configured correctly,

91
00:05:06,060 --> 00:05:09,760
there is a way to actually look at it and see human-readable output.

92
00:05:09,760 --> 00:05:17,940
So to do that, let's open an elevated PowerShell or command window,

93
00:05:17,940 --> 00:05:21,090
navigate to the folder where that certificate is stored,

94
00:05:21,090 --> 00:05:23,240
in this case it's the Desktop,

95
00:05:23,240 --> 00:05:28,070
and then just type in certutil and the name of the file.

96
00:05:28,070 --> 00:05:32,440
And there you go.

97
00:05:32,440 --> 00:05:35,440
You'll see all of your information that you input along with

98
00:05:35,440 --> 00:05:38,230
the details about the certificate and the key length and the

99
00:05:38,230 --> 00:05:39,810
key type and all that good stuff,

100
00:05:39,810 --> 00:05:41,830
but if you want to review this before you submit it,

101
00:05:41,830 --> 00:05:43,070
you can certainly do that.

102
00:05:43,070 --> 00:05:44,610
So once that's done,

103
00:05:44,610 --> 00:05:49,420
you'll take this certificate request file and submit that to your public CA,

104
00:05:49,420 --> 00:05:51,680
and I'm obviously going to do that off-screen because it's

105
00:05:51,680 --> 00:05:53,780
going to be different for every public CA,

106
00:05:53,780 --> 00:05:55,210
but at the end of the day,

107
00:05:55,210 --> 00:05:59,130
you'll get a certificate back along with probably some

108
00:05:59,130 --> 00:06:00,760
issuing or intermediate certificates,

109
00:06:00,760 --> 00:06:06,000
and we'll go through the process of importing those, next.