Always On VPN – Enroll Certificates

Harmik Batth Tech's Blog

Because you're using Group Policy to autoenroll user certificates, you need only refresh the policy on the client, and Windows 10 will automatically enroll the user account for the correct certificate. You can then validate the certificate in the Certificates console.

To enroll and validate the user certificate

  1. Sign in to a domain-joined client computer as a member of the VPN Users group.
  2. Press Windows key + R, type gpupdate /force, and press Enter.
  3. On the Start menu, type certmgr.msc, and press Enter.
  4. In the Certificates snap-in, under Personal, click Certificates. Your certificates appear in the details pane.
  5. Right-click the certificate that has your current domain user name, and click Open.
  6. On the General tab, confirm that the date listed under Valid from is today's date. If it isn't, you might have selected the wrong certificate.
  7. Click OK, and close the Certificates snap-in.

Unlike the user certificate, the VPN server's certificate must be enrolled manually, because its subject and alternative name have to carry the public name that clients connect to rather than the server's own name. After you've enrolled it, validate it by using the same process you used for the user certificate. Like the user certificate, the NPS server's authentication certificate is autoenrolled through Group Policy, so all you need to do is validate it.

Note

You might need to restart the VPN and NPS servers to allow them to update their group memberships before you can complete these steps.

To enroll and validate the VPN server certificate

  1. On the VPN server's Start menu, type certlm.msc, and press Enter.
  2. In the Certificates snap-in, right-click Personal, click All Tasks, and then click Request New Certificate to start the Certificate Enrollment Wizard.
  3. On the Before You Begin page, click Next.
  4. On the Select Certificate Enrollment Policy page, click Next.
  5. On the Request Certificates page, select the VPN Server Authentication check box.
  6. Under the VPN Server Authentication check box, click More information is required to open the Certificate Properties dialog box, and complete the following steps:
    1. Under Subject name, in Type, click Common name.
    2. Under Subject name, in Value, type the external name that clients will use to connect to the VPN (e.g., remote.futurefund.gov.au), and click Add.
    3. Under Alternative name, in Type, click DNS.
    4. Under Alternative name, in Value, type the same external VPN name (e.g., remote.futurefund.gov.au), and click Add. Clients validate the name they dial against this DNS entry, not against the common name, so it must match the public VPN name exactly.
    5. Click OK.
  7. Click Enroll.
  8. Click Finish.
  9. In the Certificates snap-in, under Personal, click Certificates. Your certificates are listed in the details pane.
  10. Right-click the certificate whose subject is the external VPN name you entered, and click Open.
  11. On the General tab, confirm that the date listed under Valid from is today's date. If it isn't, you might have selected the incorrect certificate.
  12. On the Details tab, click Enhanced Key Usage and verify that both IP security IKE intermediate and Server Authentication are listed.
  13. Click OK to close the certificate.

To validate the NPS server certificate

  1. Restart the NPS server.
  2. On the NPS server's Start menu, type certlm.msc, and press Enter.
  3. In the Certificates snap-in, under Personal, click Certificates. Your certificates are listed in the details pane.
  4. Right-click the certificate that has your NPS server's name, and click Open.
  5. On the General tab, confirm that the date listed under Valid from is today's date. If it isn't, you might have selected the incorrect certificate.
  6. Click OK to close the certificate.
  7. Close the Certificates snap-in.
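The three console procedures above (user certificate, VPN server certificate, NPS server certificate) can be scripted, which is handy when you have more than one client or server to check. The following PowerShell is an added example, not code from the original post: it triggers autoenrollment, requests the VPN server certificate with Get-Certificate, and then checks each certificate for the things the console steps look at by hand plus a few they don't (private key present, required EKU OIDs, SAN DNS entry, chain builds to a trusted root). The template name passed to Get-Certificate ('VPNServerAuthentication'), the Client Authentication EKU assumed on the user template, and the hostname remote.futurefund.gov.au are assumptions; substitute your own.

```powershell
# Added example, not code from the original post. Run section 1 on the client as the
# VPN user, sections 2 and 3 in an elevated prompt on the VPN and NPS servers respectively.

function Test-AovpnCertificate {
    <#
      Finds the newest certificate in $StorePath whose Subject contains $SubjectMatch and
      checks: private key present, valid now, required EKU OIDs present, SAN carries the
      expected DNS name, and the chain verifies against the local trust store.
      Returns $true when every check passes, otherwise writes warnings and returns $false.
    #>
    param(
        [Parameter(Mandatory)][string]$StorePath,     # Cert:\CurrentUser\My or Cert:\LocalMachine\My
        [Parameter(Mandatory)][string]$SubjectMatch,  # text expected in the Subject (user name or host name)
        [string[]]$RequiredEku = @(),                 # EKU OIDs that must be present
        [string]$RequiredDnsName                      # SAN DNS entry that must be present (optional)
    )

    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate with a subject containing '$SubjectMatch' in $StorePath"
        return $false
    }

    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in the store' }

    # AD CS backdates NotBefore by ten minutes by default, so "Valid from" is reported
    # for the admin to eyeball (as in the console steps) but only the window is enforced.
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $problems += "not valid now (Valid from $($cert.NotBefore), Valid to $($cert.NotAfter))"
    }

    # EKU: read the extension directly instead of relying on provider script properties.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $RequiredEku) {
        if ($ekuOids -notcontains $oid) { $problems += "missing EKU $oid" }
    }

    # SAN: clients match the name they dial against the SAN, not the Subject CN.
    if ($RequiredDnsName) {
        $sanNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if ($sanNames -notcontains $RequiredDnsName) { $problems += "SAN does not contain DNS name $RequiredDnsName" }
    }

    # Chain build against this machine's trust store, the same check a VPN client makes.
    if (-not $cert.Verify()) { $problems += 'chain does not build to a trusted root' }

    Write-Host ("{0}  Subject={1}  Valid from {2:d}  Thumbprint={3}" -f $StorePath, $cert.Subject, $cert.NotBefore, $cert.Thumbprint)
    foreach ($p in $problems) { Write-Warning $p }
    return ($problems.Count -eq 0)
}

# 1. User certificate: run on the client as a member of VPN Users.
#    certutil -pulse starts autoenrollment now instead of waiting for the scheduled task.
gpupdate /force | Out-Null
certutil -pulse | Out-Null
Test-AovpnCertificate -StorePath Cert:\CurrentUser\My -SubjectMatch $env:USERNAME `
    -RequiredEku '1.3.6.1.5.5.7.3.2'                          # Client Authentication (assumed on the user template)

# 2. VPN server certificate: run on the VPN server. Get-Certificate takes the template's
#    Name (usually the display name without spaces), which is an assumption here.
$vpnFqdn = 'remote.futurefund.gov.au'                         # assumed public VPN name
$result = Get-Certificate -Template 'VPNServerAuthentication' -SubjectName "CN=$vpnFqdn" `
    -DnsName $vpnFqdn -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') { Write-Warning "Enrollment status: $($result.Status)" }
Test-AovpnCertificate -StorePath Cert:\LocalMachine\My -SubjectMatch $vpnFqdn -RequiredDnsName $vpnFqdn `
    -RequiredEku '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.8.2.2'     # Server Authentication, IP security IKE intermediate

# 3. NPS certificate: run on the NPS server after the restart (autoenrolled via Group Policy).
Test-AovpnCertificate -StorePath Cert:\LocalMachine\My -SubjectMatch $env:COMPUTERNAME `
    -RequiredEku '1.3.6.1.5.5.7.3.1'                          # Server Authentication
```

If the VPN Server Authentication template requires CA certificate manager approval, Get-Certificate returns a Pending status and the validation step will report no certificate until the request is issued and retrieved; the enrolled certificate's thumbprint printed by the check is the one you later point the RRAS IKEv2/SSTP binding at.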
