Forum Discussion

BrianLynch58's avatar
BrianLynch58
Copper Contributor
Aug 19, 2022

Always On VPN Certificate Services

Hello,

 we are planning a an Always On deployment for a customer. They are migrating to Azure and wish to remove DA from their environment as a first step. 

 They have an ADCS PKI infrastructure. 

 We are wanting to use a cloud based Certificate Authority to deploy their certificates. The CA integrates with Intune to allow us to deploy the Windows 10 device and user based certificates fairly easily.

It has a manual process to deploy certificates to devices that are not managed by Intune, so the on-premises servers. 

 If we were to install its Root Certificate as a trusted root CA on all devices. Deployed certificates to the Windows 10 devices and the users.

Then deployed certificates to the VPN and NPS servers, so all the components trusted this external CA and had certificates from it installed.

Would we be able to use this CA with Always On VPN?

 The documentation implies we must use an ADCS PKI. 

 This would be fine if we weren't migrating to Azure. But surely as long as all the components trust the CA and the certificates are issued with the correct extensions this should work?

 I'm aware of the issues with device tunnels and  Public CA certificates. 

 

Thanks and regards

 

  • Richard_Hicks's avatar
    Richard_Hicks
    Copper Contributor

    Hi Brian,

     

    There is no explicit requirement to use Microsoft Active Directory Certificate Services (AD CS). You can use any certification authority you wish. 🙂

    • BrianLynch58's avatar
      BrianLynch58
      Copper Contributor
      Thanks again Richard.
      The Microsoft AOVPN documentation doesn't really allude to using another CA.