Always On VPN Certificate Services

Brian Lynch · ‎Aug 18 2022

Hello,

we are planning a an Always On deployment for a customer. They are migrating to Azure and wish to remove DA from their environment as a first step.

They have an ADCS PKI infrastructure.

We are wanting to use a cloud based Certificate Authority to deploy their certificates. The CA integrates with Intune to allow us to deploy the Windows 10 device and user based certificates fairly easily.

It has a manual process to deploy certificates to devices that are not managed by Intune, so the on-premises servers.

If we were to install its Root Certificate as a trusted root CA on all devices. Deployed certificates to the Windows 10 devices and the users.

Then deployed certificates to the VPN and NPS servers, so all the components trusted this external CA and had certificates from it installed.

Would we be able to use this CA with Always On VPN?

The documentation implies we must use an ADCS PKI.

This would be fine if we weren't migrating to Azure. But surely as long as all the components trust the CA and the certificates are issued with the correct extensions this should work?

I'm aware of the issues with device tunnels and Public CA certificates.

Thanks and regards

Richard_Hicks · ‎Aug 20 2022

Hi Brian,

There is no explicit requirement to use Microsoft Active Directory Certificate Services (AD CS). You can use any certification authority you wish. :)

Brian Lynch · ‎Aug 22 2022

Thanks again Richard.
The Microsoft AOVPN documentation doesn't really allude to using another CA.

Always On VPN Certificate Services

Always On VPN Certificate Services

Re: Always On VPN Certificate Services

Re: Always On VPN Certificate Services

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Always On VPN Certificate Services

Always On VPN Certificate Services

Re: Always On VPN Certificate Services

Re: Always On VPN Certificate Services