Aug 18 2022 06:30 PM
Hello,
we are planning a an Always On deployment for a customer. They are migrating to Azure and wish to remove DA from their environment as a first step.
They have an ADCS PKI infrastructure.
We are wanting to use a cloud based Certificate Authority to deploy their certificates. The CA integrates with Intune to allow us to deploy the Windows 10 device and user based certificates fairly easily.
It has a manual process to deploy certificates to devices that are not managed by Intune, so the on-premises servers.
If we were to install its Root Certificate as a trusted root CA on all devices. Deployed certificates to the Windows 10 devices and the users.
Then deployed certificates to the VPN and NPS servers, so all the components trusted this external CA and had certificates from it installed.
Would we be able to use this CA with Always On VPN?
The documentation implies we must use an ADCS PKI.
This would be fine if we weren't migrating to Azure. But surely as long as all the components trust the CA and the certificates are issued with the correct extensions this should work?
I'm aware of the issues with device tunnels and Public CA certificates.
Thanks and regards
Aug 20 2022 08:35 AM
Hi Brian,
There is no explicit requirement to use Microsoft Active Directory Certificate Services (AD CS). You can use any certification authority you wish. 🙂
Aug 22 2022 03:39 PM