Tech Community Live: Windows edition
Jun 05 2024, 07:30 AM - 11:30 AM (PDT)
Microsoft Tech Community

Always On VPN Certificate Services

Copper Contributor


 we are planning a an Always On deployment for a customer. They are migrating to Azure and wish to remove DA from their environment as a first step. 

 They have an ADCS PKI infrastructure. 

 We are wanting to use a cloud based Certificate Authority to deploy their certificates. The CA integrates with Intune to allow us to deploy the Windows 10 device and user based certificates fairly easily.

It has a manual process to deploy certificates to devices that are not managed by Intune, so the on-premises servers. 

 If we were to install its Root Certificate as a trusted root CA on all devices. Deployed certificates to the Windows 10 devices and the users.

Then deployed certificates to the VPN and NPS servers, so all the components trusted this external CA and had certificates from it installed.

Would we be able to use this CA with Always On VPN?

 The documentation implies we must use an ADCS PKI. 

 This would be fine if we weren't migrating to Azure. But surely as long as all the components trust the CA and the certificates are issued with the correct extensions this should work?

 I'm aware of the issues with device tunnels and  Public CA certificates. 


Thanks and regards


2 Replies

Hi Brian,


There is no explicit requirement to use Microsoft Active Directory Certificate Services (AD CS). You can use any certification authority you wish. :)

Thanks again Richard.
The Microsoft AOVPN documentation doesn't really allude to using another CA.