Always on VPN Certificate Authority Configuration

Copper Contributor

Hey All,

I'm relatively new here and figured I'd reach out to the community for some guidance on a project that I am working on. I am looking at the possibilty of implemeting and supporting an always on vpn configuration in my infrastructure. I've seen various articles out there suggesting that I need to setup and configure a certificate authority and leverage it for use within this environment. All of the articles I've read speak to starting from scratch and nothing I've found speaks to leveraging an existing ca or what modifications need to be made to the server to allow for uninterupted use of the existing server and at the same time leverage that same server for AOVPN.


So my question is this, can I use my existing root ca?......I currently leverage this server to apply certicates to internal servers ( and for wireless authentication. If i can use this server do i need to make any configuration changes or include a subordinate ca into the infrastructure? Finally and on a completely separate note in implementing this I would like to leverage conditional access, with that does the endpoint (or server) need to be hybrid ad joined?.....or is that something I don't need to be concerned about?

1 Reply
I did this about a year ago. You can use your existing Certificate Setup. Generally we just had to confirm Devices and Users are getting certs. As the two tunnels authenticate with them. I wouldn't re-invent PKI. I would use a new NPS and RAS server for it though, keep it simple. I didn't configure conditional access, just allowed access if computer and user are in domain groups.

I recommend Googling "Richard Hicks". He has a lot of good articles on it that help supplement the Microsoft ones.