3. Deploy the Certificates
Deploy User, Computer and NPS certificates
- Log on to a Domain Controller
- Open Group policy management
- Create new group policy object named AOVPN Enable Certificate Auto-enrollment and edit the policy
- Navigate Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment
- Set configuration model to Enabled
- Check Renew expired certificates and Update certificates
- Navigate User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment
- Set configuration model to Enabled
- Check Renew expired certificates and Update certificates
- Close Group policy editor
- Under Security Filtering, limit the policy so it applies only to the AOVPN Users and AOVPN Computers groups
- Link the group policy to the OUs containing the computer and user objects:
    - clientname.co.uk > Test_NoGP > Users
    - clientname.co.uk > Test_NoGP > Computers
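The same GPO can be created, configured, filtered and linked from PowerShell, which is easier to repeat and review than the GUI steps. The following is an added example, not part of the original guide: it assumes the domain clientname.co.uk, the existing groups AOVPN Users and AOVPN Computers, the OU paths above, and that the registry value AEPolicy = 7 is the stored form of "Enabled" plus both checkboxes (confirm with gpresult /h after the first policy refresh).

```powershell
# Added example (not the guide's own script): build the auto-enrollment GPO
# with the GroupPolicy module. Run on a DC or an RSAT host as a user allowed
# to create and link GPOs. Domain, group and OU names are assumed from the guide.
Import-Module GroupPolicy

$gpoName = 'AOVPN Enable Certificate Auto-enrollment'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Certificate auto-enrollment for AOVPN users and computers'
}

# AEPolicy = 7 is assumed to equal: Enabled (1) + "Renew expired certificates,
# update pending certificates and remove revoked certificates" (2) +
# "Update certificates that use certificate templates" (4).
$aeKey = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
Set-GPRegistryValue -Name $gpoName -Key "HKLM\$aeKey" -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null  # Computer Configuration
Set-GPRegistryValue -Name $gpoName -Key "HKCU\$aeKey" -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null  # User Configuration

# Security filtering: only the two AOVPN groups apply the policy.
# Authenticated Users keeps Read (not Apply) so computer accounts can still read the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'AOVPN Users'         -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'AOVPN Computers'     -TargetType Group -PermissionLevel GpoApply | Out-Null

# Link to the OUs that hold the user and computer objects (skip if already linked).
$ous = @(
    'OU=Users,OU=Test_NoGP,DC=clientname,DC=co,DC=uk',
    'OU=Computers,OU=Test_NoGP,DC=clientname,DC=co,DC=uk'
)
foreach ($ou in $ous) {
    $linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $linked) {
        New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
    }
}

# Show what was configured so the result can be checked against the guide.
Get-GPRegistryValue -Name $gpoName -Key "HKLM\$aeKey" | Select-Object ValueName, Value
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

The Authenticated Users entry is set to Read rather than removed: since the MS16-072 change, user settings are read in the computer's security context, so stripping Read from Authenticated Users silently stops the User Configuration half of this policy from applying.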
Deploy VPN Certificates
- Log on to your VPN server
- Save the following as vpngateway.inf (it requests a non-exportable 2048-bit RSA key in the machine store, with the gateway FQDN as both the subject and the DNS SAN):
    [Version]
    Signature="$Windows NT$"
    [NewRequest]
    Subject = "CN=alwaysonvpn.clientname.com"
    Exportable = FALSE
    KeyLength = 2048
    KeySpec = 1
    KeyUsage = 0xA0
    MachineKeySet = True
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    RequestType = PKCS10
    [Extensions]
    2.5.29.17 = "{text}"
    _continue_ = "dns=alwaysonvpn.clientname.com&"
- Open CMD as administrator and issue the following command to generate the key pair and request:
    certreq -new vpngateway.inf vpngateway.req
- Copy vpngateway.req across to the PKI server
- On the PKI server, open CMD as administrator and issue the following command to submit the request against the VPN server template:
    certreq -attrib "CertificateTemplate:ClientnameVPNServerAuthentication" -submit vpngateway.req vpngateway.cer
- Copy the vpngateway.cer file back to the VPN server
- On the VPN server, open CMD as administrator and issue the following command to bind the issued certificate to the private key created in the first step:
    certreq -accept vpngateway.cer
- Import the Root CA certificate into the Trusted Root Certification Authorities store and the Internal Issuing CA1 certificate into the Intermediate Certification Authorities store
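The request, accept and import steps above can be scripted on the VPN server and followed by a check that the issued certificate is actually usable before it is bound to the VPN service. The script below is an added example, not part of the original guide: it assumes a working directory of C:\PKI on the VPN server, that the Root CA and Issuing CA1 certificates have been exported there as RootCA.cer and IssuingCA1.cer, and that the submit step is still run separately on the PKI server as the guide describes.

```powershell
# Added example (not the guide's own script). Run once on the VPN server to
# create the request; run again after vpngateway.cer has been copied back to
# accept it, import the CA chain and verify the result. Paths are assumed.
$fqdn    = 'alwaysonvpn.clientname.com'
$work    = 'C:\PKI'
$infPath = Join-Path $work 'vpngateway.inf'
$reqPath = Join-Path $work 'vpngateway.req'
$cerPath = Join-Path $work 'vpngateway.cer'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Same settings as the guide's vpngateway.inf, generated from $fqdn.
@"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$fqdn"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
"@ | Set-Content -Path $infPath -Encoding ASCII

# Stage 1: create the key pair and PKCS#10 request, then stop.
if (-not (Test-Path $cerPath)) {
    certreq -new $infPath $reqPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }
    Write-Host "Request written to $reqPath. Submit it on the PKI server with:"
    Write-Host '  certreq -attrib "CertificateTemplate:ClientnameVPNServerAuthentication" -submit vpngateway.req vpngateway.cer'
    return
}

# Stage 2: accept the issued certificate (pairs it with the private key in LocalMachine\My).
certreq -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

# Root CA goes to Trusted Root; the issuing CA goes to Intermediate (Cert:\LocalMachine\CA).
Import-Certificate -FilePath (Join-Path $work 'RootCA.cer')     -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath (Join-Path $work 'IssuingCA1.cer') -CertStoreLocation Cert:\LocalMachine\CA   | Out-Null

# Verify before binding: private key present, SAN carries the FQDN,
# Server Authentication EKU, and the chain builds to a trusted root for SSL/TLS.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$fqdn in LocalMachine\My" }

$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
$checks = [ordered]@{
    'Private key'  = [bool]$cert.HasPrivateKey
    'SAN has FQDN' = [bool]($san -and ($san.Format($false) -match [regex]::Escape($fqdn)))
    'Server Auth'  = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1'))
    'Chain (SSL)'  = [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $fqdn -ErrorAction SilentlyContinue)
}
$checks.GetEnumerator() | ForEach-Object { '{0,-13}: {1}' -f $_.Key, $_.Value }
if ($checks.Values -contains $false) { throw 'Certificate verification failed; do not bind it to the VPN service' }
Write-Host "Thumbprint $($cert.Thumbprint) verified and ready for the VPN server"
```

The chain check is the step most often skipped: certreq -accept succeeds even when the Root and Issuing CA certificates have not been imported, and the gateway then presents a certificate clients cannot validate. Running the verification on the VPN server itself catches the missing chain before the first client attempt.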