RRAS: Only one certificate for IKEv2 should have IKE_INTERMEDIATE in its EKU property

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Storage Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Network Policy and Access Service (NPAS) Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2012, Windows Server 2008 R2

Product/Feature

Routing and Remote Access Service (RRAS)

Severity

Warning

Category

Configuration

Issue

There are one or more valid certificates for IKEv2 and either (a) none of them has IKE_INTERMEDIATE in the EKU property, or (b) there are multiple valid certificates for IKEv2 and more than one has IKE_INTERMEDIATE in the EKU property.

Impact

If there are one or more valid certificates, and none or more than one has IKE_INTERMEDIATE in the EKU property, then RRAS does not know which certificate to use, and selects one at random. The selected certificate might not be the one intended for use.

Windows uses the IKE Intermediate EKU to select the certificate for IKEv2 from among the several certificates that might be installed. Although you might have several certificates configured with Server Authentication EKU, only one should also have the IKE Intermediate EKU.

Resolution

Perform one of the following steps:

  • If there are no certificates with IKE_INTERMEDIATE then issue a certificate for IKEv2 with IKE_INTERMEDIATE in the EKU property.

  • If there is more than one certificate with IKE_INTERMEDIATE, then delete all but the one certificate that you want to use.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To view the certificates in the local computer store

  1. Start the Microsoft Management Console. Click Start, type MMC, and then press ENTER.

  2. Click File and then click Add/Remove Snap-in.

  3. In the Available snap-ins list, select Certificates and then click Add.

  4. Select Computer account, and then click Next.

  5. Select Local computer, click Finish, and then click OK.

  6. Expand Certificates (Local Computer), expand Personal, and then expand Certificates.

  7. Double-click a certificate to see the details.

  8. On the Details tab, select Enhanced Key Usage to see the currently assigned purposes in the box below.

  9. Click OK to close the dialog box.
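The same check can be made from an elevated PowerShell prompt instead of the MMC. The following script is an added example, not part of this topic; it reads the local computer's Personal store only, does not delete anything, and assumes the standard EKU object identifiers for Server Authentication (1.3.6.1.5.5.7.3.1) and IKE Intermediate (1.3.6.1.5.5.8.2.2).

```powershell
# Added example (not from the original topic): reproduce the BPA rule read-only.
# Assumed standard EKU OIDs:
$ServerAuthOid      = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'   # IKE Intermediate
$now = Get-Date

# Candidate IKEv2 certificates, as the topic describes them: in LocalMachine\My,
# with a private key, time-valid, and carrying Server Authentication in the EKU.
# (A certificate with no EKU extension at all is excluded here by assumption.)
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ServerAuthOid })
})

# Of those, the ones that also carry IKE Intermediate; RRAS should see exactly one.
$withIke = @($candidates | Where-Object {
    $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $IkeIntermediateOid }
})

foreach ($cert in $candidates) {
    $hasIke = [bool]($cert.EnhancedKeyUsageList |
        Where-Object { $_.ObjectId -eq $IkeIntermediateOid })
    '{0}  Subject={1}  Expires={2:yyyy-MM-dd}  IKE_INTERMEDIATE={3}' -f `
        $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $hasIke
}

switch ($withIke.Count) {
    0 { Write-Warning 'No valid IKEv2 certificate has the IKE Intermediate EKU; issue one with that EKU.' }
    1 { 'OK: exactly one certificate ({0}) is selectable for IKEv2.' -f $withIke[0].Thumbprint }
    default {
        Write-Warning ('{0} certificates carry IKE Intermediate; RRAS selects one at random. ' +
                       'Keep only the intended certificate.' -f $withIke.Count)
    }
}
```

Use the listed thumbprints to identify the certificate to keep before following the deletion procedure below in the MMC.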

To delete a certificate from the local computer store

  1. Find the certificate that you want to delete by using the steps in the previous procedure, “To view the certificates in the local computer store.”

  2. Right-click the certificate, and then click Delete.

  3. In the confirmation dialog box, click Yes.

Additional references

For more information about IKEv2 deployment, see Step-by-Step Guide: Deploy Remote Access with VPN Reconnect in a Test Lab (https://go.microsoft.com/fwlink/?linkid=143464).

For more about creating certificates by using the Active Directory Certificate Services server role, see Active Directory Certificate Services (https://go.microsoft.com/fwlink/?linkid=136444) in the Windows Server Technical Library.

For more about the Routing and Remote Access role service, see Routing and Remote Access (https://go.microsoft.com/fwlink/?linkid=153482) on TechNet, and Routing and Remote Access Service in the Windows Server Technical Library.