Appendix A: Computer Certificates for VPN Connections

Applies To: Windows Server 2008, Windows Server 2008 R2

Windows Server 2008 R2 and Windows Server 2008 support two authentication methods for VPN connections using Layer Two Tunneling Protocol over Internet Protocol security (L2TP/IPsec): computer certificates and preshared keys. We recommend that you do not use preshared keys. RRAS on these versions of Windows also supports Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2) which use certificate-based authentication only.

In order to create an L2TP/IPsec, SSTP, or IKEv2 connection using the computer certificate authentication method, you must install a certificate in the local computer certificate store on the VPN client and VPN server computer. To install a computer certificate, a certification authority (CA) must be present to issue certificates. After the CA is configured, you can install a certificate in three different ways:

  • Recommended. By configuring the automatic enrollment of computer certificates to computers in an Active Directory Domain Services (AD DS) domain. Non-domain member computers cannot obtain certificates by using automatic enrollment.

  • By using the Certificates MMC snap-in to obtain a computer certificate.

  • By using your web browser to connect to the CA Web enrollment page to install a certificate on the local computer.

Based on the certificate policies in your organization, you need to perform only one of these methods.

To configure a CA and install the computer certificate, perform the following steps:

  1. If you do not already have an enterprise root CA:

    1. Promote the computer that you want to be a CA to a domain controller, if necessary.

    2. Install Active Directory Certificate Services as an enterprise root CA on a computer running Windows Server 2008 R2 or Windows Server 2008. The instructions for installing and configuring a CA are beyond the scope of this document. For more information, see Active Directory Certificate Services.

  2. To auto-enroll computer certificates, configure an AD DS domain. For more information, see Configure Automatic Certificate Allocation from an Enterprise CA in the RRAS Deployment Guide.

    Once that is completed, you can request and install a computer certificate for the VPN server that is a member of the domain for which automatic enrollment is configured (as well as other computers that are members of the domain). To do so, restart the computer or type gpupdate /target:computer at an Administrator command prompt.

  3. To manually enroll computer certificates, use the Certificates MMC snap-in to install the CA root certificate. For more information, see Active Directory Certificate Services.

Additional references