Created: 8/10/20

Updated: 8/10/20

IPsec Transport-Mode & SSL VPN Notes:

  1. Put the root CA certificate in Trusted Root Certification Authorities and any intermediate (issuing) CA certificate in Intermediate Certification Authorities, in the Local Computer store of every host that has to validate the chain (CA, VPN server, clients). A root sitting in the intermediate folder, or the reverse, breaks chain building.
  2. Put the computer certificate in Local Computer > Personal > Certificates on the VPN server and on each client, either by hand or via GPO autoenrollment (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment). Each machine must enroll for its own key; don't export one certificate plus private key and push that copy everywhere.
  3. Don't forget to set security permissions on the certificate template before issuing it: the computers or group that should receive the certificate need Read and Enroll, plus Autoenroll if the GPO autoenrollment in step 2 is to do the work.
  4. Make sure the template's validity period is long enough for the use case and that its renewal period leaves enough time before expiry for autoenrollment to re-issue the certificate (the renewal period must be shorter than the validity period, otherwise nothing ever renews).
  5. Use a 4096-bit RSA key. 2048-bit RSA is still rated acceptable through 2030 (NIST SP 800-57 Part 1) for end-entity certificates, but CA keys are long-lived and sign everything beneath them, so size those up at minimum.
  6. To make a Certificate Signing Request (CSR), use IIS Manager on the server that will own the private key (the VPN/IIS server, or the CA itself when you are securing its certsrv site): open IIS Manager > click the server name > double-click 'Server Certificates' > click 'Create Certificate Request...' in the Actions pane on the right. Go through the prompts (choose the 4096-bit key length), save the request file and copy its contents, i.e. the Base64 block including the BEGIN/END NEW CERTIFICATE REQUEST lines.
  7. (CSR cont.) Open https://<CA hostname>/certsrv/, choose 'Request a certificate' > 'advanced certificate request', paste the request file contents, pick the Web Server template and submit. Download the issued certificate (Base64 encoded) and finish in IIS Manager > Server Certificates > 'Complete Certificate Request...', which pairs it with the private key generated in step 6. Note that the downloaded file is the signed certificate; the CSR is what you pasted in.
  8. Microsoft docs, securing end-to-end IPsec connections by using IKEv2: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2
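The same enrollment as steps 6 and 7, done with certreq instead of the IIS and certsrv click-through, followed by a check that the result satisfies steps 1, 2, 4 and 5. This is an added example and not part of the original notes; the CA config string, the hostname, the template name and the 60-day renewal threshold are assumptions to replace with your own values.

```powershell
# Added example (not from the original notes): certreq-based CSR, submission and install,
# then a verification of store placement, chain, key length and remaining validity.
$CaConfig = 'CA01.corp.example\Corp-Issuing-CA'   # assumption: "<CA host>\<CA common name>"
$HostName = 'vpn.corp.example'                     # assumption: FQDN used for CN and SAN
$Template = 'WebServer'                            # assumption: template *name*, not display name
$Work     = Join-Path $env:TEMP 'vpn-cert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Request definition: 4096-bit RSA (step 5), non-exportable key in the machine store,
# Server Authentication EKU and a DNS SAN (modern clients ignore the CN).
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$HostName"
KeyLength = 4096
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$HostName"

[RequestAttributes]
CertificateTemplate = $Template
"@
$infPath = Join-Path $Work 'request.inf'
$csrPath = Join-Path $Work 'request.csr'
$cerPath = Join-Path $Work 'issued.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

certreq -new    $infPath $csrPath | Out-Null                    # creates key + CSR (step 6)
certreq -submit -config $CaConfig $csrPath $cerPath | Out-Null  # same as the certsrv submit (step 7)
certreq -accept $cerPath | Out-Null                             # pairs cert with the pending key
# If the template requires CA manager approval, -submit leaves the request pending and
# issued.cer is not written; approve it on the CA and run certreq -retrieve before -accept.

function Test-IssuedCertificate {
    param([string]$Cn, [int]$MinKeyBits = 4096, [int]$MinDaysLeft = 60)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like "CN=$Cn*" -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for $Cn in LocalMachine\My (step 2)" }

    # Chain build fails if the root is missing from LocalMachine\Root or the issuing CA from
    # LocalMachine\CA (step 1). Revocation is skipped here so the check works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    $rsa      = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyBits  = if ($rsa) { $rsa.KeySize } else { 0 }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        ChainOK     = $chainOk
        ChainStatus = $status
        KeyBits     = $keyBits
        KeyOK       = ($keyBits -ge $MinKeyBits)      # step 5
        DaysLeft    = $daysLeft
        RenewalOK   = ($daysLeft -ge $MinDaysLeft)    # step 4: still inside a sane renewal window
    }
}

Test-IssuedCertificate -Cn $HostName | Format-List
```

Run it elevated on the host that should own the key; the private key never leaves that machine, which is the point of generating the CSR there rather than on the CA. A `ChainOK` of `False` with `PartialChain` or `UntrustedRoot` in `ChainStatus` is the symptom of step 1 having been skipped or done in the wrong store.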
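For the IKEv2 transport-mode side that the linked article covers, here is an added example (not from the original notes or from the Microsoft article) using the NetSecurity module cmdlets to require computer-certificate authentication for a peer subnet, plus a helper that shows whether an IKEv2 security association actually formed. The root CA subject, the peer subnet and the test host are assumptions.

```powershell
# Added example (not from the original notes): IKEv2 transport-mode IPsec authenticated
# with the computer certificates from steps 1-2, then a check of the resulting SA.
$RootDn  = 'C=US,O=Corp,CN=Corp-Root-CA'   # assumption: subject of the root that anchors the computer certs
$PeerNet = '10.10.0.0/24'                  # assumption: peers that must talk over IPsec

# Phase 1: only accept peers presenting a machine certificate that chains to $RootDn.
$certProp = New-NetIPsecAuthProposal -Machine -Cert -Authority $RootDn -AuthorityType Root
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'IKEv2 Computer Cert' -Proposal $certProp

# Transport mode (host-to-host, no tunnel), IKEv2 only. Inbound Require drops unprotected
# inbound traffic from $PeerNet; outbound Request still lets us reach peers that are not
# enrolled yet. Switch outbound to Require once every peer has its certificate.
New-NetIPsecRule -DisplayName 'IKEv2 transport to peer net' -Enabled True `
    -Mode Transport -KeyModule IKEv2 -Phase1AuthSet $authSet.InstanceID `
    -RemoteAddress $PeerNet -InboundSecurity Require -OutboundSecurity Request `
    -Profile Domain | Out-Null

function Get-IkeV2PeerState {
    # One row per remote peer with a live IKEv2 main-mode SA. An empty result after sending
    # traffic to a peer usually means a chain, EKU or store-placement problem on one side.
    Get-NetIPsecMainModeSA |
        Where-Object { $_.KeyModule -eq 'IKEv2' } |
        Select-Object LocalEndpoint, RemoteEndpoint, RemoteFirstId, CipherAlgorithm, HashAlgorithm
}

# Usage: generate some traffic to a host in $PeerNet, then inspect.
Test-NetConnection -ComputerName '10.10.0.5' -Port 445 | Out-Null   # assumption: host inside $PeerNet
Get-IkeV2PeerState | Format-Table -AutoSize
```

The rule must exist on both peers with the same authority; `RemoteFirstId` in the output should be the peer's certificate subject, which is a quick way to confirm it authenticated with the expected computer certificate rather than some other credential.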