IPSEC Transport-Mode & SSL VPN Notes:
- Make sure you place a root intermediate certificate in the certsrv’s trusted intermediate certificate folder
- Make sure you place the computer certificate in the Personal/certificates folder or via GPO Push
- Don’t forget to assign security permissions to certificate templates before issuing them, i.e (Read, Deploy, Auto-deploy)
- Make sure your Validation period is long enough and your re-issuing period is long enough to re-issue
- 2048 is no longer strong enough, use 4096
- To make a Certificate Signing Request (CSR) use IIS on your CA server to create a request file. You do this by opening IIS > click on server name > glancing right and clicking ‘Server Certificates’ then glace right again and click request certificate. Go thru the prompts and then copy the contents of the request file
- (CSR Cont.) – then open up https://CA’s IP/certcsrv/ request a certificate, go to advanced, and click on web server and copy request file contents, then submit. Download/save the file. This is your CSR certificate for signing.