How to renew/restore expired IKEv2 VPN certificate when not in the office

Adam Lacey 1 Reputation point
2021-06-05T16:31:41.277+00:00

Hi, I am new to VPNs and currently have an issue where our IKEv2 VPN has stopped working for everyone. We have not been back in the office since the start of Lockdown (March 2020), but we have been connecting to the VPN daily. From what I believe I have discovered, the VPN certificate on the Secondary DC (the subordinate CA), which is where the IKEv2 VPN is running from, has expired. This is in everyone's "Local Computer\Personal\Certificates\". Luckily we have an old SSTP VPN still active, so I am able to remote onto the Secondary DC. This is what I have tried so far, and I hope I haven't made things harder:
As the vpn certificate had expired in the subordinate CA:

  1. I went to renew the VPN cert and it only renewed it until the following day. I believe that meant I had to renew the CA Root Certificate, which updated on the subordinate CA and changed its expiry to November this year (as that's what the primary Root CA's is, I believe).
  2. This allowed me to update the VPN Certificate until November also.
  3. I believe doing this changed the keys for the certificate, and I don't know whether that means you have to physically be in the office for Group Policy to give your laptop those keys, or whether we are able to get them somehow using the old office VPN. I tried manually exporting the cert and importing it on my laptop, but no joy. I have an old export of the old expired VPN cert if needed, but not of the updated root cert.

Basically, what is the best way to get everyone's IKEv2 VPN to connect again? I'm pretty sure it is this expired certificate issue. I've tried using the old VPN and doing a GPUPDATE /FORCE, but my laptop seems to have issues using the old VPN and drops the connection now and then, and I'm not 100% sure whether that is stopping my computer from getting the new certs, so I manually exported the new VPN cert off the server and imported it on my laptop, but it is still not connecting. I have noticed, though, a cert in my Intermediate Certification Authorities still with the expiry date of when the VPN cert expired.

Does anyone have any recommendations, please?

Many thanks in advance.

Windows for business | Windows Server | User experience | Other

9 answers

  1. Gary Nebbett 6,216 Reputation points
    2021-06-06T11:22:46.867+00:00

    Hello @Adam Lacey ,

    Has your "root" certificate expired? Root certificates often have a validity period of 20 years and it is often recommended to introduce an additional new root certificate after about half the validity period has elapsed (to smooth the hand-over) - so it would be an unpleasant surprise to suddenly discover that your sole root certificate has expired.

    If the root certificate has not expired, then there may be no need to distribute anything to the client PCs (this will depend on the authentication mechanism being used). If the authentication mechanism does not require a client certificate (e.g. EAP-MSCHAPv2) then the clients need no update - they will still trust the root certificate and all other certificate information is available in the IKEv2 protocol exchanges.

    If client certificates are needed for the authentication mechanism and these certificates have expired, then the clients will need to re-enroll.

    Gary

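    The first thing Gary's answer asks for is whether the root, the sub CA or only the leaf has expired. The script below is an added example (not code from the thread or from Microsoft) that answers that on the RRAS server: it walks the chain of the IKEv2 server certificate, labels each link, and separately checks that the leaf carries the two EKUs RRAS expects on an IKEv2 server certificate (Server Authentication and IP security IKE intermediate). Selecting the certificate by the friendly name 'IKEv2VPN' is an assumption taken from a later post; substitute your own certificate if it differs.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on the RRAS
# server. Reports which link of the VPN certificate's chain has expired and whether
# the leaf has the EKUs RRAS expects for IKEv2.

function Test-VpnCertChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $now   = Get-Date
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Expiry is the question here; revocation is skipped so an unreachable CRL
    # (common when the CA only publishes inside the office) does not mask it.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($Certificate)

    $report = foreach ($i in 0..($chain.ChainElements.Count - 1)) {
        $c = $chain.ChainElements[$i].Certificate
        $role  = if ($i -eq 0) { 'Leaf (VPN server)' } elseif ($c.Subject -eq $c.Issuer) { 'Root CA' } else { 'Sub CA' }
        $state = if ($c.NotAfter -lt $now) { 'EXPIRED' } elseif ($c.NotBefore -gt $now) { 'NOT YET VALID' } else { 'ok' }
        [pscustomobject]@{
            Role       = $role
            Subject    = $c.Subject
            NotAfter   = $c.NotAfter
            State      = $state
            Thumbprint = $c.Thumbprint
        }
    }
    if (-not $built) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "Chain does not validate: $status"
    }
    $report
}

function Test-VpnServerEku {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # RRAS expects both of these on the certificate it presents for IKEv2.
    $required = @{
        '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
        '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
    }
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $present = @()
    if ($ekuExt) { $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $required.Keys) {
        [pscustomobject]@{
            Eku     = $required[$oid]
            Oid     = $oid
            Present = ($present -contains $oid)
        }
    }
}

# Usage: pick the server certificate by friendly name (assumed 'IKEv2VPN'); if the
# store holds an old and a renewed copy, the newest NotAfter is the one to check.
$vpnCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'IKEv2VPN' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $vpnCert) { throw "No certificate with friendly name 'IKEv2VPN' in Cert:\LocalMachine\My" }
Test-VpnCertChain  -Certificate $vpnCert | Format-Table -AutoSize
Test-VpnServerEku  -Certificate $vpnCert | Format-Table -AutoSize
```

    Reading the output against Gary's answer: an EXPIRED root means every client needs the replacement root before anything else will work; an expired sub CA or leaf with a valid root means the server side needs a re-issued certificate and clients authenticating with EAP-MSCHAPv2 need nothing new. On a client, `(Get-VpnConnection -Name '<name>').AuthenticationMethod` tells you which case you are in: `Eap` needs only the trusted root, `MachineCertificate` means each client also needs its own re-enrolled certificate.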

  2. Anonymous
    2021-06-07T03:12:42.303+00:00

    Hello @Adam Lacey ,

    Thank you for posting here.

    Based on the description "As the vpn certificate had expired in the subordinate CA":

    1. Please confirm: is the expired VPN certificate issued by the subordinate CA?

    If the expired vpn certificate is issued by the subordinate CA, please check the validity period of root CA certificate and validity period of the subordinate CA, make sure that the two certificates (root CA cert and sub CA cert) have not expired, then re-enroll this vpn certificate.

    Tip 1:
    If the certificates issued by the sub CA (or root CA) have expired, we cannot renew expired certificates; we should enroll these certificates again if needed.

    If root CA cert and/or sub CA cert has expired, we should renew root CA cert and/or sub CA cert, then enroll VPN certificate again.

    2. Or is the expired VPN certificate also the subordinate CA certificate?

    If the expired vpn certificate is also the subordinate CA, please renew subordinate CA.

    Tip 2:
    The validity period of an issued certificate is the least of the values below.

    a) The expiry date of the issuing CA certificate.
    b) The validity period defined in the registry; this affects all certificates issued by Stand-alone and Enterprise CAs. For an Enterprise CA the default registry setting is two years; for a Stand-alone CA the default registry setting is one year:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits
    c) The template validity period, in the case of an Enterprise (AD-integrated) CA.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

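    The three limits in Tip 2 explain the one-day renewal in the question: AD CS never issues a certificate that outlives the CA certificate signing it, so a leaf renewed under a sub CA whose own certificate expires tomorrow comes back valid until tomorrow. The script below is an added example (not the thread's or Microsoft's code) that computes, on the issuing CA, which of the three limits is currently binding. Limits (a) and (b) are read from the machine; the template validity (c) is passed in as a number of days because reading `pKIExpirationPeriod` from AD is out of scope here, and the template name `VPNServer` in the re-enrollment line is an assumption.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on the
# issuing (sub) CA. Reports the latest expiry a newly issued certificate can get and
# which of the three limits from the answer above is the one cutting it short.

function Get-CaIssuanceLimit {
    param(
        # (c) template validity in days; 730 (two years) is an assumed default.
        [int]$TemplateValidityDays = 730
    )
    $cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    # The 'Active' value names the CA whose settings live in the sub-key.
    $caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
    $ca     = Get-ItemProperty -Path "$cfgKey\$caName"
    $now    = Get-Date

    # (b) registry limit: ValidityPeriodUnits (count) in ValidityPeriod (unit name).
    $regLimit = switch ($ca.ValidityPeriod) {
        'Years'  { $now.AddYears($ca.ValidityPeriodUnits) }
        'Months' { $now.AddMonths($ca.ValidityPeriodUnits) }
        'Weeks'  { $now.AddDays(7 * $ca.ValidityPeriodUnits) }
        'Days'   { $now.AddDays($ca.ValidityPeriodUnits) }
        default  { throw "Unexpected ValidityPeriod value '$($ca.ValidityPeriod)'" }
    }

    # (a) the CA's own certificate. After a renewal the store holds several copies with
    # the same common name; the CA signs with the newest, so take the latest NotAfter.
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$($ca.CommonName)*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $caCert) { throw "CA certificate for '$($ca.CommonName)' not found in Cert:\LocalMachine\My" }

    # (c) template cap, supplied by the caller.
    $templateLimit = $now.AddDays($TemplateValidityDays)

    $limits = [ordered]@{
        'CA certificate expiry (a)'   = $caCert.NotAfter
        'Registry ValidityPeriod (b)' = $regLimit
        'Template validity (c)'       = $templateLimit
    }
    $binding = $limits.GetEnumerator() | Sort-Object Value | Select-Object -First 1
    [pscustomobject]@{
        CAName           = $ca.CommonName
        CACertNotAfter   = $caCert.NotAfter
        RegistryLimit    = $regLimit
        TemplateLimit    = $templateLimit
        NewCertsExpireBy = $binding.Value
        LimitingFactor   = $binding.Key
    }
}

Get-CaIssuanceLimit -TemplateValidityDays 730 | Format-List

# Once the limiting factor is fixed (a renewed CA certificate, a longer registry
# period), an expired leaf is enrolled afresh rather than renewed. On the VPN server,
# with an assumed enterprise template named 'VPNServer':
#   Get-Certificate -Template VPNServer -CertStoreLocation Cert:\LocalMachine\My
```

    If `LimitingFactor` comes back as the CA certificate, renewing the sub CA (and, as in the question, the root above it) is the prerequisite; re-enrolling the VPN certificate before that only reproduces the short-lived result. A renewed CA certificate also has to reach the clients' trust stores before the new leaf will validate for them.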

  3. Adam Lacey 1 Reputation point
    2021-06-14T11:20:15.133+00:00

    Hi, apologies, I had no notification of these replies apart from one notification from Daisy on Friday asking about the current situation.

    Unfortunately I'm no further forward and not entirely confident that it's set up correctly at all. My setup is (viewing with MMC on Server2):

    SVR01 (SBS 2011, has everything SBS-like, AD etc.; we want to decommission it eventually but have not got around to doing it):
    - Old VPN (Authentication Methods: EAP-MSCHAP v2, PEAP - SSTP), which we can still access if required; tested and still works
    - Holds the Templates
    - Certificate Authority: 105382-image.png
    - SVR01 Certificates (I'm sure I deleted the 2017 expired one before): 105412-image.png

    Server2 (Windows 2019, has AD and IKEv2 VPN):
    - VPN (Authentication Methods: EAP, MS-CHAP v2 and IKEv2). It has the VPN SSL Binding in the Personal Store that's in the bottom screenshot, 'IKEv2VPN'.
    - Certificate Authority: 105411-image.png
    - Server2 Certificates: 105315-image.png

    I hope this is ok and REALLY appreciate it.

    Kind regards Adam
  4. Anonymous
    2021-06-18T08:04:36.67+00:00

    Hello @Adam Lacey ,

    Thank you for your reply.

    Could you import the new VPN certificate to your laptop manually?

    Logon your laptop and open certlm.msc (if it is a machine VPN certificate, I mean this cert is issued to your machine) and import this VPN cert.
    106898-ma.png

    Logon your laptop and open certmgr.msc (if it is a user VPN certificate, I mean this cert is issued to your account) and import this VPN cert.
    106877-use.png

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  5. Adam Lacey 1 Reputation point
    2021-06-18T08:59:17.627+00:00

    Thanks @Anonymous, I really appreciate your assistance.

    On Server2 I exported "Local Computer" > "Personal" > "Certificates" > "VPNCERT" as a .PFX (Yes to private key; added the extra check for "Export all extended properties", in addition to the already checked "Include all certificates in the certification path if possible" and "Enable certificate privacy").

    Imported it as you showed into my laptop's "Local Computer" > "Personal" > "Certificates" and it still won't connect, as per:

    106995-image.png

    The cert on my local computer has the same thumbprint as the cert in the RAS "SSL Certificate Binding" for the VPN connection.

    What could not be matching?

    Kind regards
    Adam

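    Two practitioner notes on the export-and-import attempt above, followed by an added example that checks the client side. First, the RAS "SSL Certificate Binding" in the RRAS Security tab is the SSTP listener certificate; the certificate RRAS presents for IKEv2 is the one set with `Set-VpnAuthProtocol -CertificateAdvertised` (visible via `Get-VpnAuthProtocol`), or otherwise a machine certificate carrying both the Server Authentication and IP security IKE intermediate EKUs, so a matching thumbprint against the SSTP binding proves nothing about IKEv2. Second, a client that authenticates with EAP-MSCHAPv2 never needs the server's certificate, and importing a PFX with the server's private key onto a laptop puts that key on an endpoint where it does not belong; what the client needs is the (renewed) root in its Trusted Root store and a reachable chain. The script below is an added example (not the thread's or Microsoft's code) run on the laptop; the connection name 'Office IKEv2' and the root thumbprint are placeholders.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on the laptop.
# Checks what an EAP-MSCHAPv2 IKEv2 client actually depends on: the trusted root, the
# cached sub CA certificate, CRL reachability, and that no server private key has been
# imported into the client's Personal store.

function Get-HttpCrlUrls {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # CRL Distribution Points extension (OID 2.5.29.31); Format($true) renders 'URL=...' lines.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(http\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-IkeV2ClientTrust {
    param(
        [string]$ConnectionName = 'Office IKEv2',                               # assumed name
        [string]$RootThumbprint = '0000000000000000000000000000000000000000'    # placeholder
    )
    $conn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
    if (-not $conn) {
        $conn = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue
    }
    if (-not $conn) { throw "No VPN connection named '$ConnectionName'" }
    $findings = @()
    $findings += "Server $($conn.ServerAddress), tunnel $($conn.TunnelType), auth $($conn.AuthenticationMethod -join ',')"

    # 1. The root that signed the server's certificate must be in Trusted Root. After a
    #    root renewal with new keys the *new* root has to arrive here (AD publish plus
    #    gpupdate, or a manual import into Cert:\LocalMachine\Root).
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $RootThumbprint }
    if ($root) { $findings += "Root CA trusted: $($root.Subject) until $($root.NotAfter)" }
    else       { $findings += "MISSING: root $RootThumbprint is not in Cert:\LocalMachine\Root" }

    # 2. Sub CA certificates cached in Intermediate Certification Authorities. An expired
    #    copy beside a current one is harmless; an expired copy on its own means the
    #    renewed sub CA certificate has not reached this machine yet.
    $subCas = @()
    if ($root) {
        $subCas = @(Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Issuer -eq $root.Subject })
        foreach ($s in $subCas) {
            $state = if ($s.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'ok' }
            $findings += "Sub CA cached: $($s.Subject) until $($s.NotAfter) [$state]"
        }
        if (-not $subCas) { $findings += "No sub CA certificate under this root is cached on the client" }
    }

    # 3. CRL URLs on the current sub CA certificate should resolve from outside the
    #    office; a CA that publishes only to an internal DC is a common off-site failure.
    foreach ($s in ($subCas | Where-Object { $_.NotAfter -ge (Get-Date) })) {
        foreach ($url in (Get-HttpCrlUrls -Certificate $s)) {
            try {
                Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 | Out-Null
                $findings += "CRL reachable: $url"
            } catch {
                $findings += "CRL UNREACHABLE from here: $url"
            }
        }
    }

    # 4. With EAP-MSCHAPv2 the client needs no certificate of its own. A certificate
    #    with a private key that names the VPN server, sitting in the client's Personal
    #    store, is the server's key copied onto an endpoint and should be removed.
    $serverName = [regex]::Escape($conn.ServerAddress)
    $leaked = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.Subject -match $serverName -or $_.FriendlyName -match $serverName)
    }
    foreach ($l in $leaked) {
        $findings += "SERVER KEY ON CLIENT: $($l.Subject) ($($l.Thumbprint)) in Cert:\LocalMachine\My"
    }
    $findings
}

Test-IkeV2ClientTrust -ConnectionName 'Office IKEv2' -RootThumbprint '0000000000000000000000000000000000000000'
```

    The thumbprint to pass is that of the root certificate the server's chain now ends in, which the server-side chain walk earlier in the thread prints. If the root is reported missing, the fix is distributing that certificate (it reaches domain members automatically once published to AD and Group Policy has refreshed over a working connection), not copying the server's PFX around.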
