Install Certificates for VPN Connections
Updated: April 30, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
A certificate infrastructure is a requirement for VPN connections based on Layer Two Tunneling Protocol over Internet Protocol security (L2TP/IPsec), Secure Socket Tunneling Protocol (SSTP), or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). Certificates provide stronger authentication security than password-based authentication does.
To provide a certificate infrastructure for a VPN client that makes L2TP/IPsec or SSTP connections:
Install a certificate in the Local Computer certificate store on the VPN server.
Install a user certificate in the Current User certificate store of each client.
To provide a certificate infrastructure for user-level authentication with EAP-TLS:
Install a certificate on the authenticating server for the VPN server.
If you are not using smart cards, install a registry-based user certificate on each client.
If you are using smart cards, install a certificate on each smart card distributed to a VPN client user.
Before you can install a certificate, a certification authority (CA) must be present and reachable. For a computer in a Windows Server 2008 domain, you can use auto-enrollment or the Certificates snap-in to install a certificate. Alternatively, you can install a certificate by using a Web browser to connect the VPN client to the CA Web enrollment agent.
For more information, see Appendix A: Computer Certificates for VPN Connections in the Routing and Remote Access Design Guide.