Install Certificates for VPN Connections

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

A certificate infrastructure is a requirement for VPN connections based on Layer Two Tunneling Protocol over Internet Protocol security (L2TP/IPsec), Secure Socket Tunneling Protocol (SSTP), or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). Certificates provide stronger authentication security than password-based authentication does.

To provide a certificate infrastructure for a VPN client that makes L2TP/IPsec or SSTP connections:

1. Install a certificate in the Local Computer certificate store on the VPN server.

2. Install a user certificate in the Current User certificate store of each client.

To provide a certificate infrastructure for user-level authentication with EAP-TLS:

1. Install a certificate on the authenticating server for the VPN server.

2. If you are not using smart cards, install a registry-based user certificate on each client.

   -Or-

   If you are using smart cards, install a certificate on each smart card distributed to a VPN client user.

Before you can install a certificate, a certification authority (CA) must be present and reachable. For a computer in a Windows Server 2008 domain, you can use auto-enrollment or the Certificates snap-in to install a certificate. Alternatively, you can install a certificate by using a Web browser to connect the VPN client to the CA Web enrollment agent.

For more information, see Appendix A: Computer Certificates for VPN Connections in the Routing and Remote Access Design Guide.