Hi, this page has many issues and is confusing.
1) It references this command: certreq -attrib “CertificateTemplate:[Customer]VPNGateway” -submit VPNgateway.req VPNgateway.cer. However, nowhere do we build a template called [Customer]VPNGateway.
BTW, regardless of the above I was eventually able to get my certificates how and where I need them.
A note on the non-domain-joined RRAS server: you also need to first put the CA cert in the local computer Trusted Root Certification Authorities and Intermediate Certification Authorities stores before you can successfully run the certreq -accept command.
hi buzzywinter,
I am part-way through configuring Always on VPN and am unsure how to resolve this problem. I receive an error when I try to run the command "certreq -attrib “CertificateTemplate:[Customer]VPNGateway” -submit VPNgateway.req VPNgateway.cer"
Any ideas what steps are missing? I also have a RRAS server that's not joined to the domain that I'm trying to configure.
Hi shane-hca,
My first question is: is your certificate template actually named "[Customer]VPNGateway"? If not, use the name of the template you created further down on this page.
Because I ran into so many issues getting the certreq... command to work properly (it always erred), I ended up completely forgoing this documentation here and setting up my certificate template such that I could use the Certificates MMC (as the system on a domain-joined server) to request the certificate, filling in the appropriate information in the wizard to obtain the certificate (make sure to mark the private key as exportable). Then I would export it from the domain-joined system and import it into the RRAS server, marking the private key as non-exportable. Then I would remove my certificate template so it could not be used. (I know this reply is assuming a certain amount of knowledge of Microsoft Certificate Authority.)
@MihaiSP, can you take a look at this issue?
I'm sure you are by now past this issue, but I spun in circles around this for a couple of hours. If you are hitting the same wall, future Googlers, PRIOR to processing the certificate request with your CA, you must jump ahead in the instructions to "Create the VPN Server Authentication template". The name you give to THIS template you will replace "[Customer]VPNGateway" with. The instructions could be much more clear here. Once you get a certificate generated, you might as well also run this command:
certutil -ca.cert ca_server.crt
This will generate the certificate authority cert to allow your non-domain joined server to trust the CA, otherwise step 10 (certreq -accept VPNGateway.crt) will fail. Install the 'ca_server.crt' into the "Trusted Root Certificate Authorities" folder.
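The trust-then-accept sequence described in this thread for the non-domain-joined RRAS server, as an added PowerShell example (not from the original page or any commenter). The file names follow the thread; the thumbprint comparison and the chain pre-check are additions, and `$ExpectedThumbprint` is a placeholder for a value confirmed on the CA itself.

```powershell
# Added example: run elevated on the non-domain-joined RRAS server.
param(
    [string]$CaCertPath = '.\ca_server.crt',   # exported on the CA: certutil -ca.cert ca_server.crt
    [string]$IssuedCert = '.\VPNGateway.crt',  # response file from certreq -submit
    [string]$ExpectedThumbprint = '<CA-CERT-THUMBPRINT-CONFIRMED-ON-THE-CA>'  # placeholder
)
$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates'

# 1. Adding a root is a trust decision: compare the copied file against the
#    thumbprint read directly from the CA before importing it.
$ca = New-Object "$X509.X509Certificate2" (Resolve-Path $CaCertPath).Path
if ($ca.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
    throw "CA certificate thumbprint $($ca.Thumbprint) does not match the expected value."
}

# 2. A self-signed CA certificate belongs in Trusted Root; a subordinate CA's
#    certificate belongs in Intermediate (its root must then be imported too).
$storeName = if ($ca.Subject -eq $ca.Issuer) { 'Root' } else { 'CA' }
Import-Certificate -FilePath $CaCertPath `
    -CertStoreLocation "Cert:\LocalMachine\$storeName" | Out-Null

# 3. Confirm the issued certificate now chains to a trusted root in the
#    machine context, which is the condition certreq -accept depends on.
$leaf  = New-Object "$X509.X509Certificate2" (Resolve-Path $IssuedCert).Path
$chain = New-Object "$X509.X509Chain" $true   # $true = use machine context
[void]$chain.Build($leaf)
foreach ($s in $chain.ChainStatus) {
    Write-Warning "$($s.Status): $($s.StatusInformation.Trim())"
}
$blocking = $chain.ChainStatus |
    Where-Object { $_.Status -in 'UntrustedRoot', 'PartialChain' }
if ($blocking) {
    throw "Issued certificate does not chain to a trusted CA; not running certreq -accept."
}

# 4. Bind the response to the pending request's private key.
certreq -accept $IssuedCert
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE." }
```

Revocation warnings printed in step 3 are expected when the server cannot reach the CA's CRL distribution point; only an untrusted or incomplete chain stops the script.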