Confusing and inconsistent documentation and steps. #1425

Closed
buzzywinter opened this issue Aug 31, 2018 — with docs.microsoft.com · 8 comments

Hi, this page has many issues and is confusing.

  1. It references this command: `certreq -attrib "CertificateTemplate:[Customer]VPNGateway" -submit VPNgateway.req VPNgateway.cer`; however, nowhere do we build a template called [Customer]VPNGateway.
  2. VPN Server is used as a name for a server along with RRAS server. I believe they are used interchangeably but nowhere together in the same subsection.
  3. Other documentation in the deployment refers to the RRAS server being in the DMZ as a standalone server; however, the documentation here gives instructions for certificates in relation to it being a domain member. How do I add a server to an AD group that is not a member of the domain?
  4. Documentation is not clear and straightforward. It's almost as if it was written by several different people and not edited when it was glued together.


@ghost ghost self-assigned this Aug 31, 2018
Author

BTW, regardless of the above I was eventually able to get my certificates how and where I need them.

A note on the non-domain joined RRAS server, you also need to first put the CA cert in the local computer Trusted Root Certification Authorities and Intermediate Certification Authorities stores before you can successfully run the certreq -accept command.

@shane-hca

> BTW, regardless of the above I was eventually able to get my certificates how and where I need them.
>
> A note on the non-domain joined RRAS server, you also need to first put the CA cert in the local computer Trusted Root Certification Authorities and Intermediate Certification Authorities stores before you can successfully run the certreq -accept command.

Hi buzzywinter,

I am part-way through configuring Always on VPN and am unsure how to resolve this problem. I receive an error when I try to run the command `certreq -attrib "CertificateTemplate:[Customer]VPNGateway" -submit VPNgateway.req VPNgateway.cer`

Any ideas what steps are missing? I also have a RRAS server that's not joined to the domain that I'm trying to configure.

@buzzywinter
Author

> > BTW, regardless of the above I was eventually able to get my certificates how and where I need them.
> > A note on the non-domain joined RRAS server, you also need to first put the CA cert in the local computer Trusted Root Certification Authorities and Intermediate Certification Authorities stores before you can successfully run the certreq -accept command.
>
> Hi buzzywinter,
>
> I am part-way through configuring Always on VPN and am unsure how to resolve this problem. I receive an error when I try to run the command `certreq -attrib "CertificateTemplate:[Customer]VPNGateway" -submit VPNgateway.req VPNgateway.cer`
>
> Any ideas what steps are missing? I also have a RRAS server that's not joined to the domain that I'm trying to configure.

Hi shane-hca,

My first question is: is your certificate template actually named "[Customer]VPNGateway"? If not, use the name of the template you created lower down on this page.

Because I ran into so many issues getting the certreq... command to work properly (it always erred), I ended up completely forgoing this documentation here and setting up my certificate template such that I could use the Certificates MMC (as the system on a domain joined server) to request the certificate, filling in the appropriate information in the wizard to obtain the certificate (make sure to mark the private key as exportable). Then I would export it from the domain joined system and import it into the RRAS server, marking the private key as non-exportable. Then I would remove my certificate template so it could not be used. (I know this reply is assuming a certain amount of knowledge of Microsoft Certificate Authority.)

@ghost

ghost commented Oct 22, 2018

@MihaiSP, can you take a look at this issue?

@ghost ghost added the in progress label Oct 22, 2018
@tim-shane

> > BTW, regardless of the above I was eventually able to get my certificates how and where I need them.
> > A note on the non-domain joined RRAS server, you also need to first put the CA cert in the local computer Trusted Root Certification Authorities and Intermediate Certification Authorities stores before you can successfully run the certreq -accept command.
>
> Hi buzzywinter,
>
> I am part-way through configuring Always on VPN and am unsure how to resolve this problem. I receive an error when I try to run the command `certreq -attrib "CertificateTemplate:[Customer]VPNGateway" -submit VPNgateway.req VPNgateway.cer`
>
> Any ideas what steps are missing? I also have a RRAS server that's not joined to the domain that I'm trying to configure.

I'm sure you are by now past this issue, but I spun in circles around this for a couple of hours. If you are hitting the same wall, future Googlers, PRIOR to processing the certificate request with your CA, you must jump ahead in the instructions to "Create the VPN Server Authentication template". The name you give to THIS template you will replace "[Customer]VPNGateway" with. The instructions could be much more clear here. Once you get a certificate generated, you might as well also run this command:

`certutil -ca.cert ca_server.crt`

This will generate the certificate authority cert to allow your non-domain joined server to trust the CA, otherwise step 10 (`certreq -accept VPNGateway.crt`) will fail. Install the 'ca_server.crt' into the "Trusted Root Certificate Authorities" folder.
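
The order of operations described in the comments above (trust the CA first, then accept the issued certificate), written out as a pre-flight check for the non-domain-joined RRAS server. This is an added example, not part of the original thread or of Microsoft's documentation; the file names and the thumbprint placeholder are assumptions, and the CA certificate's thumbprint is expected to be read from the CA itself and passed along separately from the file.

```powershell
# Run in an elevated PowerShell session on the non-domain-joined RRAS server.
# Assumed inputs, copied over from the CA side:
#   ca_server.crt  - output of `certutil -ca.cert ca_server.crt`
#   VPNgateway.cer - output of `certreq ... -submit VPNgateway.req VPNgateway.cer`
$caFile     = '.\ca_server.crt'
$issuedFile = '.\VPNgateway.cer'

# Placeholder (assumption): thumbprint of the CA certificate as shown on the CA.
$expectedCaThumbprint = '<CA-CERT-THUMBPRINT>'

$x509 = 'System.Security.Cryptography.X509Certificates'
$ca   = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $caFile).Path

# Adding a certificate to a machine trust store is a trust decision:
# refuse unless the file is the certificate we expect.
if ($ca.Thumbprint -ne $expectedCaThumbprint) {
    throw "CA certificate thumbprint $($ca.Thumbprint) does not match the expected value."
}

# A self-signed CA certificate is a root; anything else is an intermediate.
$store = if ($ca.Subject -eq $ca.Issuer) { 'Cert:\LocalMachine\Root' }
         else                            { 'Cert:\LocalMachine\CA' }
Import-Certificate -FilePath $caFile -CertStoreLocation $store | Out-Null

# Build the chain for the issued certificate against the machine stores.
# Revocation is skipped for this pre-flight only (assumption: the DMZ host
# may not be able to reach the CA's CRL distribution point).
$issued = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $issuedFile).Path
$chain  = New-Object "$x509.X509Chain" -ArgumentList $true   # $true = machine context
$chain.ChainPolicy.RevocationMode = 'NoCheck'

if (-not $chain.Build($issued)) {
    foreach ($s in $chain.ChainStatus) {
        Write-Warning "$($s.Status): $($s.StatusInformation.Trim())"
    }
    throw 'Issued certificate does not chain to a trusted root on this machine.'
}

# The chain builds, so the accept step has the trust anchor it needs.
certreq -accept $issuedFile
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
```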

@tim-shane tim-shane unassigned ghost Feb 21, 2019
@steved0x steved0x reopened this Oct 28, 2020
@wdkbot wdkbot assigned ghost Oct 28, 2020
eross-msft pushed a commit that referenced this issue Oct 29, 2020
@ghost ghost removed their assignment Nov 12, 2020
@mark-royds

Fully 3 years after this issue was first raised, the documentation is still a complete dog's dinner.
It would almost make more sense to follow the provided instructions in reverse order.

Whoever "owns" this page should be ashamed of themself.

@IngridAtMicrosoft
Collaborator

#label:"doc-bug"

@IngridAtMicrosoft
Collaborator

#please-close
