DirectAccess and Always On VPN with Trusted Platform Module (TPM) Certificates

To enhance security when provisioning certificates for DirectAccess (computer) or Windows 10 Always On VPN (user) it is recommended that private keys be stored on a Trusted Platform Module (TPM) on the client device. A TPM is a dedicated security processor included in nearly all modern computers. It provides essential hardware protection to ensure the highest levels of integrity for digital certificates and is used to generate, store, and restrict the use of cryptographic keys. It also includes advanced security and protection features such as key isolation, non-exportability, and anti-hammering to prevent brute-force attacks.

To ensure that private keys are created and stored on a TPM, the certificate template must be configured to use the Microsoft Platform Crypto Provider. Follow the steps below to configure a certificate template required to use a TPM.

  1. Open the Certificate Templates management console (certtmpl.msc) and duplicate an existing certificate template. For example, if creating a certificate for DirectAccess, duplicate the Workstation Authentication certificate template. For Always On VPN, duplicate the User certificate template.
  2. On the Compatibility tab, ensure the Certification Authority and Certificate recipient compatibility settings are set to a minimum of Windows Server 2008 and Windows Vista/Server 2008, respectively.
  3. Select the Cryptography tab.
  4. Choose Key Storage Provider from the Provider Category drop down list.
  5. Choose the option Requests must use one of the following providers and select Microsoft Platform Crypto Provider.

Note: If Microsoft Platform Crypto Provider does not appear in the list above, go to the Request Handling tab and uncheck the option Allow private key to be exported.

Complete the remaining certificate configuration tasks (template display name, subject name, security settings, etc.) and publish the certificate template. Client machines configured to use this template will now have a certificate with a private key fully protected by the TPM.
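As an added example (not code from the original post), the following PowerShell audit lists every certificate with a private key in the machine and user personal stores and reports which key storage provider holds it, so a client enrolled from this template can be checked for a TPM-bound, non-exportable key. The function and variable names are my own.

```powershell
# Added example, not code from the original post. Reports the key storage
# provider holding each private key so you can confirm certificates issued
# from the template above are TPM-bound. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows 10 or later.

$TpmProvider = 'Microsoft Platform Crypto Provider'   # the TPM KSP named in the template

function Get-PrivateKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $result = [ordered]@{ Provider = $null; ExportPolicy = $null }
    if (-not $Certificate.HasPrivateKey) { return [pscustomobject]$result }

    try {
        # Use the extension method: X509Certificate2.PrivateKey is $null for CNG keys
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: the CngKey knows which KSP holds it and whether it may be exported
            $result.Provider     = $rsa.Key.Provider.Provider
            $result.ExportPolicy = $rsa.Key.ExportPolicy
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key held by a CSP, which is never the TPM KSP
            $result.Provider     = $rsa.CspKeyContainerInfo.ProviderName
            $result.ExportPolicy = if ($rsa.CspKeyContainerInfo.Exportable) { 'AllowExport' } else { 'None' }
        } elseif ($null -eq $rsa) {
            $result.Provider = 'non-RSA key (not checked here)'
        }
    } catch [System.Security.Cryptography.CryptographicException] {
        # Typically the caller lacks permission to open a machine key
        $result.Provider = "inaccessible: $($_.Exception.Message)"
    }
    return [pscustomobject]$result
}

'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My' | ForEach-Object {
    $store = $_
    Get-ChildItem -Path $store | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $info = Get-PrivateKeyInfo -Certificate $_
        [pscustomobject]@{
            Store        = $store
            Subject      = $_.Subject
            Thumbprint   = $_.Thumbprint
            Provider     = $info.Provider
            ExportPolicy = $info.ExportPolicy
            TpmBacked    = ($info.Provider -eq $TpmProvider)
        }
    }
} | Format-Table -AutoSize
```

Run it elevated to read machine keys; a certificate whose Provider column is anything other than Microsoft Platform Crypto Provider was not enrolled with a TPM-protected key, whatever template it claims.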

Additional Resources

Trusted Platform Module (TPM) Fundamentals

DirectAccess and Always On VPN Certificate Auto Enrollment


25 Comments

  1. Jamie Holmes

     /  March 12, 2018

    For extra assurance, you can also enable Key Attestation using either Endorsement Certificate or Endorsement Key mode.
    This is to verify that the certificate is definitely being issued to a TPM, and not a crypto provider that’s simply been renamed!

    • Thanks for the tip, Jamie! I’ll be authoring a post on that topic hopefully soon. 🙂

      • Eric Yew

         /  June 13, 2018

        Any update on when this post will be available? Thanks!

      • It’s still on my list, just haven’t gotten to it yet. Here are some details from Microsoft – https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation.

        Enjoy!

      • Eric Yew

         /  June 17, 2018

        Yes, have tried it but unfortunately it’s not as easy as the document states. I configured as per documentation utilising “Trust based on user credential” and the VPN will never connect. The moment I disable TPM attestation and reissue the cert, it works. Any help or directions would be greatly appreciated. Thanks.

      • Sorry to hear that. This is not a common requirement in my experience, so it’s not a high priority at the moment. However, I’ll try do some validation testing when time permits and let you know what I find.

  2. Hello Richard,

    does the Always On VPN device tunnel work with a TPM module for device authentication?

  3. Matt

     /  December 10, 2018

    Does anyone have Key Attestation working with AOVPN yet?

  4. Volker

     /  August 29, 2019

    How can I enforce that only TPM certificates are accepted by the vpn Server?

    • You can really configure the VPN server to only accept certificates with private keys stored on a TPM. What you can do is ensure that clients can only use a TPM with this certificate template (as outlined in this post). You can take additional steps to increase assurance that key material is generated and stored on a TPM by using key attestation as well.

  5. Can this also be done with a Machine or computer certificate?

  6. Hello Richard
    Does Microsoft Platform Crypto Provider support ECDSA type algorithms? Because I don’t see the Microsoft Platform Crypto Provider when I select ECDSA.
    Does this mean that the ECDSA private key cannot be protected via the TPM chip?

    Thank you

    Patrick

    • It does not. If you want to use TPM (recommended) then you must use RSA client authentication certificates. You can still use ECDSA for IPsec though.

      • RE: It does not. If you want to use TPM (recommended) then you must use RSA client authentication certificates. You can still use ECDSA for IPsec though.

        I have tried and tried to get this working – can you point me in the right direction for this? I have put an ECC cert on the RRAS server and an RSA cert on the NPS server, or just an RSA cert on the client, or both RSA and ECC on the client, or almost every combo of the above. I can’t see a way to have an ECC cert for encryption and RSA for authentication. Any help whatsoever would be fantastic. Martin

      • I do this all the time and it works perfectly. 🙂 The only EC certificate that’s required is the certificate on the VPN server. You’ll use RSA certificates on the NPS server and for client authentication (user certificate). If you can’t get it working, reach out to me directly and I’ll provide you with more information.

      • Martin

         /  July 31, 2021

        Ok. I will give this a go, does it work for device tunnel as well?

      • Absolutely. 🙂

  7. Greg

     /  December 17, 2020

    Are there any requirements on the device? E.g. TPM 2.0 or Secure Boot?

  1. Always On VPN Certificate Requirements for IKEv2 | Richard M. Hicks Consulting, Inc.

