In the near future some users will receive Macs, and the plan is to deploy IKEv2 to support the Mac clients. The clients will use the same external host name to connect to the RRAS/VPN server.
The current certificate only has the EKU 'server authentication'; the certificate for IKEv2 also requires the EKU 'IP security IKE intermediate'. This means I have to deploy a new certificate, so I'll end up with 2 certificates with the same common name (remote.contoso.com).
I assume this won't be a problem because the EKU is checked to determine which certificate to use?
TechNet:
For a certificate to be used to authenticate an IKEv2 connection, then the certificate must specify an EKU field that includes Server Authentication. If there is more than one server authentication certificate, then additionally include the IP security IKE intermediate EKU. Only one certificate should have both EKU options, otherwise IPsec cannot determine which certificate to use, and might not pick the certificate you intended.
- Edited by bruun 20 hours 7 minutes ago
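
The check the TechNet passage implies, as an added example that is not part of the original post: list the certificates in the server's computer Personal store and report which carry the Server Authentication and IP security IKE intermediate EKUs, so you can confirm that exactly one certificate has both. It assumes it is run in an elevated PowerShell session on the RRAS server and that the VPN certificates live in `Cert:\LocalMachine\My`; the function name `Get-EkuOids` is made up for this example.

```powershell
# Added example: audit EKUs on the candidate IKEv2 server certificates.
# Assumption: certificates are in the computer Personal store (LocalMachine\My).
$ServerAuth      = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$IkeIntermediate = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate

function Get-EkuOids {
    # Hypothetical helper: returns the EKU OIDs of a certificate (empty if none).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

# Only unexpired certificates with a private key can be used by the server.
$now = Get-Date
$report = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt $now } |
    ForEach-Object {
        $ekus = @(Get-EkuOids $_)
        [pscustomobject]@{
            Subject         = $_.Subject
            Thumbprint      = $_.Thumbprint
            NotAfter        = $_.NotAfter
            ServerAuth      = $ekus -contains $ServerAuth
            IkeIntermediate = $ekus -contains $IkeIntermediate
        }
    }

$report | Format-Table -AutoSize

# Per the TechNet text: only one certificate should have both EKUs.
$serverAuthCerts = @($report | Where-Object { $_.ServerAuth })
$both            = @($report | Where-Object { $_.ServerAuth -and $_.IkeIntermediate })

if ($both.Count -eq 1) {
    Write-Output "OK: one certificate has both EKUs: $($both[0].Thumbprint)"
} elseif ($both.Count -gt 1) {
    Write-Warning "$($both.Count) certificates have both EKUs; the IPsec selection is ambiguous."
} elseif ($serverAuthCerts.Count -gt 1) {
    Write-Warning "Several Server Authentication certificates exist but none has the IKE intermediate EKU."
} else {
    Write-Output "No certificate has both EKUs; $($serverAuthCerts.Count) Server Authentication certificate(s) found."
}
```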