I am tasked with an immediate need to configure a Windows server that can serve as a CA, such that I can use it to generate certificates that can be deployed to VPN-enabled computers by Group Policy to serve as a second means of authentication on top of a username and password.
My Cisco AnyConnect VPN is served up from a Cisco ASA 5515 firewall with the latest and greatest firmware (9.2(2)8). I installed an SSL certificate from GoDaddy so that the ASA is identified as a trusted VPN connection. But I'm under the impression that VPN clients need a certificate on the native machine in order to provide a second form of authentication, and that the SSL certificate on the ASA identifying it as a trusted VPN connection does not actually serve as a valid 'factor' in multi-factor authentication terms.
In the end, my VPN connection needs a second factor of authentication on top of the first factor (RADIUS). I'm, again, under the impression I need to go down the road of an internal server as a CA. However, I have done zero work with certificates and certificate servers in this capacity and it's all new to me. Given that I have the GoDaddy SSL cert on the ASA, I wonder if there is a way to leverage that.
Reading up on it, I'm finding myself questioning whether I need a standalone CA or an enterprise CA, whether I can install it on a domain controller or whether it should be installed on a member server, and how the certificate generation and deployment process to VPN clients (Group Policy) all comes together.
Hopefully, having described my situation, what I'm working with, what I need to accomplish in some form or another, and what I'm specifically trying to vet out will help someone provide me some direction.