An important decision regarding these certificates is whether to issue them from your own internal certificate authority (CA) server or to purchase them from an external provider such as Verisign or Thawte. We discussed some of the differences earlier in this chapter, and also in Chapter 2, Planning a Unified Remote Access Deployment, but if you're not sure yet, here are the considerations again, briefly:
All the certificates can be issued by an internal CA, which saves money but may complicate things, as you need to make sure the CRL is published and accessible to the clients for all the certificates
If publishing the CRL is difficult or impossible for your organization, you can use a third-party provider for the IP-HTTPS connection, which makes things a bit simpler
The IPsec certificates (both for the URA server and clients) need to be issued by your internal CA, and there's no getting around that
With most deployments that require...