SSTP Certificate Trust **Client Cert already installed**

    General discussion

    Good day everyone,

    I am trying to configure SSTP for a VPN server that is already in production. Initially I created a self-signed certificate in IIS and named it the same as the server, so "CN=server.domain.local", to test it before actually using the CN that external users use to connect.

    Once the certificate was created I mapped it to my tcp ssl listening ports

    netsh http add sslcert ipport=0.0.0.0:443 certhash=XXX appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

    netsh http add sslcert ipport=[::]:443 certhash=XXX appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

    ** After restarting RRAS the ports are mapped correctly **

    >netsh http show sslcert

    SSL Certificate bindings:
    -------------------------

        IP:port                 : 0.0.0.0:443
        Certificate Hash        : YYYYYYY
        Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
        Certificate Store Name  : MY
        Verify Client Certificate Revocation    : Enabled
        Verify Revocation Using Cached Client Certificate Only    : Disabled
        Usage Check    : Enabled
        Revocation Freshness Time : 0
        URL Retrieval Timeout   : 0
        Ctl Identifier          :
        Ctl Store Name          :
        DS Mapper Usage    : Disabled
        Negotiate Client Certificate    : Disabled

        IP:port                 : [::]:443
        Certificate Hash        : YYYYYYY
        Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
        Certificate Store Name  : MY
        Verify Client Certificate Revocation    : Enabled
        Verify Revocation Using Cached Client Certificate Only    : Disabled
        Usage Check    : Enabled
        Revocation Freshness Time : 0
        URL Retrieval Timeout   : 0
        Ctl Identifier          :
        Ctl Store Name          :
        DS Mapper Usage    : Disabled
        Negotiate Client Certificate    : Disabled

    I installed the same certificate on a client machine in the "Trusted Root Certificate Authorities" and confirmed this by navigating to the server using https that matches the CN in the certificate.

    https://server.domain.local/

    This shows the certificate as being trusted. 

    I configured my VPN client to use SSTP instead of PPTP and tried to connect to the server but I get this error.

    Error Description: 0x800B0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

    LINK: http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx

    I know the certificate is installed correctly on the client computer so I am fairly lost as to what to do next. When connecting to the same server using PPTP everything works smoothly.

    I used this guide as my walkthrough:
    http://blogs.technet.com/b/rrasblog/archive/2007/10/04/how-to-change-the-machine-certificate-of-sstp-based-rras-server.aspx

    noncentz

    • Changed type Tiger Li Tuesday, February 21, 2012 1:34 AM
    Wednesday, February 15, 2012 5:48 PM
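A client-side check for the symptom in this post, added here as an example (it is not from the original thread or from Microsoft): it pulls the certificate the SSTP listener actually presents, builds the chain the way Windows does, and reports which Root stores hold that certificate, so an UntrustedRoot status (the condition behind 0x800B0109, CERT_E_UNTRUSTEDROOT) can be traced to a specific store. It assumes the server name server.domain.local and port 443 from the post.

```powershell
# Added diagnostic, not code from the original post. Assumes the SSTP listener is
# server.domain.local:443 as in the thread; change the two values below to match.
$Server = 'server.domain.local'
$Port   = 443

# 1. Fetch the leaf certificate the listener presents. The validation callback
#    always returns $true so we still get the cert even when it is not trusted.
$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
try {
    $ssl.AuthenticateAsClient($Server)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $ssl.RemoteCertificate
} finally {
    $ssl.Dispose(); $tcp.Close()
}
"Listener presented : {0}" -f $leaf.Subject
"Thumbprint         : {0}" -f $leaf.Thumbprint   # compare with 'netsh http show sslcert'

# 2. Build the chain as the OS would, with online revocation checking, since the
#    netsh binding in the post shows client certificate revocation verification enabled.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$built = $chain.Build($leaf)
"Chain builds       : {0}" -f $built
foreach ($s in $chain.ChainStatus) {
    # UntrustedRoot here is the same condition the VPN client reports as 0x800B0109.
    "  status          : {0} - {1}" -f $s.Status, $s.StatusInformation.Trim()
}

# 3. Which Root stores hold this exact certificate? A VPN client service validates
#    against the Local Computer store, not the current user's, so check both.
foreach ($loc in 'LocalMachine', 'CurrentUser') {
    $hit = Get-ChildItem "Cert:\$loc\Root" |
           Where-Object { $_.Thumbprint -eq $leaf.Thumbprint }
    "Present in Cert:\{0}\Root : {1}" -f $loc, [bool]$hit
}
```

Run it on the client that fails to connect; if the thumbprint the listener presents differs from the one in the Trusted Root store, the binding and the installed copy are not the same certificate.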
