9

I am trying to create an SSTP VPN on my Windows Server 2008 R2. I installed the Network Policies and Access Service and the AD Certificate Authority service.

I created my root certificate and generated a server authentication certificate (named with the FQDN of the server), validated it and installed it on the server. I also installed the CA certificate on the client that I need to connect from, but when I try to connect, I get this error:

Could not build a certificate chain for CA certificate 0 for xxx.netyxia.net-DC-CA. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487).

(xxx.netyxia.net is the (altered) hostname.) The certificate is deployed on both the server and the client. I've searched for hours... and nothing :(

Any idea, please?

Thank you

Kedare

2 Answers

11

It sounds like you've installed the certificate in the wrong store; you should try manually putting it in Trusted Root Certificate Authorities on the client machine.

Take these steps on the client machine: MMC > Add 'Certificates' snap-in for local computer > Trusted Root Certificate Authorities > Import the certificate here.

Will
  • I've checked this, but it's already installed. But does the certificate need to use the DNS name that is used, or the "real" machine name? How does the client know which certificate to use? Because I haven't configured anything to tell the VPN server/client to use this specific certificate – Kedare Sep 26 '10 at 14:53
  • Okay, I've found that I had to define the certificate in the VPN properties, thank you – Kedare Sep 26 '10 at 15:57
  • 2
    also make sure the SSL listener in RRAS is configured to point to the SSL certificate you want to use to secure the VPN –  Nov 26 '10 at 13:41
  • 2
    Make sure to install this certificate on the *local computer* storage, not for just user session. – eRIZ Aug 28 '15 at 19:39
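Added example, not code from the answer or comments above: a PowerShell script for the client that imports the issuing CA certificate into the Local Computer Trusted Root store (the store the SSTP service actually consults), reports whether the certificate landed in the machine or the user store, builds the server certificate's chain in the machine context the way the SSTP client does, and checks that the name the client dials appears on the server certificate (the question raised in the comments). The file paths and the hostname are assumptions; substitute your own. Run it from an elevated prompt.

```powershell
# Added example (not from the answer above). Assumed inputs: exported CA cert,
# exported server-auth cert, and the hostname the VPN client will dial.
param(
    [string]$CaCertPath     = 'C:\certs\netyxia-DC-CA.cer',   # assumed path to the CA certificate
    [string]$ServerCertPath = 'C:\certs\vpn-server.cer',      # assumed path to the SSTP server certificate
    [string]$VpnHostname    = 'vpn.example.com'               # assumed name configured in the VPN connection
)

$x509 = 'System.Security.Cryptography.X509Certificates'

# 1. Import the CA certificate into the machine-wide Root store, not the user's.
#    Import-Certificate ships with the PKI module on Windows 8 / Server 2012 and later;
#    on older clients the equivalent is:  certutil -addstore -f Root $CaCertPath
Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Show which Root store(s) contain it, to catch the "imported into the user store" mistake.
$ca = New-Object "$x509.X509Certificate2" $CaCertPath
foreach ($loc in 'LocalMachine', 'CurrentUser') {
    $hit = Get-ChildItem "Cert:\$loc\Root" | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
    '{0,-12} Root store: {1}' -f $loc, $(if ($hit) { 'present' } else { 'absent' })
}

# 3. Build the server certificate's chain in the machine context (what a service sees).
#    Revocation is skipped here so that only the trust path is tested.
$srv   = New-Object "$x509.X509Certificate2" $ServerCertPath
$chain = New-Object "$x509.X509Chain" -ArgumentList $true
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$ok = $chain.Build($srv)
"Chain builds to a trusted root: $ok"
if (-not $ok) {
    # UntrustedRoot here means the CA cert is still not in LocalMachine\Root.
    $chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}

# 4. Check the dialed hostname against the certificate's DNS names (SAN first, then subject CN).
$names  = @()
$sanExt = $srv.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
if ($sanExt) {
    $names += ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
}
$names += $srv.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$names = $names | Where-Object { $_ } | Select-Object -Unique
"Names on the server certificate: $($names -join ', ')"
"Matches dialed hostname '$VpnHostname': $($names -contains $VpnHostname)"
```

If step 3 succeeds but step 4 prints `False`, the trust problem is solved and the remaining mismatch is the one the comments describe: the VPN connection must dial a name that is on the certificate, and the RRAS SSL listener must be bound to that same certificate.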
0

If you are using a self-signed certificate on a Windows Server, you may need the certificate bound to the VPN host address itself and one from the server itself that has issued this certificate. I have just set up an SSTP VPN on Windows 2012R2 Essentials and at the client end, I had to do two things:

  1. Install the VPN certificate (e.g. my.vpn.hostname.com) AND the Windows server CA certificate that signed it. Both of these needed to be installed in the Local Computer account (NOT the user section) of the client in the Trusted Root Certificate Authorities section. This gives you the chain - the Windows Server CA that signed this certificate is trusted and the VPN certificate is trusted. You can normally get your Server CA cert from the Windows Active Directory cert server e.g. my.domain/certsvr, or just export it.

  2. As it's self-signed, you will likely get an error (I did...) re the client being unable to check for revocation. Go to RegEdit and add a new DWORD called NoCertRevocationCheck in Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters and set this to 1 (i.e. true, don't check to see if the cert has been revoked).

Ideally you would use a cert issued by a proper CA to avoid any issues over revocation servers being available. Re the certificates themselves, this article goes into detail about the security aspects:

https://directaccess.richardhicks.com/2018/07/16/always-on-vpn-ssl-certificate-requirements-for-sstp/

ChumKui
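Added example, not code from the answer above: a client-side PowerShell script that separates a revocation failure from a trust failure before anyone touches the registry. It builds the server certificate's chain twice in the machine context, once with revocation checking off and once online, prints the CRL distribution point the certificate advertises, and then reads the SstpSvc `NoCertRevocationCheck` value the answer describes. The path to the exported server certificate is an assumption; the registry key and value name come from the answer.

```powershell
# Added example (not from the answer above). Assumed input: the exported SSTP server certificate.
param([string]$ServerCertPath = 'C:\certs\vpn-server.cer')   # assumed path

$x509 = 'System.Security.Cryptography.X509Certificates'
$srv  = New-Object "$x509.X509Certificate2" $ServerCertPath

function Test-Chain {
    param([System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode)
    $chain = New-Object "$x509.X509Chain" -ArgumentList $true      # machine context, like the SSTP service
    $chain.ChainPolicy.RevocationMode = $Mode
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $built = $chain.Build($srv)
    [pscustomobject]@{
        RevocationMode = $Mode
        Builds         = $built
        Status         = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# 1. Trust path only. If this fails, the fix is the Root store (answer step 1), not the registry.
Test-Chain -Mode NoCheck | Format-List

# 2. Trust path plus online revocation, which is what fails when the CRL cannot be fetched.
#    RevocationStatusUnknown / OfflineRevocation here, with step 1 succeeding, is the case the answer describes.
Test-Chain -Mode Online | Format-List

# Where the certificate says its CRL lives; a self-signed or lab CA often publishes none or an unreachable one.
$cdp = $srv.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
if ($cdp) { "CRL distribution points:`n" + $cdp.Format($true) } else { 'Certificate carries no CRL distribution point' }

# 3. The SstpSvc switch from answer step 2: read it so the current state is visible.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$cur = (Get-ItemProperty -Path $key -Name NoCertRevocationCheck -ErrorAction SilentlyContinue).NoCertRevocationCheck
"NoCertRevocationCheck currently: $(if ($null -eq $cur) { 'not set (revocation is checked)' } else { $cur })"

# Setting it is left commented out: only apply it when step 1 passes, step 2 fails solely on
# revocation status, and the CA cannot publish a reachable CRL.
# New-ItemProperty -Path $key -Name NoCertRevocationCheck -PropertyType DWord -Value 1 -Force | Out-Null
```

Keeping the two chain builds separate is the point of the script: a chain that fails in `NoCheck` mode is a trust problem that the registry value cannot fix, while a chain that passes in `NoCheck` and fails only in `Online` mode is the revocation case, for which publishing a reachable CRL (or using a CA that does, as the answer suggests) is the durable fix and the registry value a stopgap.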