I am trying to create an SSTP VPN on my Windows Server 2008 R2. I installed the Network Policy and Access Services role and the AD Certificate Authority service.
I created my root certificate and generated a Server Authentication certificate (named with the FQDN of the server), validated it and installed it on the server. I also installed the CA certificate on the client that I need to connect from, but when I try to connect, I get this error:
Could not build a certificate chain for CA certificate 0 for xxx.netyxia.net-DC-CA. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487).
(xxx.netyxia.net is the (altered) hostname.) The certificate is deployed on both the server and the client. I've searched for hours... and nothing :(
Any idea, please?
Thank you
It sounds like you've installed the certificate in the wrong store; you should try manually putting it in Trusted Root Certificate Authorities on the client machine. Take these steps on the client machine: MMC > Add 'Certificates' snap-in for local computer > Trusted Root Certificate Authorities > Import the certificate here.
If you are using a self-signed certificate on a Windows Server, you may need the certificate bound to the VPN host address itself and one from the server itself that has issued this certificate. I have just set up an SSTP VPN on Windows 2012 R2 Essentials and at the client end, I had to do two things:
Install the VPN certificate (e.g. my.vpn.hostname.com) AND the Windows Server CA certificate that signed it. Both of these needed to be installed in the Local Computer account (NOT the user section) of the client in the Trusted Root Certificate Authorities section. This gives you the chain - the Windows Server CA that signed this certificate is trusted and the VPN certificate is trusted. You can normally get your Server CA cert from the Windows Active Directory cert server, e.g. my.domain/certsvr, or just export it.
As it's self-signed, you will likely get an error (I did...) re the client being unable to check for revocation. Go to RegEdit and add a new DWORD value called NoCertRevocationCheck under the key Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters and set it to 1 (i.e. true: don't check whether the cert has been revoked).
Ideally you would use a cert issued by a proper CA to avoid any issues over revocation servers being available. Re the certificates themselves, this article goes into detail about the security aspects:
https://directaccess.richardhicks.com/2018/07/16/always-on-vpn-ssl-certificate-requirements-for-sstp/
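An added PowerShell check, not from either answer above, that tells apart the two client-side failures discussed in this thread (the untrusted root behind the question's 0x800b0109 error, and the revocation check that the second answer's registry value disables) and applies the matching fix from the answers. It assumes an elevated prompt on a Windows 8 / Server 2012 or later client (for Import-Certificate), and the CA file path, VPN host name and port are placeholders.

```powershell
# Added example, not from either answer above. Placeholders to adjust:
$CaCertPath = 'C:\temp\vpn-ca.cer'   # the exported Windows Server CA certificate
$VpnHost    = 'vpn.example.com'      # the FQDN the SSTP client connects to
$Port       = 443                    # SSTP listens on TCP 443

# 1. Import the CA certificate into the Local Computer (not Current User)
#    Trusted Root store, which is the store both answers point at.
Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Fetch the certificate the SSTP endpoint actually presents over TLS.
#    The callback returns $true so the handshake completes even when the
#    chain is broken; the chain is evaluated separately in step 3.
$tcp = New-Object System.Net.Sockets.TcpClient($VpnHost, $Port)
$cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($VpnHost)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

# 3. Build the chain the way the SSTP service does: machine context, with an
#    online revocation check (root excluded, since roots are never revoked).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$built = $chain.Build($serverCert)

"Server cert subject : $($serverCert.Subject)"
"Server cert DNS name: $($serverCert.GetNameInfo('DnsName', $false))   (must match $VpnHost)"
"Chain builds cleanly: $built"
foreach ($s in $chain.ChainStatus) {
    "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}
$status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

# UntrustedRoot is the 0x800b0109 (CERT_E_UNTRUSTEDROOT) case from the question:
# the CA cert is still missing from LocalMachine\Root (e.g. it went into the user store).
if ($status -contains 'UntrustedRoot') {
    "-> Root not trusted: re-check that the CA cert is in Cert:\LocalMachine\Root."
}
# RevocationStatusUnknown / OfflineRevocation is the self-signed CA case from the
# second answer (no reachable CRL); that answer's registry value makes SstpSvc
# skip the revocation check.
elseif ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation') {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
    New-ItemProperty -Path $key -Name 'NoCertRevocationCheck' -PropertyType DWord -Value 1 -Force | Out-Null
    "-> SstpSvc revocation check disabled; reconnect the VPN and retry."
}
```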