I have been trying to set up an SSTP VPN to my SBS 2011 server and have been battling certificate issues the whole way. I've been able to generate a new certificate for my external VPN address, import it into my client machine, and add my server as a Trusted Certification Authority. Now I get the error:
Error 0x80092013: The revocation function was unable to check revocation because the revocation server was offline.
When I checked the CRL distribution points on the certificate I saw that the only URLs were to my internal address, so I added another one that points to my external address (leaving the original internal URLs intact). I generated a new certificate, deleted the existing one from my client and imported the new one, restarted RRAS, and verified that SSTP was using my new certificate, but I am still getting the same error.
When I view the details of the certificate that I imported I see that the new external CDP appears in the list (something to the effect of http://mydomain.com/CertEnroll/MYSERVER-CA.crl). When I put that into a web browser I get a message saying the CRL import was successful, which lets me know that the URL is accessible from the outside and is online.
I feel like this is the last stop between me and a secured VPN, what am I missing here?
The issue was that I was unable to access the Delta CRL file through IIS 7. This was due to the '+' sign in the file name MYSERVER-CA+.crl. By default IIS 7 sets the property allowDoubleEscaping to False, and this must be enabled so that IIS can serve up this file.
In IIS7, I went into the Default Website, navigated to the CertEnroll virtual directory and enabled the property in the configuration editor. Below is a link to set this through a command line:
http://blogs.technet.com/b/lrobins/archive/2008/12/29/publishing-delta-crls-on-iis-7.aspx
Once I did this my issue was finally resolved!
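A scripted version of the fix described in the answer above, added here as an example and not taken from the original post or the linked article. It assumes the CertEnroll virtual directory sits under "Default Web Site", that the WebAdministration module is available on the server, and that http://mydomain.com/CertEnroll/MYSERVER-CA.crl is the external CDP URL from the certificate (replace it with your own).

```powershell
# Added example: enable allowDoubleEscaping only for the CertEnroll virtual
# directory and then confirm that both the base CRL and the delta CRL
# (the one with the '+' in its name) are actually served over HTTP.
Import-Module WebAdministration

$psPath = 'IIS:\Sites\Default Web Site\CertEnroll'   # assumption: site and vdir names
$filter = 'system.webServer/security/requestFiltering'
$name   = 'allowDoubleEscaping'

# Default is False, which makes request filtering reject the '+' in MYSERVER-CA+.crl.
$before = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name $name
"allowDoubleEscaping before: $before"

# Scope the change to CertEnroll rather than the whole site: the delta CRL is the
# only file that needs it, and the setting loosens request filtering wherever it applies.
Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name $name -Value $true
# appcmd equivalent of the line above:
#   appcmd set config "Default Web Site/CertEnroll" -section:system.webServer/security/requestFiltering -allowDoubleEscaping:true

$after = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name $name
"allowDoubleEscaping after:  $after"

# Fetch the base CRL and the delta CRL the way a client's revocation check would.
# System.Net.WebClient is used so this also works on the PowerShell 2.0 that ships with SBS 2011.
$baseCrl  = 'http://mydomain.com/CertEnroll/MYSERVER-CA.crl'    # assumption: external CDP URL
$deltaCrl = $baseCrl -replace '\.crl$', '+.crl'
$client   = New-Object System.Net.WebClient
foreach ($url in @($baseCrl, $deltaCrl)) {
    try {
        $bytes = $client.DownloadData($url)
        "{0} -> OK ({1} bytes)" -f $url, $bytes.Length
    } catch {
        # A failure on the delta URL only, after the change, points back at request filtering.
        "{0} -> FAILED: {1}" -f $url, $_.Exception.Message
    }
}
```

If the delta URL still fails, check the IIS log for a 404.11 substatus on that request, which is the signature of the double-escaping rejection.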