Configure RRAS with a Computer Authentication Certificate

Applies To: Windows Server 2008 R2

Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2)-based virtual private networks (VPNs) use certificate-based authentication methods. To support SSTP or IKEv2-based VPNs, you must install a properly configured certificate on the VPN server.

The computer certificate you configure on the RRAS server must have either the Server Authentication or All-Purpose enhanced key usage (EKU) property. This computer certificate is used by the VPN client to authenticate the RRAS server when the session is established.

Where to install certificates

On the RRAS server:

  • Install the root CA certificate for the certification authority (CA) that issued the server authentication certificate into the store Local Computer\Trusted Root Certification Authorities.

  • Install the server authentication certificate that was issued by the CA into the store Local Computer\Personal.

On the remote VPN client:

  • Install the root CA certificate for the CA that issued the server authentication certificate into the store Local Computer\Trusted Root Certification Authorities. This is required for the client to trust the server authentication certificate presented by the server.

  • If the client will need to use IKEv2 VPN connections to the server, then a client authentication certificate that was issued by the CA must be installed in the store Local Computer\Personal.

Important

For SSTP VPN connections, by default, the client must be able to confirm that the certificate has not been revoked by checking the server identified in the certificate as hosting the certificate revocation list (CRL). If the server hosting the CRL cannot be contacted, then the validation fails, and the VPN connection is dropped. To prevent this, you must either publish the CRL on a server that is accessible on the Internet or configure the client to not require CRL checking. To disable CRL checking, create a registry setting at the following location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\parameters
The setting must be a DWORD value named NoCertRevocationCheck. Set the value to 1.

Additional references