Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2)-based virtual private networks (VPNs) use certificate-based authentication methods. To support SSTP or IKEv2-based VPNs, you must install a properly configured certificate on the VPN server.
The computer certificate you configure on the RRAS server must have either the Server Authentication or All-Purpose enhanced key usage (EKU) property. This computer certificate is used by the VPN client to authenticate the RRAS server when the session is established.
Where to install certificates
On the RRAS server:
- Install the root CA certificate for the certification authority (CA) that issued the server authentication certificate into the store Local Computer\Trusted Root Certification Authorities.
- Install the server authentication certificate that was issued by the CA into the store Local Computer\Personal.
On the remote VPN client:
- Install the root CA certificate for the CA that issued the server authentication certificate into the store Local Computer\Trusted Root Certification Authorities. This is required for the client to trust the server authentication certificate presented by the server.
- If the client will need to use IKEv2 VPN connections to the server, then a client authentication certificate that was issued by the CA must be installed in the store Local Computer\Personal.
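The following PowerShell script is an added example, not part of the original article, showing how to carry out the RRAS-server steps above and then check that what landed in the stores satisfies the EKU, private-key and trust-chain requirements described earlier. The file paths are placeholders; the function name Test-RrasServerCertificate is invented for this example. It uses the PKI module cmdlets Import-Certificate and Import-PfxCertificate and must be run elevated, because the Local Computer stores are being written.

```powershell
# Added example, not from the original article: install and then verify
# the certificates the text describes, on the RRAS server.
# File paths are placeholders; run elevated (the LocalMachine stores require it).

$RootCerPath   = 'C:\certs\IssuingRootCA.cer'   # placeholder: root CA certificate (.cer)
$ServerPfxPath = 'C:\certs\vpn-server.pfx'      # placeholder: server auth cert + private key (.pfx)

# --- 1. Install ---------------------------------------------------------
# Root CA certificate -> Local Computer\Trusted Root Certification Authorities
Import-Certificate -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Server authentication certificate (with its private key) -> Local Computer\Personal
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$serverCert  = Import-PfxCertificate -FilePath $ServerPfxPath `
                   -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# --- 2. Verify ----------------------------------------------------------
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication EKU)
$AnyEkuOid     = '2.5.29.37.0'         # anyExtendedKeyUsage

function Test-RrasServerCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # EKU: Server Authentication, anyExtendedKeyUsage, or no EKU extension at all
    # (which the Windows certificate UI shows as "All-Purpose").
    $ekuExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $ekuOk = (-not $ekuExt) -or ($ekuOids -contains $ServerAuthOid) -or ($ekuOids -contains $AnyEkuOid)

    # The server signs the TLS (SSTP) or IKE handshake, so the private key must be present.
    $keyOk = $Cert.HasPrivateKey

    # Validity window
    $now    = Get-Date
    $timeOk = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)

    # Build the chain and confirm its root sits in LocalMachine\Root, i.e. the
    # issuing CA's root certificate was installed where the text says.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)
    $rootOk  = $false
    if ($chain.ChainElements.Count -gt 0) {
        $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
        $rootOk = [bool](Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $rootThumb)
    }

    [pscustomobject]@{
        Subject           = $Cert.Subject
        Thumbprint        = $Cert.Thumbprint
        EkuOk             = $ekuOk
        HasPrivateKey     = $keyOk
        InValidityPeriod  = $timeOk
        ChainBuilds       = $chainOk
        RootInTrustedRoot = $rootOk
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Usable            = $ekuOk -and $keyOk -and $timeOk -and $chainOk -and $rootOk
    }
}

# Report on the certificate just imported ...
Test-RrasServerCertificate -Cert $serverCert | Format-List

# ... and list every certificate in Local Computer\Personal that RRAS could use.
Get-ChildItem 'Cert:\LocalMachine\My' |
    ForEach-Object { Test-RrasServerCertificate -Cert $_ } |
    Where-Object Usable |
    Select-Object Subject, Thumbprint
```

Revocation checking is switched off in the chain build so the check works on a server without CRL access; remove that line to test with the default policy. The same two import commands apply on the remote client: the root CA certificate goes into Cert:\LocalMachine\Root, and for IKEv2 the client authentication certificate (with its private key) goes into Cert:\LocalMachine\My.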
Additional references
- Active Directory Certificate Services
(http://go.microsoft.com/fwlink/?linkid=136444)
- Configuring RRAS