Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2)-based virtual private networks (VPNs) use certificate-based authentication methods. To support SSTP or IKEv2-based VPNs, you must install a properly configured certificate on the VPN server.

The computer certificate you configure on the RRAS server must have either the Server Authentication or All-Purpose enhanced key usage (EKU) property. This computer certificate is used by the VPN client to authenticate the RRAS server when the session is established.

Where to install certificates

On the RRAS server:

  • Install the root CA certificate for the certification authority (CA) that issued the server authentication certificate into the store Local Computer\Trusted Root Certification Authorities.

  • Install the server authentication certificate that was issued by the CA into the store Local Computer\Personal.

On the remote VPN client:

  • Install the root CA certificate for the CA that issued the server authentication certificate into the store Local Computer\Trusted Root Certification Authorities. This is required for the client to trust the server authentication certificate presented by the server.

  • If the client will need to use IKEv2 VPN connections to the server, then a client authentication certificate that was issued by the CA must be installed in the store Local Computer\Personal.
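The placement rules above can be checked rather than assumed. The following PowerShell function is an added example, not part of the original article: run elevated on the RRAS server, it lists every certificate in Local Computer\Personal, reports whether it carries the Server Authentication EKU (or no EKU at all, which Windows treats as all-purpose), whether a chain can be built to a root that is present in Local Computer\Trusted Root Certification Authorities, and whether it matches the name clients connect to. The server name `vpn.example.com` is an assumed placeholder; the EKU OID is the standard Server Authentication value.

```powershell
# Added example (not from the original article). Audits the RRAS server's
# Local Computer\Personal store for a certificate usable to authenticate the
# server to SSTP/IKEv2 clients. Assumes it runs elevated on the RRAS server.
$script:ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # standard Server Authentication EKU

function Test-RrasServerCertificate {
    param(
        # Assumed placeholder: the FQDN that VPN clients use to reach this server.
        [string]$ServerFqdn = 'vpn.example.com'
    )

    $ekuType   = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $rootStore = Get-ChildItem Cert:\LocalMachine\Root

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # EKU rule from the article: Server Authentication or All-Purpose.
        # A certificate with no EKU extension is all-purpose; otherwise the
        # Server Authentication OID must be listed.
        $ekuExt = $cert.Extensions | Where-Object { $_ -is $ekuType } | Select-Object -First 1
        $ekuOk  = if ($null -eq $ekuExt) {
            $true
        } else {
            [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $script:ServerAuthOid })
        }

        # Trust-path rule: the issuing CA's root must sit in Trusted Root
        # Certification Authorities. Revocation is deliberately not checked here;
        # CRL reachability is a separate concern covered by the article's note.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $root = if ($chain.ChainElements.Count -gt 0) {
            $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        }
        $rootTrusted = ($null -ne $root) -and
                       [bool]($rootStore | Where-Object { $_.Thumbprint -eq $root.Thumbprint })

        # Name rule: clients validate the name they dialled against the certificate.
        $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $nameOk   = ($cert.Subject -like "*CN=$ServerFqdn*") -or ($dnsNames -contains $ServerFqdn)

        $now = Get-Date
        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            NotAfter           = $cert.NotAfter
            HasPrivateKey      = $cert.HasPrivateKey
            ServerAuthEku      = $ekuOk
            ChainBuilds        = $chainOk
            RootInTrustedStore = $rootTrusted
            MatchesFqdn        = $nameOk
            # Usable only if every rule holds and the certificate is within validity.
            Usable             = $ekuOk -and $chainOk -and $rootTrusted -and $nameOk -and
                                 $cert.HasPrivateKey -and ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        }
    }
}

# Usage: show which certificates RRAS could present, and why the others cannot be used.
Test-RrasServerCertificate -ServerFqdn 'vpn.example.com' | Format-Table Subject, Usable, ServerAuthEku, ChainBuilds, RootInTrustedStore, MatchesFqdn, HasPrivateKey
```

A certificate that shows `ChainBuilds` true but `RootInTrustedStore` false usually means the chain was completed from a root in the current user's store or a downloaded intermediate, which does not satisfy the Local Computer placement the article requires; `HasPrivateKey` false means the certificate was imported without its key and cannot be used by RRAS.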

Important
  • For SSTP VPN connections, by default, the client must be able to confirm that the certificate has not been revoked by checking the server identified in the certificate as hosting the certificate revocation list (CRL). If the server hosting the CRL cannot be contacted, then the validation fails, and the VPN connection is dropped. To prevent this, you must either publish the CRL on a server that is accessible on the Internet or configure the client to not require CRL checking. To disable CRL checking, create a registry setting at the following location:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\parameters

    The setting must be a DWORD value named NoCertRevocationCheck. Set the value to 1.
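The note above gives two options: make the CRL reachable, or turn the client's check off. The PowerShell below is an added example, not part of the original article, that supports deciding between them on a client: it extracts the CRL distribution point URLs from the RRAS server's certificate (identified by thumbprint, an assumed parameter) and probes them, and it reads or sets the NoCertRevocationCheck value at the registry location the article names. The registry path is the one given in the article; everything else (function names, the probe timeout) is this example's own.

```powershell
# Added example (not from the original article). Run on the VPN client.
# Registry location and value name are taken from the article.
$script:SstpParamsKey = 'HKLM:\System\CurrentControlSet\Services\Sstpsvc\parameters'
$script:CrlValueName  = 'NoCertRevocationCheck'
$script:CrlDpOid      = '2.5.29.31'   # standard CRL Distribution Points extension

function Get-SstpCrlCheckState {
    # Reports whether the client will enforce CRL checking for SSTP.
    # Absent value or 0 = checking enforced (the default); 1 = checking disabled.
    $value = (Get-ItemProperty -Path $script:SstpParamsKey -Name $script:CrlValueName -ErrorAction SilentlyContinue).$script:CrlValueName
    [pscustomobject]@{
        Key            = $script:SstpParamsKey
        RawValue       = $value
        CrlCheckActive = ($null -eq $value) -or ($value -eq 0)
    }
}

function Set-SstpCrlCheckState {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Enabled = $true restores the default by removing the override;
    # Enabled = $false writes the DWORD value 1 described in the article,
    # which means the client will no longer detect a revoked server certificate.
    if (-not (Test-Path $script:SstpParamsKey)) { New-Item -Path $script:SstpParamsKey -Force | Out-Null }
    if ($Enabled) {
        Remove-ItemProperty -Path $script:SstpParamsKey -Name $script:CrlValueName -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -Path $script:SstpParamsKey -Name $script:CrlValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-SstpCrlCheckState
}

function Test-ServerCertificateCrlReachable {
    param(
        # Assumed parameter: thumbprint of the RRAS server's certificate. On a
        # client it can be read from the Local Computer\Trusted Root chain or
        # exported from the server; a constructed placeholder is used here.
        [Parameter(Mandatory)][string]$Thumbprint,
        [int]$TimeoutSec = 10
    )
    $cert = Get-ChildItem Cert:\LocalMachine -Recurse | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) { throw "Certificate $Thumbprint not found in any Local Computer store." }

    $dpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $script:CrlDpOid } | Select-Object -First 1
    if (-not $dpExt) {
        return [pscustomobject]@{ Url = $null; Reachable = $false; Note = 'No CRL distribution point in certificate' }
    }

    # Format($true) renders the extension as text containing lines like "URL=http://...";
    # HTTP(S) URLs are the ones an Internet-connected client can actually use.
    $urls = [regex]::Matches($dpExt.Format($true), 'URL=(https?://\S+)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        $reachable = $false
        try {
            $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec $TimeoutSec
            $reachable = ($resp.StatusCode -eq 200)
        } catch { }
        [pscustomobject]@{ Url = $url; Reachable = $reachable; Note = if ($reachable) { 'CRL published and reachable' } else { 'Client cannot fetch CRL; SSTP validation would fail' } }
    }
}

# Usage (thumbprint is a constructed placeholder):
Get-SstpCrlCheckState
Test-ServerCertificateCrlReachable -Thumbprint '0000000000000000000000000000000000000000'
```

If every distribution point reports `Reachable` true, the CRL is already published where the client can see it and the registry override is unnecessary; if none is reachable, fixing CRL publication keeps revocation detection intact, whereas `Set-SstpCrlCheckState -Enabled $false` only makes the failure invisible. `Get-SstpCrlCheckState` is also a useful line in a client baseline audit, since a stray value of 1 silently removes revocation checking for all SSTP connections from that machine.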
