Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2)-based virtual private networks (VPNs) use certificate-based authentication methods. To support SSTP or IKEv2-based VPNs, you must install a properly configured certificate on the VPN server.
The computer certificate you configure on the RRAS server must have either the Server Authentication or All-Purpose enhanced key usage (EKU) property. This computer certificate is used by the VPN client to authenticate the RRAS server when the session is established.
Where to install certificates
On the RRAS server:
- Install the root CA certificate for the certification authority (CA) that issued the server authentication certificate into the store Local Computer\Trusted Root Certification Authorities.
- Install the server authentication certificate that was issued by the CA into the store Local Computer\Personal.
On the remote VPN client:
- Install the root CA certificate for the CA that issued the server authentication certificate into the store Local Computer\Trusted Root Certification Authorities. This is required for the client to trust the server authentication certificate presented by the server.
- If the client will use IKEv2 VPN connections to the server, install a client authentication certificate that was issued by the CA into the store Local Computer\Personal.
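
One way to check the store placement described above, as an added PowerShell example that is not part of the original page. The function name Test-VpnCertificate is hypothetical. The example assumes that "All-Purpose" corresponds to the anyExtendedKeyUsage OID and that a client authentication certificate carries the Client Authentication EKU.

```powershell
# Added example: audit Local Computer\Personal and Local Computer\Trusted Root
# Certification Authorities. Run in an elevated session on the machine being checked.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (assumed for IKEv2 clients)
$AnyPurposeOid = '2.5.29.37.0'         # anyExtendedKeyUsage (assumed meaning of "All-Purpose")

function Test-VpnCertificate {          # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string[]]$AcceptedOids
    )
    # Read the EKU extension directly; a certificate may have none at all.
    $ekuExt = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    $ekuOk = @($oids | Where-Object { $AcceptedOids -contains $_ }).Count -gt 0

    # Build the chain in machine context and take its last element as the root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # store placement only, no revocation lookup
    $null = $chain.Build($Certificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        HasPrivateKey = $Certificate.HasPrivateKey   # needed to authenticate with this certificate
        EkuOk         = $ekuOk
        RootInStore   = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
        NotAfter      = $Certificate.NotAfter
    }
}

# On the RRAS server: candidates for the server authentication certificate.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-VpnCertificate -Certificate $_ -AcceptedOids $ServerAuthOid, $AnyPurposeOid } |
    Format-Table -AutoSize

# On an IKEv2 client: candidates for the client authentication certificate.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-VpnCertificate -Certificate $_ -AcceptedOids $ClientAuthOid } |
    Format-Table -AutoSize
```

A usable certificate shows True for HasPrivateKey, EkuOk and RootInStore, with a NotAfter date in the future.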