I have installed a wildcard SSL certificate on a Win2022 Server for use for both web (IIS) and VPN authentication. I let Windows choose the appropriate certificate store, but for good measure I installed the certificate also on LocalMachine. Now, Web serving works just fine. However, the certificate does not appear on the Remote Access Server choice and consequently cannot be selected. Worse, the RAS now complains that the default self-signed certificate is not identical to the IIS SSL and refuses to start. My question is: How can I make the new certificate selectable in the RAS configuration page?
What are the certificate usages? – Greg Askew Nov 16 '21 at 15:17
Proves your identity to a remote computer / Ensures the identity of a remote computer / 2.23.140.1.2.1. It's stored under "Trusted Root Certification Authorities" (Current User) – aag Nov 16 '21 at 15:29
It needs to be in the Personal store and have the Server Authentication Enhanced Key Usage (EKU) (OID 1.3.6.1.5.5.7.3.1). https://directaccess.richardhicks.com/2018/07/16/always-on-vpn-ssl-certificate-requirements-for-sstp/ – Greg Askew Nov 16 '21 at 15:41
Thank you very much for your advice; it's highly appreciated. I have copied the certificate to the Personal store, and I have added the EKU OID to it and to each certificate in its chain of trust. I have then restarted the RAS service. However, I still see only the self-signed cert installed automatically and a "default" which cannot be chosen for some reason (it produces an error). What am I missing? :) – aag Nov 16 '21 at 19:25
The info box says: [1]Certificate Policy: Policy Identifier=Server Authentication [1,1]Policy Qualifier Info: Policy Qualifier Id=Root Program Flags Qualifier: c0 – aag Nov 16 '21 at 19:29
However, I notice that the entry "Key Usage" (value: "Digital Signature, Key Encipherment (a0)") has an attention sign (yellow triangle with an exclamation mark) on it. Does this mean that something is wrong? – aag Nov 16 '21 at 19:48
That's an odd assortment of EKUs considering you only need one that isn't present. – Greg Askew Nov 16 '21 at 21:24
Dear Greg, thank you - but I don't quite understand. I entered the OID that you kindly specified. Why isn't it present? I thought that the text "Server Authentication" would indicate that it was correctly entered... – aag Nov 17 '21 at 06:23
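A PowerShell check of the requirements Greg Askew lists in the comments (LocalMachine Personal store, Server Authentication EKU 1.3.6.1.5.5.7.3.1, a private key), added here as an example and not posted by anyone in the thread; the function name Test-RasServerCertificate is my own, and it assumes Windows PowerShell 5.1 or later run as administrator on the RAS server. It reads the EKU from the Enhanced Key Usage extension only, so an OID that was entered under Certificate Policies (as the asker's info box shows) is reported separately rather than counted as an EKU.

```powershell
# Added example, not from the thread: report which certificates in the
# LocalMachine Personal store meet the RAS/SSTP requirements quoted in the
# comments. Assumes Windows PowerShell 5.1+ on the RAS server (Cert: drive).
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$EkuExtOid     = '2.5.29.37'           # Enhanced Key Usage extension
$PolicyExtOid  = '2.5.29.32'           # Certificate Policies extension (the asker's info box)

function Test-RasServerCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    process {
        # EKU is taken from the Enhanced Key Usage extension only; a Certificate
        # Policies entry carrying the same OID or friendly name does not count.
        $ekuExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtOid }
        $ekuOids = @()
        if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Oid.Value }) }

        $policyExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $PolicyExtOid }
        $policyText = if ($policyExt) { $policyExt.Format($true) } else { '' }
        $policyPattern = [regex]::Escape($ServerAuthOid) + '|Server Authentication'

        $hasServerAuth = $ekuOids -contains $ServerAuthOid
        [pscustomobject]@{
            Subject                = $Cert.Subject
            Thumbprint             = $Cert.Thumbprint
            HasPrivateKey          = $Cert.HasPrivateKey
            ServerAuthEku          = $hasServerAuth
            # True when the OID exists only as a Certificate Policy, not as an EKU
            ServerAuthOnlyAsPolicy = (-not $hasServerAuth) -and ($policyText -match $policyPattern)
            NotAfter               = $Cert.NotAfter
            UsableForRas           = $Cert.HasPrivateKey -and $hasServerAuth -and ($Cert.NotAfter -gt (Get-Date))
        }
    }
}

# RAS looks in the machine's Personal store; a certificate placed only under
# CurrentUser or under Trusted Root will not be offered in the RAS picker.
Get-ChildItem Cert:\LocalMachine\My | Test-RasServerCertificate | Format-Table -AutoSize
```

A row with UsableForRas = True is the certificate RAS should be able to select; ServerAuthOnlyAsPolicy = True means the OID was added in the wrong extension and the certificate needs to be reissued with Server Authentication as an EKU.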