I just finished an SSTP server with cert which works fine with Win 7 and Vista and MikroTik.
Let me know if you still have the problem. I will share steps ASAP.
Maybe I will post it on wiki (if it is open for users).
Before starting, you need to have a CN (Common Name). What is CN? CN is a domain name (or a sub-domain) pointed to the IP address of your SSTP server. You also need a level1 or level2 email on the domain. You need the email for “Domain Verification”, which is a step needed to finish the cert issue process.
Also, you must create a CSR (Certificate Signing Request) in MikroTik (/certificate create-certificate-request). The only important questions (MikroTik asks you some questions) are CN and passphrase.
When done, MikroTik creates two files (certificate-request.pem and private-key.pem). You will need private-key.pem later when you want to import your signed certificate from Comodo.
Here is an example:
IP of your SSTP server: 1.2.3.4
CN: anything.info (level1) or subdomain.anything.info (level2)
email: admin/webmaster/root@anything.com (level1) or admin/webmaster/root@subdomain.anything.info (level2)
If you use a level2 domain you can use a level1 email for domain name verification but if you used a level1 domain you CANNOT use a level2 email for domain name verification.
When you ping anything.info or subdomain.anything.info it must resolve to 1.2.3.4.
Remember that CN must be a domain name, NOT an IP address. Also, when you want to make an SSTP connection in Windows, you must use the same CN which you used to make your CSR and for which the signed certificate is issued. If you use the IP address instead of the domain name, the Windows client will NOT connect and gives an error (Error 0x800B010F: The certificate’s CN name does not match the passed value.)
If you have any questions, please feel free to ask.
You can find me on Yahoo Messenger by my user name here!
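The rules in the post above can be checked before a CSR is submitted. The following is an added example, not part of the original post or MikroTik's tooling: a pre-flight check that encodes the CN, DNS and validation e-mail rules as the post states them. The function names and the constructed resolver are assumptions made for illustration.

```python
import ipaddress
import socket

APPROVER_MAILBOXES = {"admin", "webmaster", "root"}  # local parts named in the post


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def system_resolver(name):
    """IPv4 addresses the local resolver returns for name (empty set on failure)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def preflight(cn, server_ip, approver_email, connect_host, resolve=system_resolver):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    cn, host = cn.lower().rstrip("."), connect_host.lower().rstrip(".")
    if is_ip_literal(cn):
        problems.append("CN is an IP address; it must be a domain name")
    elif server_ip not in resolve(cn):
        problems.append("CN does not resolve to the SSTP server address")
    if host != cn:
        problems.append("client host differs from CN; expect error 0x800B010F")
    local, _, mail_domain = approver_email.lower().rpartition("@")
    if local not in APPROVER_MAILBOXES:
        problems.append("validation mailbox is not admin, webmaster or root")
    # The mailbox may sit on the CN itself or on a parent domain, never on a child.
    on_cn_or_parent = cn == mail_domain or cn.endswith("." + mail_domain)
    if "." not in mail_domain or not on_cn_or_parent:
        problems.append("validation e-mail domain is not the CN or its parent")
    return problems


if __name__ == "__main__":
    # Constructed resolver standing in for DNS, using the post's sample values.
    def sample_dns(name):
        return {"1.2.3.4"} if name.endswith("anything.info") else set()
    print(preflight("subdomain.anything.info", "1.2.3.4",
                    "admin@anything.info", "1.2.3.4", sample_dns))
```

Omit the `resolve` argument to have the check query the system resolver for the CN.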
I have successfully created an SSTP certificate (startssl.com), and I have connected to my MikroTik, but now I want to secure it up a little more, and want to use “verify-client-certificate”. Now I have a problem. I don’t know how to create a certificate for the client. What has to be written in CN for the client? Any idea?