I’m trying to set up SSTP because I find wifi spots that block L2TP ports.
I get a 0x8007274C error. From what I’ve seen here and on other pages, it looks like my self-signed cert is being rejected.
I found one post that says the CN in the cert must match the IP address of the router. Since mine does not, I’m assuming that is the problem; my router is DHCP from my ISP.
I’m also assuming the only way around this is a commercial cert, but wanted to get verification.
I haven’t tried, but it could be possible to first set up some kind of DynDNS service and then use that URL as CN.
I’m anyway using a self-signed cert with SSTP. I have only a dynamic WAN IP as well, but it changes so rarely that I registered a domain name and made a static DNS entry to point to my current public IP. If it changes some day, then I must manually edit my DNS record and wait until the TTLs have expired.
After that I self-signed a cert with OpenSSL and used my registered domain name as CN, and it works. I’m connected to it at the moment.
My own CA is of course added to my Win7 laptop’s cert store. There was a bit of a strange notice that the CA cert must be added to the Local Computer’s cert store, not to the cert store attached to my user profile.
I didn’t read that page when I made the cert; I had an existing CA and I just made one new cert using that, but yes, no big differences compared to that wiki page. Anyway, it makes sense that it is not wise to use the same CN for the CA and for other certs (is it even possible?). So use your imagination and find your own CA name (my imagination wasn’t very good back then, so my CA’s CN is “servername-ca”), then sign a cert for your RB, and when you are asked for the CN for that, remember this one:
“Note: Common Name (CN) in server certificate should match the IP address of your server otherwise you will get “domain mismatch” message and for example Windows SSTP client will not be able to connect to the server. If clients are only Windows machines then CN can be a DNS name, too.”
Although, when I now read that again... in fact that is a bit misleading; better wording would be that “CN in server certificate should match the domain name which is used to establish connections (configured in the Win7 clients’ “Host name or IP address of destination” section and therefore of course resolved to an IP address by the connecting client).” Maybe it’s possible to use an IP address as CN as well, but I think it forces you to sign a new cert every time your IP changes.
As I said earlier, my RB’s cert’s CN is “my.domain.com” and I have made an A record at my domain name provider’s (joker.com) public DNS service pointing to my own public (but dynamic) IP address. When my IP changes (happened only when I changed my device), I have to go and edit my record manually; not a big deal in my case.
And btw, if you have only a few clients and a little handwork is not a problem, you don’t even need that domain name. You can also use your client computers’ hosts file ( http://en.wikipedia.org/wiki/Hosts_(file) ). The main thing is just to take care that the address you connect to from the client matches your server cert’s CN.
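The certificate setup described in the posts above, as an added example that is not from this thread or from MikroTik: a POSIX shell script that uses OpenSSL to build a private CA (CN “servername-ca”) and a server certificate whose CN, and also a subjectAltName, equal the name clients will type (“my.domain.com”), then checks the name match the way a connecting client does. The working directory, file names and the test IP address 203.0.113.10 are assumptions.

```shell
#!/bin/sh
# Build a private CA and an SSTP server cert whose CN/SAN match the name
# clients connect to, then verify the chain and the name like a client would.
# Assumed: openssl on PATH; WORK is a scratch directory chosen here.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_certs SERVER_NAME CA_NAME
#   SERVER_NAME: what clients type as "Host name or IP address of destination"
#   CA_NAME:     CN of the CA, deliberately different from SERVER_NAME
make_certs() {
    server_name="$1"; ca_name="$2"
    cd "$WORK"
    # 1. CA key and self-signed CA certificate (this is what goes into the
    #    client's Local Computer trusted root store)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$ca_name" -keyout ca.key -out ca.crt 2>/dev/null
    # 2. Server key and CSR; CN is the connection name, not the dynamic IP
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$server_name" -keyout server.key -out server.csr 2>/dev/null
    # 3. Sign with the CA; add a DNS SAN so clients that ignore CN still match
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$server_name" > san.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 825 -extfile san.ext -out server.crt 2>/dev/null
}

# check_name NAME: exit 0 only if the chain verifies against our CA AND the
# server cert's SAN/CN matches NAME (a mismatch is the "domain mismatch" case)
check_name() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1
}
```

Running `make_certs my.domain.com servername-ca` and then `check_name my.domain.com` succeeds, while `check_name 203.0.113.10` fails even though the chain itself is valid, which is the mismatch the posts describe.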