Server Setup:
Mikrotik A
ONLY cert1.crt installed in Mikrotik A
/interface sstp-server server
set authentication=mschap2 certificate=cert1.crt enabled=yes force-aes=yes port=443 tls-version=only-1.2
Mikrotik B
ONLY cert2.crt installed in Mikrotik B
/interface sstp-server server
set authentication=mschap2 certificate=cert2.crt enabled=yes force-aes=yes port=443 tls-version=only-1.2
Client Situation 1:
Mikrotik C
ONLY cert1.crt installed in Mikrotik C
#This connection works:
add certificate=cert1.crt connect-to=MikrotikA disabled=no name=sstp-out1 password=pw profile=default-encryption tls-version=only-1.2 user=user verify-server-address-from-certificate=yes verify-server-certificate=yes
#This connection error: handshake failed: unable to get local issuer certificate (6)
add certificate=cert1.crt connect-to=MikrotikB disabled=no name=sstp-out2 password=pw profile=default-encryption tls-version=only-1.2 user=user verify-server-address-from-certificate=yes verify-server-certificate=yes
Above result make sense since the certificate mismatch.
Client Situation 2:
Mikrotik C
BOTH cert1.crt and cert2.crt installed in Mikrotik C
#This connection works:
add certificate=cert1.crt connect-to=MikrotikA disabled=no name=sstp-out1 password=pw profile=default-encryption tls-version=only-1.2 user=user verify-server-address-from-certificate=yes verify-server-certificate=yes
#This connection also works:
add certificate=cert1.crt connect-to=MikrotikB disabled=no name=sstp-out2 password=pw profile=default-encryption tls-version=only-1.2 user=user verify-server-address-from-certificate=yes verify-server-certificate=yes
As I specify the cert1.crt in sstp-out2, the certificate should be mismatch. However, mikrotik seems try to match any other certificate in store automatically. If my understanding is correct, I’m worrying this is a security risk.