SSTP - Certificates for users but not for Routers

Hi,

I successfully deployed a few MT routers that build up an SSTP tunnel to a central CHR instance (and I am pretty happy with the results). I did all that without using Certificates because I had only MT devices. Now I want to know if it is possible to also have Windows Clients use this CHR instance in parallel. Those would, to my knowledge, need a Certificate, which raises the question of whether such a setup is possible or whether that would mean reconfiguring all existing tunnels to use a Certificate.

Thanks in advance!

Hopefully you are not using the SSTP without certificates for any important data as it is extremely insecure. From the Wiki “Between two Mikrotik routers it is also possible to set up an insecure tunnel by not using certificates at all. In this case data going through SSTP tunnel is using anonymous DH and Man-in-the-Middle attacks are easily accomplished”

You should be able to add a server certificate without breaking the existing tunnels. In addition to allowing Windows clients to connect you can also import the CA certificate into the client Mikrotiks and set verify-server-certificate=yes

Thanks for your help. I will then reconfigure the MT devices also. That would mean:

  • Creating CA, Server Cert and for every MT device a Client Cert
  • Installing CA and Server Cert on CHR
  • Installing Client Cert on MT devices
  • Selecting Server Cert on CHR (SSTP Server)
  • Selecting Client Cert on MT devices (SSTP Interface)

Is that correct? Do I need to consider anything to avoid breaking my tunnels (and access) while reconfiguring?

Thanks!

The Mikrotik client certificates are optional, the VPN can still be secure without them, and Windows doesn’t support them:
Client checks it is talking to an authentic server by matching the CA which signed the server certificate, and optionally verifying the server hostname matches the certificate.
Server authenticates the client by username and password.

Create CA, Server Cert.
Install CA and Server Cert on CHR.
Select Server Cert on CHR (SSTP Server) - this should not break existing tunnels as the clients do not currently check it BUT use safe mode and/or have another connection just in case.

Install CA on MT devices.
Enable verify-server-certificate and optionally verify-server-address-from-certificate (more important if not using self-signed certificates) on MT devices. Also check the authentication methods are set to mschap2 only.

Install CA on Windows devices (must be in machine certificate store, see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd458982(v=ws.11)).
Create SSTP VPN connection on Windows devices, note Windows will check the server address matches the certificate hostname.
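The procedure above as RouterOS CLI commands, added here as an illustration and not taken from the post. Certificate names, the hostname vpn.example.com, the client interface name sstp-out1 and the exported file name are assumptions to adapt to your own setup.

```routeros
# --- On the CHR (SSTP server) ---
# Create a CA template and self-sign it. Names are placeholders.
/certificate add name=ca-template common-name=example-ca key-usage=key-cert-sign,crl-sign
/certificate sign ca-template name=ca

# Server certificate: the common-name must match the address clients dial
# (vpn.example.com is a placeholder), because Windows and
# verify-server-address-from-certificate both check it.
/certificate add name=server-template common-name=vpn.example.com \
    subject-alt-name=DNS:vpn.example.com \
    key-usage=digital-signature,key-encipherment,tls-server
/certificate sign server-template ca=ca name=server

# Export only the CA certificate (empty passphrase = no private key).
# Assumed output file name: cert_export_ca.crt under /file.
/certificate export-certificate ca export-passphrase=""

# Bind the server certificate. Existing certificate-less clients keep
# working because they do not verify it yet; use safe mode (Ctrl-X)
# or a second management path in case something goes wrong.
/interface sstp-server server set enabled=yes certificate=server \
    authentication=mschap2 force-aes=yes pfs=yes tls-version=only-1.2

# --- On each MikroTik client ---
# Upload cert_export_ca.crt to the router first (Files, FTP or scp),
# then import it. Only the CA is needed; no client certificate.
/certificate import file-name=cert_export_ca.crt passphrase=""

# Verify the server certificate chain and hostname, mschap2 only.
/interface sstp-client set [find name=sstp-out1] \
    verify-server-certificate=yes \
    verify-server-address-from-certificate=yes \
    authentication=mschap2

# Confirm the tunnel re-established after the change.
/interface sstp-client monitor [find name=sstp-out1] once
```

For Windows clients, import the same cert_export_ca.crt into the machine (not user) Trusted Root store and dial vpn.example.com, since Windows rejects a server whose certificate does not match the dialed name.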

Well, I’ve got the CHR set up already (following this YT video for CA and Cert creation, while not understanding the Polish language), and the first MT device re-established the tunnel happily (as you predicted)!

For now I skipped the part of creating and installing a Certificate on a Windows machine (like in the video) because I took from your elaborate answer that this is not needed.

Thanks again, very much appreciate your help!