Hi!
I would like to know which extensions a certificate must have to work with SSTP VPN. Currently I have created a self-signed cert on MikroTik and deployed it to my Local Machine certificate store on Windows, and it works, but I would like to buy a certificate from a trusted public certification authority. I tried with Let’s Encrypt but it does not work; it also does not work with a Comodo free certificate. Are these certificates missing some extensions? If so, which extensions (Extended Key Usage) do I need to look for when ordering a certificate?
Thank you,
Luka
“It works on my machine” (Windows 10 client). Have you installed the intermediate certificate?
[admin@MikroTik] /certificate> print detail
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
0 L name="vpn.company.com.crt_1"
issuer=O=Digital Signature Trust Co.,CN=DST Root CA X3
country="US" organization="Let's Encrypt"
common-name="Let's Encrypt Authority X3" key-size=2048
days-valid=1826 trusted=yes
key-usage=digital-signature,key-cert-sign,crl-sign
serial-number="0A0141420000015385736A0B85ECA708"
fingerprint="25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d"
invalid-before=mar/17/2016 17:40:46
invalid-after=mar/17/2021 17:40:46 expires-after=122w1d17h24m44s
1 K T name="vpn.company.com.crt_0"
issuer=C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
common-name="vpn.company.com" key-size=4096
subject-alt-name=DNS:vpn.company.com days-valid=90 trusted=yes
key-usage=digital-signature,key-encipherment,tls-server,tls-client
serial-number=""
fingerprint=""
invalid-before=sep/10/2018 20:30:49
invalid-after=dec/09/2018 20:30:49 expires-after=3w5d20h14m47s
Edit: removed Trusted flag from intermediate certificate
Oh! I did not do that… I will try again. Thank you, thank you!
Note that you do not need to ‘Trust’ the intermediate certificate. I have removed that flag from my post.
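The two points the thread settles on, that the leaf needs the TLS server authentication EKU and that the intermediate certificate must be present on the router (supplied as chain material, not marked trusted), can be checked locally with openssl. The script below is an added example, not code from the thread or from MikroTik: it builds a throwaway root / intermediate / server chain (all names such as "Example Root CA" and vpn.example.test are constructed), reads the leaf's EKU, and shows that verification against the root fails until the intermediate is handed to openssl via -untrusted, which mirrors the "intermediate present but not trusted" configuration the reply describes.

```shell
#!/bin/sh
# Added example (not from the forum thread): build a three-level test chain
# with openssl, check the leaf's EKU, and show why the intermediate matters.
# All names and paths below are constructed for the demonstration.
set -e

WORK="$(mktemp -d)"

# Write an openssl extension file; bare key=value lines form the default section.
write_ext() {
  f="$1"; shift
  : > "$f"
  for line in "$@"; do printf '%s\n' "$line" >> "$f"; done
}

make_chain() {
  write_ext "$WORK/ca.ext" \
    "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign"
  # Leaf profile matching what the router printed for the server cert:
  # digital-signature, key-encipherment, tls-server, tls-client, SAN.
  write_ext "$WORK/leaf.ext" \
    "basicConstraints=CA:FALSE" \
    "keyUsage=digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth,clientAuth" \
    "subjectAltName=DNS:vpn.example.test"

  # Root CA (self-signed)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate CA, signed by the root (the piece missing in the thread)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

  # Server (leaf) certificate, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=vpn.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 90 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Prints "yes" if the leaf's EKU includes TLS Web Server Authentication.
leaf_has_server_auth() {
  if openssl x509 -in "$WORK/leaf.pem" -noout -text | grep -q "TLS Web Server Authentication"
  then echo yes; else echo no; fi
}

# Verify the leaf against the root only: no intermediate available.
verify_without_intermediate() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Same check with the intermediate supplied as untrusted chain material.
verify_with_intermediate() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

make_chain
echo "leaf has serverAuth EKU:  $(leaf_has_server_auth)"
echo "verify w/o intermediate:  $(verify_without_intermediate)"
echo "verify with intermediate: $(verify_with_intermediate)"
```

Run against a real certificate by pointing the three verify/EKU functions at the files you received from the CA; if the EKU line lacks "TLS Web Server Authentication", or verification only succeeds once the intermediate is supplied, you have found the same two problems the thread discusses.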