akarpas
Member Candidate
Topic Author
Posts: 177
Joined: Tue Mar 20, 2018 4:46 pm

IKEv2 Picking the wrong client cert installed on local PC cert store

Thu Sep 09, 2021 3:43 pm

Hi geeks,

I have IKEv2 set up to site A, all works great, no problems: connecting, speed is ok, stable.
I have made a set up to site B and guess what, it doesn't work. Config is ok, certs are installed as they have to be installed.
But when I click to connect to site B, Windows 10 sends the site A client certificate to authenticate to the MikroTik IKEv2 server. How do I know this? Just simply by checking the logs:
"unable to get local issuer certificate(20) at depth cert:Client-ak" (where "Client-ak" is the cert of site A)
"cant verify peers' certificate from the store" (yes it can't, as it doesn't exist on site B)


Does anyone know how to fix this problem on Windows 10 so it sends out the right certificate to authenticate, so I may enjoy multi-site accessibility using IKEv2?
 
akarpas

Re: IKEv2 Picking the wrong client cert installed on local PC cert store

Thu Sep 09, 2021 4:54 pm

OK, made a query and later on found an answer in this topic: viewtopic.php?f=2&t=139273&p=878614#p878614
Managed to tell Windows 10 which cert to use.
Now, if you have more than one IKEv2 RSA VPN created, you should specify which certificate Windows should use, because Windows is stupid and can't automatically determine the right certificate for each VPN profile.
1. Open PowerShell and enter certlm.msc to open the Local Machine Certificate tool
2. Under Trusted Root Certification.. find your certificate and open it with a double click
3. Select Details and copy the Serial number
4. Go back to PowerShell and create a new variable with the specified serial number
$ca = Get-ChildItem Cert:\LocalMachine\Root\ | ? SerialNumber -EQ <serial number>
5. Check whether the variable can find your certificate, it should return something
$ca
6. Add the certificate to your created VPN profile
Set-VpnConnection -Name <your VPN profile name> -MachineCertificateIssuerFilter $ca

From <viewtopic.php?t=139273>
A big thanks to Fesiitis for sharing this!!!!
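The same procedure as a script, added here as an example and not taken from the thread. It assumes the profile name and the CA serial number are passed in as parameters (placeholders), and it checks that the Root CA is found exactly once and that a usable client certificate chained to it actually exists in LocalMachine\My before it touches the VPN profile, since an issuer filter that matches no client certificate still leaves the connection failing.

```powershell
# Added example, not from the forum post. Pins the IKEv2 client certificate for one
# Windows VPN profile by its issuing CA, with sanity checks before changing anything.
param(
    [Parameter(Mandatory)] [string] $VpnName,       # placeholder, e.g. "Site-B"
    [Parameter(Mandatory)] [string] $IssuerSerial,  # CA serial copied from certlm.msc
    [switch] $AllUserConnection                     # set if the profile is an all-users one
)

$ErrorActionPreference = 'Stop'
# certlm.msc shows the serial with spaces or colons; the store holds plain hex.
$serial = ($IssuerSerial -replace '[\s:]', '').ToUpperInvariant()

# 1. The issuing CA must be present exactly once in the machine Root store.
$ca = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.SerialNumber -eq $serial })
if ($ca.Count -ne 1) {
    throw "Expected exactly one Root CA with serial $serial, found $($ca.Count)."
}
$ca = $ca[0]

# 2. A client certificate issued by that CA must exist in LocalMachine\My with a
#    private key, still valid, and carrying the Client Authentication EKU.
#    (Issuer/Subject are compared as DN strings, which is enough for a sanity check.)
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$clients = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -eq $ca.Subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $clientAuthOid })
}
if (-not $clients) {
    throw "No usable client certificate issued by '$($ca.Subject)' in LocalMachine\My."
}

# 3. The profile must exist in the store we were told to look in (per-user or all-users).
$null = Get-VpnConnection -Name $VpnName -AllUserConnection:$AllUserConnection

# 4. Pin the issuer: Windows will now offer only certificates chained to this CA
#    when this profile connects, instead of picking the first client cert it finds.
Set-VpnConnection -Name $VpnName -MachineCertificateIssuerFilter $ca `
    -AllUserConnection:$AllUserConnection

Write-Host "Profile '$VpnName' now selects client certificates issued by: $($ca.Subject)"
$clients | Select-Object Subject, Thumbprint, NotAfter
```

Run it from an elevated PowerShell, once per VPN profile, passing that profile's own CA serial; the listed client certificates are the ones the filter will allow.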
