Community discussions

 
maxpower
just joined
Topic Author
Posts: 21
Joined: Fri Dec 05, 2014 4:45 pm

SSTP + Win7 + Self signed cert.

Fri May 17, 2019 4:38 pm

Strange situation, issued self-signed CLIENT cert on mikrotik and imported into Win7 does not work, because Win7 cannot verify its authenticity, but if I import the CA cert from the mikrotik which was used to sign the CLIENT certificate then Win7 can connect, but at the same time if I remove CLIENT certificate from Win7 and leave only CA cert - this is enough for Win7 to connect to SSTP server on mikrotik.

In SSTP server settings I have the CLIENT certificate selected, not CA.

Should I set a CA cert on mikrotik as "non trusted"?
 
Sob
Forum Guru
Forum Guru
Posts: 4041
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSTP + Win7 + Self signed cert.

Fri May 17, 2019 5:11 pm

It is also possible to make a secure SSTP tunnel by adding additional authorization with a client certificate.
...
This scenario is also not possible with Windows clients, because there is no way to set up client certificate on Windows.
In other words, Windows clients can't use client certificates.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5823
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: SSTP + Win7 + Self signed cert.

Fri May 17, 2019 5:12 pm

Windows client does not use client certificate. Only server side verification is happening.
 
maxpower
just joined
Topic Author
Posts: 21
Joined: Fri Dec 05, 2014 4:45 pm

Re: SSTP + Win7 + Self signed cert.

Fri May 17, 2019 5:21 pm

And how WIN7 client verifies mikrotik Server? Only by the CA cert? If I issue CA cert on mikrotik, gonna set it as CERT on SSTP server settings and import to WIN7 - this chain gonna work fine? After CA cert is expired no connection would be possible?
 
Sob
Forum Guru
Forum Guru
Posts: 4041
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSTP + Win7 + Self signed cert.

Fri May 17, 2019 5:27 pm

Standard config is one CA certificate and it's used to sign server certificate. Server uses server certificate (as could be expected) and client needs CA certificate to verify server. If you get server certificate from official trusted CA, you don't need to do anything on client. If you use your own CA, you need to add CA certificate on client. A self-signed certificate for server, which you would also need to add to client, should probably work too.
 
maxpower
just joined
Topic Author
Posts: 21
Joined: Fri Dec 05, 2014 4:45 pm

Re: SSTP + Win7 + Self signed cert.

Fri May 17, 2019 5:39 pm

So I need to import CA (that was used to sign the cert that is stated in SSTP server settings) to WIN7 and that would be enough? As soon as CA cert is expired - no connection is possible?
 
mkx
Forum Guru
Forum Guru
Posts: 2103
Joined: Thu Mar 03, 2016 10:23 pm

Re: SSTP + Win7 + Self signed cert.

Fri May 17, 2019 10:23 pm

As soon as CA cert is expired - no connection is possible?
That's the whole idea about certificate validity.
BR,
Metod

Who is online

Users browsing this forum: No registered users and 82 guests