Ha!… VPN Reconnect

Reading the RRAS blog today, I saw this interesting and useful entry:
http://blogs.technet.com/rrasblog/archive/2009/06/10/what-type-of-certificate-to-install-on-the-vpn-server.aspx

What caught my attention was the paragraph regarding IKEv2 machine certificate authentication. An excerpt from it:
“Ensure the trusted root certificate store on the VPN Server contains **only** the trust root certificate that matches the trust chain with which the client will send the machine certificate. …”
Also there is a red warning somewhere in that paragraph.

If you read my blog (you do that, don’t cha ;-) ), then you might know about that issue, as I’ve already pointed it out, along with other issues, here (search for "Machine authentication with certificates"):
http://www.carbonwind.net/blog/post/2009/05/30/VPN-Reconnect-in-Windows-7-RC-redux.aspx

 

There is still no mention in the RRAS blog entry of CN vs. SAN entries in the VPN server’s certificate (SSTP, VPN Reconnect, L2TP/IPsec), or of how exactly you get a certificate with the EKU field containing Server Authentication and IP Security IKE intermediate, say from the Windows Enterprise CA. There is some info about those here though :-) :
http://www.carbonwind.net/blog/post/2009/05/30/VPN-Reconnect-in-Windows-7-RC-redux.aspx
