Certificate Issues with L2TP VPN
Hi all, We're running a 2008 server, using the L2TP/IPSEC VPN. All is well and it works. However we've noticed an issue which I'd like to know if anyone else has encountered or resolved. Basically, the VPN works ok if:

1) There is a machine certificate for the server endpoint located in the Server's machine certificate 'personal' store. This certificate needs to have 'server authentication', with the FQDN of the server (e.g. server.acme.com).
2) There is a ROOT CA certificate present on the server in the machine certificate 'trusted CA' store. The certificate we have is named "server".
3) On the client, there is a machine certificate for the client in the machine certificate personal store. This certificate needs to have 'client authentication' and be signed by the server CA certificate.
4) The ROOT CA certificate needs to be present in the client machine certificate 'trusted CA' store.

Now, the issue is when the server gets rebooted. When this happens, a copy of the ROOT CA certificate 'magically' appears on the server in the machine certificate 'personal' store. It's named after the hostname of the server (e.g. "server"). Whilst this certificate is present, our VPN does not work. Deleting it from the personal store causes the VPN to work again. I've read on the net in a couple of places that the names of the certificates are important, so I am guessing that having two certificates which do different things is causing some confusion and hence no VPN. I can keep deleting these certificates but it's not really viable. So:

1) Have I got the certificate setup totally wrong?
2) Is there a way I can rename the root CA certificate?
3) Are there any good candidate services which might be creating the magic copy of the certificate that is causing me grief?

Thanks in advance, Phil
August 26th, 2009 7:00pm

What server is hosting the CA (Root CA)? I am not clear on what infrastructure is issuing the actual certificate named server.acme.com? Brian
August 27th, 2009 2:34am

Thanks for the reply. The CA is on 'server.acme.com'. The VPN endpoint is 'server.acme.com'. (i.e. there is one windows server 2008, and it is hosting everything). Phil
August 27th, 2009 11:50am

Hi, If the VPN server is also a root CA server, the root CA certificate (self-signed) should be imported to the personal store of the computer store. Regarding the issue, I suggest that you capture the network traffic for further research. Meanwhile, please check if there is any error logged on the servers when the issue occurs. Events and Errors -- RRAS Server http://technet.microsoft.com/en-us/library/cc773765(WS.10).aspx Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
August 31st, 2009 1:04pm
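As an added diagnostic, not code from any post in this thread: the script below audits the two machine stores the first post describes (Personal and Trusted Root), flags any self-signed certificate sitting in the Personal store and any subject that appears more than once there, and then pulls the RRAS/IPsec-related errors and warnings written to the System log since the last reboot, which is the check the final reply asks for. It assumes Windows PowerShell 2.0 or later run elevated on the VPN server; the EKU OIDs are the standard serverAuth/clientAuth values, and the event source filter (RemoteAccess, RasMan, IKEEXT, IPsec, Schannel) is my choice of sources worth reading first.

```powershell
# Added example, not from the thread: audit the certificate stores an L2TP/IPsec
# endpoint relies on, and list related errors logged since the last reboot.
# Assumptions: Windows PowerShell 2.0 or later, run elevated on the VPN server.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-EkuOids {
    # Return the EKU OIDs of a certificate; an empty list means "any purpose".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    return $oids
}

function Show-CertStore {
    # List every certificate in a store and flag the two conditions that matter here:
    # a self-signed (root) certificate in LocalMachine\My, and more than one
    # certificate sharing a subject, which is what the reboot produced in the thread.
    param([string]$StorePath)
    Write-Host "== $StorePath =="
    $certs = @(Get-ChildItem $StorePath)
    foreach ($c in $certs) {
        $ekus  = @(Get-EkuOids $c)
        $roles = @()
        if ($ekus -contains $ServerAuthOid) { $roles += 'ServerAuth' }
        if ($ekus -contains $ClientAuthOid) { $roles += 'ClientAuth' }
        if ($ekus.Count -eq 0)             { $roles += 'AnyPurpose' }
        $selfSigned = ($c.Subject -eq $c.Issuer)
        $line = "  {0}`n    friendly='{1}' issuer='{2}' privateKey={3} selfSigned={4} eku={5} expires={6}" -f `
            $c.Subject, $c.FriendlyName, $c.Issuer, $c.HasPrivateKey, $selfSigned, ($roles -join ','), $c.NotAfter
        if ($StorePath -like '*\My' -and $selfSigned) {
            $line += "`n    NOTE: self-signed certificate in the Personal store"
        }
        Write-Host $line
    }
    $certs | Group-Object Subject | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Host ("  NOTE: {0} certificates share subject {1}" -f $_.Count, $_.Name)
    }
}

function Show-RasErrorsSinceBoot {
    # RRAS, RasMan, IKE and IPsec write to the System log; show what they logged since the reboot.
    $os   = Get-WmiObject Win32_OperatingSystem
    $boot = $os.ConvertToDateTime($os.LastBootUpTime)
    Write-Host "== System log errors/warnings since boot at $boot =="
    Get-EventLog -LogName System -After $boot -EntryType Error, Warning |
        Where-Object { $_.Source -match 'RemoteAccess|RasMan|IKEEXT|IPsec|Schannel' } |
        Sort-Object TimeGenerated |
        ForEach-Object { Write-Host ("  {0} {1} {2}: {3}" -f $_.TimeGenerated, $_.Source, $_.EventID, $_.Message) }
}

Show-CertStore 'Cert:\LocalMachine\My'     # the server endpoint certificate should be here
Show-CertStore 'Cert:\LocalMachine\Root'   # the root CA certificate should be here
Show-RasErrorsSinceBoot
```

Run it once straight after a reboot while the VPN is failing and once after removing the extra certificate, and compare the two outputs: the store listing shows which entry has the private key and which EKUs, and the event list shows whether RRAS or IKE reports a certificate selection problem at the moment the tunnel fails.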
