Problem with SSTP VPN and a tier 2 PKI.
Your server authentication certificate should be coming from your online issuing CA, not from the root CA. The purpose of a 2-tier is to segment the lower layer of your CA infrastructure and reduce your attack surface (among numerous other reasons). As far as validation...best practice is that an offline root CA use an empty CRL and AIA, which means in a nutshell, no validity verification should be included anyway outside of the key pair. What are you using for the VPN connection...I would expect the RAS and IAS servers template to accomplish your goals....
Brandon Wilson - Premier Field Engineer (Platforms)
February 8th, 2012 10:37pm

SSTP works just fine with any PKI that delivers a trusted server certificate with working revocation checking. It is not related to the number of tiers as long as it is trusted, valid and the revocation checking information works when the client is connecting to the server.

A valid certificate for SSTP must meet the following requirements:
- The certificate is configured with the Server Authentication purpose in the Enhanced Key Usage (EKU) extensions.
- The certificate is valid.
- The CRL/revocation information is available publicly at the time of connection.
- The certificate is trusted.
- The subject name of the certificate is the IP address of the external interface on the remote access server, or a DNS name that resolves to that IP address.

/Hasain
February 11th, 2012 2:08pm
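The five requirements above can be checked on the RAS server before a client ever connects. The script below is an added example, not code from the thread or from Microsoft; it uses the .NET X509Chain class to build the chain the same way a connecting client does (trust plus online CRL/AIA fetching for the whole chain) and inspects the certificate for the EKU, validity and name requirements. The thumbprint and the name vpn.example.com are placeholder values to replace with your own.

```powershell
# Added example (not from the original thread): check a candidate SSTP server
# certificate against the requirements listed in the reply above.
# Assumes the certificate is in the machine store and that $VpnName is the
# DNS name clients will dial; both parameter values below are placeholders.
param(
    [string]$Thumbprint = 'REPLACE-WITH-CERT-THUMBPRINT',
    [string]$VpnName    = 'vpn.example.com'
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$results = @{}

# 1. EKU must contain Server Authentication.
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$results['EKU contains Server Authentication'] = ($eku -ne $null) -and
    (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ServerAuthOid)

# 2. The certificate must be inside its validity period right now.
$now = Get-Date
$results['Within validity period'] = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

# 3. Subject CN or a Subject Alternative Name must match what clients connect to.
$cn  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # SAN extension
$sanText = if ($san) { $san.Format($false) } else { '' }
$results['Name matches VPN name'] = ($cn -eq $VpnName) -or ($sanText -match [regex]::Escape($VpnName))

# 4 + 5. Trust and revocation: build the chain as a client would, with online
# CRL/AIA retrieval required for every certificate in the chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ServerAuthOid)) | Out-Null
$chainOk = $chain.Build($cert)
$results['Chain trusted and revocation checked'] = $chainOk

$results.GetEnumerator() | Sort-Object Key | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}

if (-not $chainOk) {
    # OfflineRevocation / RevocationStatusUnknown here is the symptom described
    # in this thread: a CRL or AIA URL in the chain cannot be fetched at connect time,
    # which is exactly what happens when the issuing CA was taken offline.
    '--- chain status ---'
    $chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
    $chain.ChainElements | ForEach-Object { '  element: ' + $_.Certificate.Subject }
}
```

Run it once on the RAS server and once from a machine on the client side of the firewall (or use `certutil -verify -urlfetch` on an exported copy of the certificate there), because the revocation check only counts if the CRL and AIA URLs embedded in the chain are reachable from where the clients are.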

Hi, I am currently working on deploying an SSTP VPN using a tier 2 PKI, the problem is that when I try to connect I have the error: 0x80072746. I looked for this error on the internet and I found on this forum that this issue comes from the certificate on my VPN server. I'm going to develop a bit more what I'm trying to do: I have 2 different servers (one with the offline standalone root CA and one with the online enterprise subordinate CA), I connected my VPN server to the subordinate server. I followed the instructions on this post: http://technet.microsoft.com/en-us/library/cc731352(WS.10).aspx to do the VPN but I changed it a little bit to be able to request the certificate from my root CA. I used the root CA to request a Server Authentication certificate and after that I put it offline, which means that I'm willing to use the subordinate CA as the CA for my VPN server. So I continued and at the end when I try to connect using SSTP, I have the error... PPTP is working fine. Can I use a tier 2 PKI with an SSTP VPN? Because if I request a certificate from the root CA and put it offline, the certificate won't work since it can't validate its authenticity, right? Or is it possible to build this platform using a standalone root CA and an enterprise root CA to avoid requesting any certificate from the offline root CA? Thx, John.
February 12th, 2012 4:08am
