Web-based obtained certificates for SSTP VPN server don't work
Hi, I myself found a solution for obtaining the certificate from a standalone root CA, as follows: in the standalone CA's certificate web page, I check-marked "Mark private key as exportable". Then on the VPN server, from the Certificates snap-in (Current User) / Personal, I exported it with the private key and then imported it into the Certificates snap-in (Local Computer) / Personal. Now when I select Manage Private Keys, on the Security tab, I see that a SID of "S-1-5-5-0-109321" has automatically been added and has Read permission. But the problem with obtaining from the enterprise CA still exists, because when logging in to the web page of the enterprise CA and requesting a web server certificate, we cannot select "Mark the private key as exportable" (it is grayed out). So on the CA server side, in the Server Manager templates console, I created a new template and selected "Mark private key exportable", but the problem is that when we browse the web page of the enterprise CA, it doesn't show us this new certificate. Any solution please?
February 14th, 2012 9:36am

Hi friends, it's a long time I am struggling with a frustrating problem. I'll be exponentially grateful to someone who helps me. My problem is about SSTP VPN. In my test environment in Hyper-V, I have deployed a LAN (domain) with a DC, an Enterprise Root CA and a joined VPN server (with 2 NICs), and also have an external SSTP VPN client. (All are Win 2008 R2 SP1.) On my CA server, in Certificate Templates, I have duplicated the Web Server template, named it SSTP and, only on the Security tab, added the VPN server's computer account and assigned Read and Enroll permissions (no other change). Then on the VPN server, from the MMC Certificates snap-in, I request that SSTP certificate and enroll it for my VPN server, and then in the RRAS console, on the Security tab, I select this certificate, and then everything works nicely: the external SSTP VPN client can establish a VPN connection without any problem. Now I want to remove this certificate from the VPN server and this time again obtain a certificate for SSTP VPN, but this time via the web-based mode (not from the Certificates snap-in). So when I delete this certificate from the VPN server and then obtain a certificate via the web-based method (obtaining from https://CA-SRV/Certsrv, a Web Server certificate), then set that certificate in the RRAS console, the external SSTP VPN client can't establish the VPN connection. The client gives this error in Event Viewer: "An existing connection was forcibly closed by the remote host." In the VPN server's event log, these errors are logged: 1) "The SSTP service could not configure the following certificate for use with IPv4. This might prevent SSTP connections from being established..... A specified logon session does not exist. It may already have been terminated." 2) "A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001." Any help please?
I have completely compared these two certificate files. The cert file which was obtained from MMC (from the duplicated template) has a public key with 2048-bit length, but the cert file which I obtained web-based has a public key with 1024-bit length, so I again connected to https://CA-SRV/Certsrv and in the request form selected a 2048-bit public key and obtained this new certificate, but this new certificate doesn't work :-( The same problem exists when I deployed a new non-joined standalone root CA and via the web-based method obtained a Server Authentication certificate for my VPN server. Any help please? Thanks in advance.
February 14th, 2012 1:59pm

Hi, "but the problem is that when we browse the web page of the enterprise CA, it doesn't show us this new certificate." You have to publish your new template on the issuing CA. Open the CA MMC, right-click the Certificate Templates container and choose New -> Certificate Template to Issue. Please also make sure that the permissions on the template are configured right. On web enrollment, did you choose the advanced request?
February 15th, 2012 2:57am

a) You should not use the Web Enrollment method, because the web pages cannot enroll for computer certificates; they create the certificate in your user's certificate store instead. RRAS needs the certificate to be installed in the computer's certificate store together with its associated private key. So make sure you can start MMC, Certificates (Local Computer), Personal, and that you see there the SSL "Server Authentication" certificate, and that the properties of the certificate also state that "You have a private key that corresponds to this certificate".
b) The certificate must meet some basic requirements: Server Authentication OID (1.3.6.1.5.5.7.3.1) in Enhanced Key Usage; Key Usage must be both Digital Signature + Key Encipherment; the Subject or Subject Alternative Name must contain the DNS name of the RRAS server that the client will be configured to connect to (such as vpn.company.com).
c) The client always checks the server certificate's revocation (CRL or OCSP). To check this, please export the server certificate (just the certificate, do not export the private key) and copy the certificate to your client computer. The certificate file will be something like sstp-cert.cer. Move the computer to the location where you are going to connect the VPN from. From the command line on the client, start CERTUTIL -URL sstp-cert.cer and confirm that the utility can download and verify at least some of the CRL or OCSP paths. ondrej.
February 15th, 2012 3:33am
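
A script that checks points (a) and (b) of the answer above, as an added PowerShell example that is not part of the thread or from its posters: it walks the Certificates (Local Computer) \ Personal store and reports, per certificate, whether the private key is present, whether EKU and Key Usage are right, and whether the Subject or SAN carries the VPN's DNS name. The name vpn.company.com is the example name from the answer, and the SAN text parsing assumes an English-locale Windows.

```powershell
# Added example (not from the thread). Checks certificates in Certificates (Local Computer) \ Personal
# against the SSTP requirements from the answer above. Run in an elevated PowerShell on the RRAS server.
$VpnDnsName    = 'vpn.company.com'      # assumed: the name clients are configured to connect to
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'    # Server Authentication EKU

function Test-SstpCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$DnsName
    )
    $problems = @()

    # (a) the private key must sit in the Local Computer store next to the certificate.
    # A web-enrolled certificate that landed in the user store shows HasPrivateKey = False here.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the Local Computer store' }

    # (b) Enhanced Key Usage must contain Server Authentication
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $ServerAuthOid) { $problems += "EKU lacks Server Authentication ($ServerAuthOid)" }

    # (b) Key Usage must contain both Digital Signature and Key Encipherment
    $ku  = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $sig = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    $enc = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    if (-not $ku -or (([int]$ku.KeyUsages -band $sig) -eq 0) -or (([int]$ku.KeyUsages -band $enc) -eq 0)) {
        $problems += 'Key Usage must include Digital Signature and Key Encipherment'
    }

    # (b) Subject CN or a SAN DNS entry must equal the name clients connect to
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    if ($san) {
        # Format() yields text like "DNS Name=vpn.company.com, DNS Name=..." (English locale assumed)
        $names += @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })
    }
    if ($names -notcontains $DnsName) { $problems += "neither Subject nor SAN names $DnsName (found: $($names -join ', '))" }

    return ,$problems
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $p = Test-SstpCertificate -Cert $_ -DnsName $VpnDnsName
    if ($p.Count -eq 0) { "OK   $($_.Thumbprint)  $($_.Subject)" }
    else               { "FAIL $($_.Thumbprint)  $($_.Subject): " + ($p -join '; ') }
}
```

A certificate that passes here but still fails in RRAS with 0x8009030d points at the private-key ACL or at point (c), the revocation check, which this script does not cover.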

Hi ondrej. Thank you very much for the time you spent for me and for writing me this comprehensive answer. Your answer was useful for me. But just one thing: suppose different companies want to obtain SSTP certificates for their VPN servers from a public commercial CA server. So that CA server must be standalone in order to be able to serve the VPN servers outside of its network. And as we know, when our CA server is standalone, we can only obtain the SSTP certificate for our VPN servers web-based (through the web enrollment page) and not via MMC or Group Policy.
Right?
February 15th, 2012 10:39pm

Hi Hivner. Thank you for the answer. Yes, I have published the new certificate, but it doesn't appear in the web enrollment page. I found the cause of the problem: if we choose Win 2008 when duplicating the template, that will be a version 3 template, and v3 templates don't appear in the web enrollment page. But if we select Win 2003 when duplicating the template, that will be a version 2 certificate and will appear in the web enrollment page. Regards
February 15th, 2012 11:04pm

