Wouterx
asked on
Certificate problem for VPN
I am using PPTP for VPN connections. This works fine, using normal username/password authentication.
But I want to use PPTP with EAP using certificates to secure VPN connections to our network.
I have set up an internal root CA (Microsoft).
I have put the root CA on client and VPN server.
I have issued a client authentication certificate and installed it on the client.
I have issued a server authentication certificate and installed it on the RRAS (VPN) server.
But when I try to create the connection, I get this error on the client:
"Error 0x80090325: The certificate chain was issued by an untrusted authority."
On the server I get in system log:
"The user XXX connected from 213.224.178.18 but failed an authentication attempt due to the following reason: There was an authentication failure because of an unknown user name or a bad password. "
Any ideas what's wrong?
ASKER
Navigating gives this screen:
--------------------------
Install this CA certification path to allow your computer to trust certificates issued from this certification authority.
It is not necessary to manually install the CA certification path if you request and install a certificate from this certification authority, because the CA certification path will be installed for you automatically.
Choose file to download:
CA Certificate: Current [Dekimo CA]
DER encoded or Base 64 encoded
Download CA certificate
Download CA certification path
Download latest certificate revocation list
--------------------------
Where you can click on the first 5 words to install the CA certificate.
I have already done this on client and server. Does not make any difference.
If I download the certification path file or cert. revoc. list specified in the lower part of the screen, I cannot open or install these files. The error is:
"This is an invalid PKCS #7 file"
Is it possible that I misconfigured the CA so that the cert. path. or CRL Distribution points are invalid or unreachable, and this causes the error?
ASKER CERTIFIED SOLUTION
;)
To resolve this problem, install the CA Certification Path on both client and server. To do this, select "Retrieve the CA certificate or certificate revocation list" from http://CAServerName/certsrv.
http://support.microsoft.com/default.aspx?scid=kb;en-us;q326474
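An added example, not part of the original thread: a PowerShell check to run on both the VPN client and the RRAS server. It builds the chain for every installed client or server authentication certificate with online revocation checking, so an untrusted root and an unreachable CRL distribution point show up as distinct chain statuses. The function name `Test-CertChain` and the choice of stores are assumptions of this example.

```powershell
# Added example: diagnose chain-trust and revocation problems for EAP certificates.
$ekuNames = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
}

# Return the names of the authentication EKUs present on a certificate.
function Get-AuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $ekuNames.ContainsKey($_.Value) } |
        ForEach-Object { $ekuNames[$_.Value] }
}

function Test-CertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online mode makes Windows fetch each CRL; a CRL that cannot be retrieved
    # is reported as RevocationStatusUnknown / OfflineRevocation.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $valid = $chain.Build($Cert)

    # Last element is the top of whatever chain Windows could build.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Usage         = (Get-AuthEku $Cert) -join ', '
        ChainValid    = $valid
        # UntrustedRoot or PartialChain here points at a missing CA certificate.
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        TopOfChain    = $top.Subject
        InMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
        InUserRoot    = Test-Path "Cert:\CurrentUser\Root\$($top.Thumbprint)"
    }
}

foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Get-ChildItem $store |
        Where-Object { Get-AuthEku $_ } |
        ForEach-Object { Test-CertChain $_ } |
        Format-List
}
```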