Can SEVPN serve intermediate CA certificates?

Posted: Thu Aug 21, 2014 9:12 pm
by arbitrix
Hi,

Thanks for releasing this great product.

I have a RapidSSL wildcard certificate (*.mydomain.com) which I use on my SEVPN servers (running SSTP protocol).

RapidSSL uses two intermediate CA certificates (https://knowledge.rapidssl.com/support/ ... &id=AR1549), so the chain looks like:

Equifax Secure CA
- GeoTrust CA intermediate
- RapidSSL intermediate
- *.mydomain.com certificate

To import my certificate into SEVPN I use a PFX file containing my private key, the GeoTrust intermediate, the RapidSSL intermediate and my wildcard certificate. (I also tried .cer/.key with the same results.)

When I access the SSTP endpoint (port 443) directly with my web browser (Chrome/FF/IE) I get a secured connection (certificates accepted and certification path verified).

If I connect to the SSTP endpoint with the Windows 7 built-in SSTP client I get a secured connection (certificates accepted and certification path verified).

When I connect to the same endpoint with the SEVPN client software I receive a warning: "unable to find the certificate of the certificate authority who issued this certificate on the list of trusted certificates."

When I connect to the SSTP endpoint using
http://www.sslshopper.com/ssl-checker.h ... domain.com
I receive the following message:

"The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GeoTrust's Certificate Installation Instructions for your server platform (use these instructions for RapidSSL). Pay attention to the parts about Intermediate certificates."

It seems that SEVPN is not sending the intermediate certificates to the client, resulting in failure to verify the certification chain.

When I look in the SEVPN configuration file I see a relatively small ServerCert blob. I assume this is because the intermediate certificates are not being imported into the configuration file.

Is there any way in which I can teach SEVPN to serve intermediate certificates to the client so that the chain can be verified without having to manually install intermediate certificates on the client?

Thanks in advance for any insights.

Re: Can SEVPN serve intermediate CA certificates?

Posted: Fri Aug 22, 2014 5:05 am
by dnobori
You must install intermediate CA certificates on the "chain_certs" directory where the SoftEther VPN Server is installed on.

Re: Can SEVPN serve intermediate CA certificates?

Posted: Fri Aug 22, 2014 7:14 pm
by arbitrix
Dear Daiyu Nobori,

Thanks for the quick response.

dnobori wrote:
> You must install intermediate CA certificates on the
> "chain_certs" directory where the SoftEther VPN Server is
> installed on.

Based on the above, I searched the forums for the term "chain_certs" and discovered that SEVPN 4.07 and later automatically populate the chain_certs directory. So I upgraded both my server AND my client to 4.10.

After the upgrade to 4.10, I re-imported my RapidSSL certificate on the server and observed that the chain_certs directory was automatically populated. This is a great feature.

I then checked the SSTP endpoint (port 443) using
http://www.sslshopper.com/ssl-checker.h ... domain.com
and
https://www.ssllabs.com/ssltest/analyze ... domain.com

This confirms all the intermediate certificates are installed correctly: "The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed)."

The certification chain is: GeoTrust Global CA -> RapidSSL CA -> *.mydomain.com

After verifying this, the SEVPN client (4.10) unfortunately still tells me "unable to find the certificate of the certificate authority who issued this certificate on the list of trusted certificates."

I suspect that this is because the SEVPN client does NOT automatically use the Trusted Root Certification Authorities installed in the Windows Certificates Store. This in turn would mean that I should manually add the root certificate using the "Manage Trusted CA Certificate List" option in the SEVPN client.

Update 1: Unfortunately, even with the "GeoTrust Global CA" root certificate installed using the "Manage Trusted CA Certificate List" dialog I still get the same error ("unable to find the certificate of the certificate authority who issued this certificate on the list of trusted certificates.")

Update 2: If I manually install the "RapidSSL CA" intermediate certificate on the client using "Manage Trusted CA Certificate List" everything works without error.

It seems that the SEVPN client does not make the link between the "RapidSSL CA" certificate from the SEVPN server chain_certs directory and the "GeoTrust Global CA" certificate installed on the trusted CA certificate list.

Update 3: I have attached two screenshots, one showing the server-sent chain certificates and one showing the certificates installed on the client. The thumbprints match.

Note that I can remove the "GeoTrust Global CA" (0x8212) certificate from the client store and everything still works. If I remove the RapidSSL CA (0x6F47) the connection fails.

What am I missing?

Thanks a lot for your help.
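The three behaviours arbitrix observed (a browser-style client that uses the server-sent intermediate; a client that trusts the root but ignores the sent intermediate, as in Update 1; and a client that has the intermediate itself in its trusted list, as in Update 2) can be reproduced offline with a throwaway certificate hierarchy. The following Go program is an added illustration and is not SoftEther code; it generates its own placeholder root, intermediate and wildcard certificates (the names "Example Root CA", "Example Intermediate CA" and the host "vpn.mydomain.com" are constructed for the example) and runs the three verifications with Go's crypto/x509 verifier standing in for the VPN client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a placeholder hierarchy shaped like the one in the thread:
// self-signed root -> intermediate CA -> *.mydomain.com. All three
// certificates are generated here; they are not the real CA certificates.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// Host is a constructed endpoint name that the wildcard must cover.
const Host = "vpn.mydomain.com"

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain issues the three certificates with fresh P-256 keys.
func BuildChain() (*Chain, error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, intKey, leafKey := keys[0], keys[1], keys[2]
	now := time.Now()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := caTmpl(1, "Example Root CA")
	root, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	inter, err := sign(caTmpl(2, "Example Intermediate CA"), root, &intKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "*.mydomain.com"},
		DNSNames:  []string{"*.mydomain.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := sign(leafTmpl, inter, &leafKey.PublicKey, intKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// verify models a client: trusted is its CA list, sent is what the server
// presented next to the leaf (the chain_certs contents, in SoftEther terms).
func verify(leaf *x509.Certificate, trusted, sent []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: Host, Roots: roots, Intermediates: inters})
	return err
}

// BrowserStyle: root trusted, server-sent intermediate used to bridge the gap.
func BrowserStyle(ch *Chain) error {
	return verify(ch.Leaf, []*x509.Certificate{ch.Root}, []*x509.Certificate{ch.Intermediate})
}

// RootOnly: root trusted, but the sent intermediate is never consulted (Update 1).
func RootOnly(ch *Chain) error {
	return verify(ch.Leaf, []*x509.Certificate{ch.Root}, nil)
}

// IntermediateTrusted: the intermediate itself is a trust anchor, so the
// chain ends there and the root is irrelevant (Update 2 and the 0x8212 note).
func IntermediateTrusted(ch *Chain) error {
	return verify(ch.Leaf, []*x509.Certificate{ch.Intermediate}, nil)
}

// IsUnknownAuthority reports the "no path to a trusted CA" failure class.
func IsUnknownAuthority(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

func main() {
	ch, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("root trusted, intermediate sent:   ", BrowserStyle(ch))
	fmt.Println("root trusted, intermediate ignored:", RootOnly(ch))
	fmt.Println("intermediate trusted directly:     ", IntermediateTrusted(ch))
}
```

The second call is the only one that fails, and it fails with an unknown-authority error even though the root is trusted: a verifier that discards the presented intermediates has no way to walk from the leaf to the root. The third call succeeds with no root at all, which is why removing the root from the client list in the thread changed nothing once the intermediate was trusted directly. Trusting an intermediate as an anchor works, but it also means the client will keep accepting certificates from that intermediate after the root has been revoked or distrusted, so it is a workaround rather than a substitute for chain building.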

Re: Can SEVPN serve intermediate CA certificates?

Posted: Wed Sep 03, 2014 8:02 am
by thisjun
SoftEther VPN Client doesn't support using intermediate CA certificates.