In this guide I will show you how to install an X.509 SSL encryption certificate (.crt) in order to connect to a VPN using the SSTP Protocol (aka MS-SSTP). SSTP is an excellent VPN protocol that easily traverses firewalls because it uses port 443 which is generally wide open to enable HTTPS secure web browsing. It’s also very fast for the same reason and offers good stability with minimal dropouts.
Before we begin there are a few requirements:
- The X.509 security certificate file(s) avaiable from your VPN provider or network admin
- Administrator rights on your Windows PC (most accounts will have this)
- *Note to Admins: the certificate name must match the hostname or the IP address of the server in order to work properly
Watch the video above or follow the text guide below.
Install X.509 Certificate for SSTP VPN
- Locate the X.509 .crt certificate files, unzip if required
- Click on the Start icon bottom-left of your screen
- Type Run into the search box, then click the Run (Desktop app) result
- Now type MMC into the Open: text box, click Yes to allow the app to run
- The Microsoft Management Console window should now be open
- Go to File > Add/Remove Snap-in… then select Certificates and click Add >
- Select the Computer Account option, then click Next >
- Select the Local computer: (the computer this console is running on) option, then click Finish, then click OK to close the window
- On the left pane, expand folders to Certificates > Trusted Root Certification Authorities > Certificates
- Right click on Certificates, then click All tasks > Import (see below)
- In the Certificate Import Wizard, select the Local Machine option, then click Next
- Now click the Browse button and navigate to the downloaded certificate file (.crt) and double click to select, then click Next
- Make sure that the Place all certificates in the following store: option is set to Trusted Root Certification Authorities (it’s usually the default) and click Next
- Now click Finish, then OK to the success alert message, finally close X the console window, choose No to the Save settings alert box
- You can now connect to the VPN server after setting up a new connection, see Connect VPN using SSTP on Windows (all versions) guide.
Fix Error: 0x800B0109
If you are trying to connect to a VPN using SSTP and keep getting Error 0x800B0109 on Windows XP/Vista/7 or "Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider" error on Windows 8.1/10, this is because you need to install X.509 SSL encryption certificate(s) for the server(s) you’re connecting to. These should be available from your VPN service providers website in the form of
vpn.myvpn.crt Certificate files. Once you have them, continue this guide to install (video further below).
Note for Admins: If you are also getting this error whilst setting up your servers, you need to make sure that when generating your .CRT Certificate files, the Name: field must match exactly the hostname or IP address of your server. For instance, if your server hostname is
us.sfc.myvpn.com then enter this for the Name: field on your certificate. You can also put the IP address of your server too.
- SSTP Protocol at Wikipedia
- SSTP FAQ – Part 2: Client Specific – Microsoft TechNet
- Search Google for SSTP