Troubleshooting SSTP VPN Certificate Chain Errors: Fixing “Root Certificate Not Trusted” (0x800b0109) in Windows Server 2008 R2



When your SSTP VPN client throws the 0x800b0109 error ("certificate chain terminated in untrusted root"), it means your client machine doesn't properly trust the certificate authority that issued your server's certificate. This typically occurs in self-signed CA environments.

On your Windows Server 2008 R2 running AD CS:

# Verify CA certificate installation
certutil -viewstore -silent CA

On the client machine:

# Check the trusted root store (certmgr.msc shows the current user's store; the SSTP client validates against the computer store, so also open the Certificates MMC snap-in for the Computer account)
certmgr.msc

1. Certificate Template Configuration:

# Example PowerShell to list server templates (Get-CATemplate comes with the ADCSAdministration module on Server 2012 and later; on 2008 R2 use: certutil -catemplates)
Get-CATemplate | Where-Object {$_.Name -like "*Server*"} |
  Format-List Name, Oid

2. Client-Side Trust Establishment:

# Command to manually install CA cert on client
certutil -addstore -f Root C:\path\to\your_ca.cer

For SSTP to work properly, your NPS policy must reference the correct certificate:

netsh nps show config

Use these diagnostic commands to pinpoint the trust chain break:

# Check full certificate chain
certutil -verify -urlfetch your_server_cert.cer

# Verbose SSL handshake logging
netsh trace start scenario=NetConnection capture=yes tracefile=sstp.etl

If you've recently renewed certificates, ensure CRL distribution points are accessible:

certutil -URL "ldap:///CN=your-CA,CN=CDP,CN=Public Key Services,CN=Services"

When configuring SSTP VPN on Windows Server 2008 R2, the certificate chain validation error 0x800b0109 typically indicates a breakdown in trust between the client and server certificates. The root cause often stems from improper certificate deployment or missing intermediate certificates in the chain.

First, verify the certificate chain on both server and client:

certlm.msc (Local Machine Certificate Store; not shipped with 2008 R2 / Windows 7, where you open mmc.exe and add the Certificates snap-in for the Computer account)
certmgr.msc (Current User Certificate Store)

Check these critical locations:

  1. Server: Personal store should contain the server authentication certificate
  2. Server: Trusted Root Certification Authorities should contain your CA root
  3. Client: Trusted Root Certification Authorities must have the same CA root

Ensure proper certificate binding in Routing and Remote Access:

netsh ras set sstp-ssl-cert name="your_FQDN_server_certificate"

Verify the binding with:

netsh ras show sstp-ssl-cert

If using a multi-tier PKI hierarchy, you must export the complete chain including intermediate certificates. Use this PowerShell snippet to verify:

# Pick the server certificate from the machine Personal store (first match only: X509Chain.Build takes a single certificate)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match "your_FQDN"} | Select-Object -First 1
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
# Build returns $true only when the whole chain validates; the status list below explains any failure
$chain.Build($cert)
$chain.ChainStatus | Format-List -Property Status,StatusInformation
# Show every certificate the chain walked through, leaf first, root last
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }

For SSTP VPN, your certificate template must include:

  • Server Authentication EKU (1.3.6.1.5.5.7.3.1)
  • CRL Distribution Point (CDP) configured
  • Proper validity period (recommended minimum 1 year)
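The chain check and the template requirements above can be tested in one pass on the RRAS server. The script below is an added example, not code from the original article: it assumes a placeholder FQDN (vpn.example.internal), a hypothetical helper Get-ExtText for reading extension text, and PowerShell 2.0 syntax so it runs on 2008 R2. It finds the candidate certificate, confirms the Server Authentication EKU, builds the chain with online revocation checking the way a client would, checks that the chain's root is in the machine Trusted Root store, and fetches each HTTP CRL distribution point.

```powershell
# Added example: SSTP server certificate health check (run on the RRAS server).
param([string]$Fqdn = "vpn.example.internal")   # placeholder, replace with your server's FQDN

$serverAuthOid = "1.3.6.1.5.5.7.3.1"            # Server Authentication EKU

# Hypothetical helper: formatted text of one extension, or "" if absent
function Get-ExtText($cert, $oid) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) { $ext.Format($true) } else { "" }
}

# 1. Candidate: machine Personal store, private key present, FQDN in Subject or SAN (2.5.29.17)
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and (
        $_.Subject -match [regex]::Escape($Fqdn) -or
        (Get-ExtText $_ "2.5.29.17") -match [regex]::Escape($Fqdn))
} | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $Fqdn in Cert:\LocalMachine\My" }
"Candidate: $($cert.Subject)  thumbprint $($cert.Thumbprint)"
"Server Authentication EKU present: " + ((Get-ExtText $cert "2.5.29.37") -match $serverAuthOid)
"Validity: $($cert.NotBefore) -> $($cert.NotAfter)"

# 2. Build the chain the way a client would: online revocation, whole chain, EKU required
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "Online"
$chain.ChainPolicy.RevocationFlag = "EntireChain"
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $serverAuthOid)) | Out-Null
"Chain builds cleanly: " + $chain.Build($cert)
foreach ($el in $chain.ChainElements) {
    $st = @($el.ChainElementStatus | ForEach-Object { $_.Status })
    if ($st.Count -eq 0) { $st = @("OK") }
    "  {0}`n      status: {1}" -f $el.Certificate.Subject, ($st -join ", ")
}

# 3. The top of the chain must be in the machine Trusted Root store; a miss here on the
#    client is exactly the 0x800b0109 condition, so verify the same thumbprint there.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
"Root '$($root.Subject)' present in LocalMachine\Root: " + [bool]$inRoot

# 4. Every HTTP CDP URL (2.5.29.31) must be reachable from clients; try them from here.
$cdp = Get-ExtText $cert "2.5.29.31"
foreach ($m in [regex]::Matches($cdp, "URL=(http\S+)")) {
    $url = $m.Groups[1].Value
    try { $n = (New-Object Net.WebClient).DownloadData($url).Length; "  CRL $url : $n bytes" }
    catch { "  CRL $url : FAILED ($($_.Exception.Message))" }
}

# 5. Compare the thumbprint above with the hash RRAS is actually bound to.
netsh ras show sstp-ssl-cert
```

Run the same thumbprint comparison against Cert:\LocalMachine\Root on a failing client; if the root is missing there, install it with the certutil -addstore command given earlier.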

Try these troubleshooting steps:

  1. Export the CA root certificate (public certificate only, as a .cer file; the CA private key stays on the CA) using MMC
  2. Import to client's Trusted Root store using this command:
    certutil -addstore -f Root CA_Certificate.cer
    
  3. Check certificate revocation settings in Group Policy:
    gpedit.msc → Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Certificate Path Validation Settings
    

Enable SCHANNEL logging for detailed troubleshooting:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL /v EventLogging /t REG_DWORD /d 0x7 /f

Check Event Viewer (Applications and Services Logs → Microsoft → Windows → Schannel) for detailed SSL negotiation errors.