
"Set-VPNAuthProtocol -rootcertificatenametoaccept $Cert1" sets a different certificate than the one specified


As per the "Important" note at the end of this documentation Configure VPN Device tunnels in Windows 10, I am using the Set-VPNAuthProtocol command to specify a single root CA that VPN client certificates should chain back to.  However, even though I select a specific certificate to use for this purpose, the resulting configuration is set to use a DIFFERENT (older, but still valid) certificate for the same root CA.  

PS C:\Users\myadminuser> $cert1 = (get-childitem -path cert:LocalMachine\root | ? Thumbprint -eq "09876543219AE3718A18EAD87E46D11234567890" | select -first 1)

PS C:\Users\myadminuser> $cert1 | fl


Subject      : CN=EnterpriseCA, DC=domain, DC=com
Issuer       : CN=EnterpriseCA, DC=domain, DC=com
Thumbprint   : 09876543219AE3718A18EAD87E46D11234567890
FriendlyName :
NotBefore    : 3/1/2018 1:00:00 AM
NotAfter     : 3/1/2028 1:00:00 AM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}


PS C:\Users\myadminuser> set-vpnauthprotocol -RootCertificateNameToAccept $cert1 -passthru

PS C:\Users\myadminuser> get-vpnauthprotocol


UserAuthProtocolAccepted      : {EAP, Certificate}
TunnelAuthProtocolsAdvertised : Certificates
RootCertificateNameToAccept   : [Subject]
                                  CN=EnterpriseCA, DC=domain, DC=com
                                [Issuer]
                                  CN=EnterpriseCA, DC=domain, DC=com
                                [Serial Number]
                                  ABCDEFFABCDEF0987654321ABCDEFABCD
                                [Not Before]
                                  6/6/2014 6:00:00 AM

                                [Not After]
                                  6/6/2019 6:00:00AM

                                [Thumbprint]
                                  ABCDEF0123456789ABCDEF9876543210ABCDEF99

CertificateAdvertised         :
CertificateEKUsToAccept       :

It seems as though this command may just look at the subject name of the supplied certificate, and use the first certificate it finds in the localmachine\root store which matches the subject name.  That would almost make sense, since the parameter is named "RootCertificateNameToAccept", except that the parameter doesn't accept just a string for the certificate name.  Since the parameter requires an X509Certificate2 object, I would expect it to use the actual certificate specified, not just randomly select one with the same subject name.

I also tried supplying multiple certificates for this parameter, in hopes that it would then accept client certs signed with any of the supplied root certs, but that just returns an error.   Looks like I'm not the first to try and fail at that, although the one reply in that thread seems like they possibly didn't understand the issue, and the links in the thread are dead.  

Is it the expected behavior for Set-VPNAuthProtocol to choose the first certificate it finds in localmachine\root which matches the Subject of the certificate supplied for the rootcertificatenametoaccept parameter, rather than actually using the supplied certificate?

How can I configure this option to accept client certificates signed by a specific (the current/most recently issued) certificate for our CA?
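A diagnostic that separates the two possible causes described above (several root-store certificates sharing one subject, and the cmdlet binding to one of them other than the one passed in), as an added example that is not part of the original post. It assumes the `RootCertificateNameToAccept` property returned by `Get-VpnAuthProtocol` exposes `Thumbprint` and `NotAfter` like the X509Certificate2 it is displayed as, and reuses the thumbprint quoted in the post.

```powershell
# Added example, not from the original post. Assumption: the RootCertificateNameToAccept
# property returned by Get-VpnAuthProtocol is an X509Certificate2 (it prints as one above).
$IntendedThumbprint = "09876543219AE3718A18EAD87E46D11234567890"   # thumbprint from the post

$Root = Get-ChildItem -Path Cert:\LocalMachine\Root
$Intended = $Root | Where-Object { $_.Thumbprint -eq $IntendedThumbprint } | Select-Object -First 1
if (-not $Intended) {
    throw "Intended root certificate $IntendedThumbprint not found in LocalMachine\Root"
}

# 1. Every root-store certificate that shares the intended certificate's Subject.
#    These are the candidates a name-based lookup could resolve to instead of the one supplied.
$SameSubject = $Root | Where-Object { $_.Subject -eq $Intended.Subject } | Sort-Object NotBefore
Write-Host "Root certificates with subject '$($Intended.Subject)':"
$SameSubject | Format-Table Thumbprint, SerialNumber, NotBefore, NotAfter -AutoSize

# 2. What the VPN server is actually configured to accept, compared with the intended cert.
$Configured = (Get-VpnAuthProtocol).RootCertificateNameToAccept
if ($null -eq $Configured) {
    Write-Warning "RootCertificateNameToAccept is not set; client certificates are not pinned to a single root."
} elseif ($Configured.Thumbprint -ne $Intended.Thumbprint) {
    Write-Warning ("Configured root thumbprint {0} differs from intended {1} (configured NotAfter: {2})" -f
        $Configured.Thumbprint, $Intended.Thumbprint, $Configured.NotAfter)
    if ($Configured.NotAfter -lt (Get-Date)) {
        # The older CA certificate has expired: client certs chained to the newer one will not validate.
        Write-Warning "The configured root certificate has expired; re-check this after every CA certificate renewal."
    }
} else {
    Write-Host "VPN auth protocol references the intended root certificate ($($Intended.Thumbprint))."
}
```

Run it after each call to Set-VpnAuthProtocol (and after any CA certificate renewal) so a silent switch to a different same-subject root is caught before clients start failing.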

