SSTP Connect

SSTP / SoftEther VPN Client for iOS

Japanese version here

Generate iOS-compatible SoftEther server certificates

We recommend using certificates signed by public CAs, which gives you the highest level of security. You can get them for free from services such as Let's Encrypt.

Only use self-generated certificates if public CA certificates do not work for you. In that case, follow this guide to regenerate the certificates, because the certificates that SoftEther VPN Server generates automatically do not meet the iOS 13 requirements.

TLS server trust evaluation is an advanced topic for server administrators. You are responsible for any changes you make and their consequences.

PROCEED AT YOUR OWN RISK!

Overview

You will generate two certificates by following this guide. The first is the root certificate, which is then used to generate the second one (called the server or leaf certificate), which the VPN server uses directly.

Prerequisites

Using SE-VPN Server Manager (GUI)

  1. Connect to the VPN server in administration mode

  2. Open Encryption and Network

  3. Under Server Certificate Settings, click New.

  4. Choose Root Certificate and fill in certificate information

    • Common Name: Any name EXCEPT your server hostname
    • Expires in: 3650 days (default) or other value you want
    • Strengthness: 2048 bits

    (screenshot: root-ca)

  5. Click OK. The new root certificate is shown under Server Certificate.

    (screenshot: root-ca-overview)

  6. Choose Export to export it as an X.509 certificate and private key.

    Save the key in a safe place and never disclose it to others.

  7. Now generate the server (leaf) certificate. Click New.

  8. Choose Certificate Signed by Other Certificate

  9. Click Load Certificate and Private Key and load the certificate and key you just exported.

  10. Fill in server certificate information

    • Common Name: Your server hostname (such as SoftEther DDNS hostname)
    • Expires in: 730 days (or any value less than 825 days)
    • Strengthness: 2048 bits

    (screenshot: server-cert)

  11. Click OK to close Create New Certificate.

  12. The new certificate is now shown under Server Certificate. It does not need to be exported.

    (screenshot: server-cert-overview)

  13. Click OK to close Encryption and Network Settings. VPN Server Manager will prompt you that the root certificate must be installed manually if you need OpenVPN connectivity.

  14. (Optional) Copy the exported root certificate (not the private key) to the chain_certs sub-folder on the server and regenerate the OpenVPN configuration. You can skip this step if OpenVPN connectivity is not needed.

  15. Upload the root certificate (not the private key) to your website or email it to yourself. Follow Apple's guides to install and trust the root certificate on your iOS device.

    To install: https://support.apple.com/en-us/HT209435

    To trust: https://support.apple.com/en-us/HT204477

  16. Repeat the above process to generate a new server certificate when the current one expires (after 730 days, for example). The root certificate can be reused as long as it has not expired.

Using vpncmd (command line)

  1. Log in to the server in admin mode.

  2. Run makecert2048 and fill in the root certificate information.

    • Name of Certificate (CN): Any name EXCEPT your server hostname
    • Expiration: 3650 days (default) or other value you want

    Specify filenames to export the root certificate and private key.

    Save the key in a safe place and never disclose it to others.

    Sample:

    VPN Server>makecert2048
    MakeCert2048 command - Create New X.509 Certificate and Private Key (2048 bit)
    Name of Certificate to Create (CN): debian
    
    Organization of Certificate to Create (O):
    
    Organization Unit of Certificate to Create (OU):
    
    Country of Certificate to Create (C):
    
    State of Certificate to Create (ST):
    
    Locale of Certificate to Create (L):
    
    Serial Number of Certificate to Create (Hexadecimal):
    
    Expiration Date of Certificate to Create (Days): 3650
    
    File Name to Save Certificate to Create: /root/debian.cer
    
    File Name to Save Private Key to Create: /root/debian.key
    
    The command completed successfully.
    
  3. Run makecert2048 /SIGNCERT:<path to root certificate> /SIGNKEY:<path to private key> and fill in the server certificate information.

    • Name of Certificate (CN): Your server hostname (such as SoftEther DDNS hostname)
    • Expiration: 730 days (or any value less than 825 days)

    Specify filenames to export the server certificate and private key.

    Save the key in a safe place and never disclose it to others.

    Sample:

    VPN Server>makecert2048 /signcert:/root/debian.cer /signkey:/root/debian.key
    MakeCert2048 command - Create New X.509 Certificate and Private Key (2048 bit)
    Name of Certificate to Create (CN): vpn123456789.softether.net
    
    Organization of Certificate to Create (O):
    
    Organization Unit of Certificate to Create (OU):
    
    Country of Certificate to Create (C):
    
    State of Certificate to Create (ST):
    
    Locale of Certificate to Create (L):
    
    Serial Number of Certificate to Create (Hexadecimal):
    
    Expiration Date of Certificate to Create (Days): 730
    
    File Name to Save Certificate to Create: /root/server.cer
    
    File Name to Save Private Key to Create: /root/server.key
    
    The command completed successfully.
    
  4. Run servercertset and provide the paths to the server certificate and private key. Do not provide the path to the root certificate.

    Sample:

    VPN Server>servercertset
    ServerCertSet command - Set SSL Certificate and Private Key of VPN Server
    Read X.509 certificate from file name: /root/server.cer
    
    Read private key from file name: /root/server.key
    
    The command completed successfully.
    
  5. (Optional) Copy the exported root certificate (not the private key) to the chain_certs sub-folder on the server and regenerate the OpenVPN configuration. You can skip this step if OpenVPN connectivity is not needed.

  6. Upload the root certificate (not the private key) to your website or email it to yourself. Follow Apple's guides to install and trust the root certificate on your iOS device.

    To install: https://support.apple.com/en-us/HT209435

    To trust: https://support.apple.com/en-us/HT204477

  7. Repeat the above process to generate a new server certificate when the current one expires (after 730 days, for example). The root certificate can be reused as long as it has not expired.
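Both procedures above (GUI and vpncmd) end with an exported root certificate and a server certificate, and the stated reason for the whole exercise is that iOS 13 rejects certificates that miss Apple's trust rules. The script below is an added example, not part of SSTP Connect or SoftEther: it checks a server (leaf) certificate file against those rules (RSA key of at least 2048 bits, a SHA-2 signature, the hostname present in subjectAltName, a serverAuth extended key usage, and a validity period of at most 825 days) and confirms that the leaf really chains to the root you will hand to iOS. It assumes the openssl command-line tool (1.1.1 or newer) is installed; the root/leaf pair it generates for its own demo is constructed input, and vpn.example.test is a placeholder hostname, not a real SoftEther DDNS name.

```shell
#!/bin/sh
# Added example for the SSTP Connect certificate guide (not project code):
# check a server certificate against Apple's iOS 13 trust requirements.
# Assumes the openssl CLI (1.1.1+). All files live in a temporary work dir.

WORK="${WORK:-$(mktemp -d)}"

# Convert openssl's date text ("Jan  1 00:00:00 2024 GMT") to Unix seconds with
# shell arithmetic only, so the result is the same with GNU and BSD date.
asn1_to_epoch() {
  set -- $1                                   # Mon D HH:MM:SS YYYY GMT
  case "$1" in
    Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
    Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
  esac
  d=$2; y=$4; h=${3%%:*}; r=${3#*:}; mi=${r%%:*}; s=${r#*:}
  h=${h#0}; mi=${mi#0}; s=${s#0}              # "08" -> "8", "00" -> "0" (no octal)
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi    # days-from-civil: the year starts in March
  era=$((y / 400)); yoe=$((y - era * 400)); mp=$(((m + 9) % 12))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $(((era * 146097 + doe - 719468) * 86400 + h * 3600 + mi * 60 + s))
}

# Validity period in whole days, taken from the certificate's own notBefore/notAfter.
validity_days() {
  nb=$(openssl x509 -in "$1" -noout -startdate); na=$(openssl x509 -in "$1" -noout -enddate)
  start=$(asn1_to_epoch "${nb#*=}"); end=$(asn1_to_epoch "${na#*=}")
  echo $(((end - start) / 86400))
}

fails=0
report() {                                    # $1 = description, rest = command to evaluate
  msg="$1"; shift
  if "$@" >/dev/null 2>&1; then echo "PASS: $msg"; else echo "FAIL: $msg"; fails=$((fails + 1)); fi
}

# Check one leaf certificate against the iOS 13 rules; returns 0 only if all pass.
check_ios13_cert() {                          # $1 = certificate file, $2 = expected hostname
  cert="$1"; host="$2"; fails=0; txt="$WORK/cert.txt"
  openssl x509 -in "$cert" -noout -text > "$txt" || return 1
  bits=$(sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' "$txt" | head -n 1)
  days=$(validity_days "$cert")
  report "RSA key >= 2048 bits (found ${bits:-unknown})"  [ "${bits:-0}" -ge 2048 ]
  report "SHA-2 signature algorithm"                      grep -Eq 'Signature Algorithm: sha(256|384|512)' "$txt"
  report "hostname $host listed in subjectAltName"        grep -Fq "DNS:$host" "$txt"
  report "extendedKeyUsage includes serverAuth"           grep -q 'TLS Web Server Authentication' "$txt"
  report "validity <= 825 days (found $days)"             [ "$days" -le 825 ]
  return $fails
}

# Confirm the leaf was signed by the exported root, i.e. the file given to iOS
# is the issuer of what the VPN server presents.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }   # $1 root, $2 leaf

# Constructed sample chain, laid out like the guide: a root CA whose CN is NOT the
# server hostname, then a leaf with CN = hostname, hostname in SAN, serverAuth EKU.
make_sample_root() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$WORK/openssl.cnf" \
    -subj "/CN=example-root-ca" -keyout "$WORK/root.key" -out "$WORK/root.cer" 2>/dev/null
}
make_sample_leaf() {                          # $1 hostname, $2 validity days, $3 output basename
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$1" > "$WORK/$3.ext"
  printf 'extendedKeyUsage = serverAuth\nkeyUsage = critical, digitalSignature, keyEncipherment\n' >> "$WORK/$3.ext"
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/root.cer" -CAkey "$WORK/root.key" -CAcreateserial \
    -days "$2" -sha256 -extfile "$WORK/$3.ext" -out "$WORK/$3.cer" 2>/dev/null
}

# Demo on constructed input: the guide's 730-day leaf passes, a 1000-day leaf fails.
make_sample_root
make_sample_leaf vpn.example.test 730 good
make_sample_leaf vpn.example.test 1000 bad
check_ios13_cert "$WORK/good.cer" vpn.example.test && echo "good.cer: acceptable to iOS 13"
check_ios13_cert "$WORK/bad.cer" vpn.example.test || echo "bad.cer: rejected (see FAIL line above)"
chain_ok "$WORK/root.cer" "$WORK/good.cer" && echo "good.cer chains to root.cer"
```

To check certificates produced by the vpncmd procedure, source the script and run check_ios13_cert against the files you exported, for example check_ios13_cert /root/server.cer vpn123456789.softether.net followed by chain_ok /root/debian.cer /root/server.cer. A FAIL on the subjectAltName or validity line is the usual reason an iOS device refuses a certificate whose CN looks correct, so it is worth running this before uploading the root certificate to the device.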