Always On VPN SSL Certificate Requirements for SSTP

The Windows Server 2016 Routing and Remote Access Service (RRAS) is commonly deployed as the VPN server for Windows 10 Always On VPN. With RRAS, Always On VPN administrators can use Microsoft's proprietary Secure Socket Tunneling Protocol (SSTP). SSTP is a Transport Layer Security (TLS) based VPN protocol that encapsulates and encrypts traffic between the Always On VPN client and the RRAS VPN server inside an HTTPS session on the standard TCP port 443. Because nearly every network allows outbound HTTPS, SSTP is firewall friendly and provides near-ubiquitous remote network connectivity. IKEv2 is the protocol of choice when the highest level of security is required for VPN connections, but SSTP can still provide very good security when the implementation best practices below are followed.

SSTP Certificate

Since SSTP uses HTTPS for transport, a standard SSL (TLS server) certificate must be installed in the Local Computer/Personal/Certificates store on the RRAS VPN server. The certificate must include the Server Authentication Enhanced Key Usage (EKU) at a minimum. SSL certificates often include both the Server Authentication and Client Authentication EKUs, but the Client Authentication EKU is not required for SSTP. The subject name on the certificate, or at least one of the Subject Alternative Name (SAN) entries, must match the public hostname VPN clients use to connect to the VPN server. Multi-SAN (sometimes referred to as UC) certificates and wildcard certificates are supported. The VPN client validates this certificate, including its name and revocation status, during the TLS handshake before any user authentication takes place, so a name mismatch or a failed revocation check means the connection never gets off the ground.
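The following is an added example and not code from the original post: a PowerShell script that inspects the Local Computer/Personal store for a certificate that satisfies the requirements above (private key present, not expired, Server Authentication EKU, subject CN or DNS SAN matching the public hostname, with single-label wildcard matching) and, with -Bind, assigns the best match to RRAS using Set-RemoteAccess. The hostname vpn.example.com is an assumption.

```powershell
# Added example, not part of the original post. Run on the RRAS server in an
# elevated session; the RemoteAccess module is needed only for -Bind.
param(
    [string]$PublicHostName = 'vpn.example.com',   # assumed public VPN name
    [switch]$Bind                                   # also run Set-RemoteAccess
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# A wildcard name (*.example.com) covers exactly one left-most label.
function Test-NameMatch {
    param([string]$CertName, [string]$HostName)
    if ($CertName.StartsWith('*.')) {
        $labels = $HostName.Split('.')
        if ($labels.Count -lt 3) { return $false }
        return ($labels[1..($labels.Count - 1)] -join '.') -eq $CertName.Substring(2)
    }
    return $CertName -eq $HostName
}

function Get-SstpCandidate {
    param([string]$HostName)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid)
    } | ForEach-Object {
        $cert = $_
        # Subject CN plus every DNS SAN entry; the SSTP client accepts either.
        $names = @($cert.GetNameInfo('SimpleName', $false)) + @($cert.DnsNameList.Unicode)
        $matched = $names | Where-Object { Test-NameMatch $_ $HostName }
        if ($matched) {
            [pscustomobject]@{
                Thumbprint  = $cert.Thumbprint
                Subject     = $cert.Subject
                MatchedName = ($matched | Select-Object -First 1)
                KeyType     = $cert.PublicKey.Oid.FriendlyName   # 'ECC' or 'RSA'
                Expires     = $cert.NotAfter
                Certificate = $cert
            }
        }
    }
}

$candidates = @(Get-SstpCandidate -HostName $PublicHostName)
if ($candidates.Count -eq 0) {
    Write-Warning "No usable SSTP certificate for $PublicHostName in Cert:\LocalMachine\My"
    return
}
$candidates | Format-Table Thumbprint, MatchedName, KeyType, Expires -AutoSize

if ($Bind) {
    # Prefer the longest-lived match. Set-RemoteAccess -SslCertificate takes the
    # X509Certificate2 object and makes it the SSTP listener certificate.
    $best = $candidates | Sort-Object Expires -Descending | Select-Object -First 1
    Set-RemoteAccess -SslCertificate $best.Certificate
    (Get-RemoteAccess).SslCertificate | Format-List Subject, Thumbprint, NotAfter
}
```

Certificates with no EKU at all are deliberately excluded even though Windows treats them as valid for any purpose; for an Internet-facing listener, an explicit Server Authentication EKU is what you want to see.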


Certification Authority

It is recommended that the SSL certificate used for SSTP be issued by a public Certification Authority (CA). Public CAs typically host their Certificate Revocation Lists (CRLs) and OCSP responders on robust, highly available infrastructure that is reachable from anywhere on the Internet, which is where Always On VPN clients are when they connect. This reduces the chance of failed VPN connection attempts caused by the CRL being offline or unreachable.

Using an SSL certificate issued by an internal, private CA is supported, provided the CRL Distribution Point (CDP) of every certificate in the chain is reachable from the Internet. The client performs its revocation check before the tunnel is up, so a CDP that is only resolvable or reachable from inside the corporate network will cause the connection to fail.
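The script below is an added example, not code from the original post. Run from a machine that is not on the internal network (a home PC or a cloud VM), it retrieves the SSTP server certificate from the TLS handshake, fetches every CRL URL in its CRL Distribution Points extension, and then builds the chain with online revocation checking, which is the same validation the Windows VPN client performs before trusting the server. The hostname and port are assumptions.

```powershell
# Added example, not part of the original post: verify that the SSTP server
# certificate's CRL is reachable from the public Internet.
param([string]$VpnHost = 'vpn.example.com', [int]$Port = 443)   # assumed values

# Capture the server certificate from the handshake. The always-true callback
# only lets us read the certificate; the real validation happens further down.
function Get-ServerCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

# Pull the http(s) URLs out of the CRL Distribution Points extension (OID 2.5.29.31).
function Get-CrlUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'https?://[^\s\]"]+') | ForEach-Object { $_.Value }
}

$cert = Get-ServerCertificate -HostName $VpnHost -Port $Port
"Server certificate: $($cert.Subject) (expires $($cert.NotAfter))"

$urls = @(Get-CrlUrl -Cert $cert)
if ($urls.Count -eq 0) { Write-Warning 'Certificate carries no CRL Distribution Point' }
foreach ($url in $urls) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        "CRL reachable: $url ($($resp.Content.Length) bytes)"
    } catch {
        Write-Warning "CRL NOT reachable from here: $url -> $($_.Exception.Message)"
    }
}

# Same check the VPN client performs: chain build with mandatory online
# revocation checking for the whole chain, not just the leaf.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
if ($chain.Build($cert)) {
    'Chain OK with online revocation checking'
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
}
```

A RevocationStatusUnknown or OfflineRevocation status from the chain build on an external machine is the condition that shows up on the client as a failed connection, even when certutil on an internal machine reports the certificate as valid.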

Key Type

RSA is the most common key type used for SSL certificates. However, Elliptic Curve Cryptography (ECC) keys provide equivalent or better security with far smaller keys (a 256-bit ECDSA key is generally rated comparable to a 3072-bit RSA key) and faster signing, so it is recommended that the SSTP SSL certificate be created using an ECC key instead.


To use an ECC key, specify a Cryptographic Next Generation (CNG) key when creating the Certificate Signing Request (CSR) for the SSTP SSL certificate, and select ECDSA_P256#Microsoft Software Key Storage Provider (or ECDSA_P384 for a stronger key) from the Cryptographic Service Provider (CSP) list. The Microsoft Software Key Storage Provider is a CNG key storage provider (KSP); the legacy CryptoAPI providers such as the Microsoft RSA SChannel Cryptographic Provider cannot hold ECC keys.
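The following is an added example rather than the procedure from the original post or its companion article: it generates the CSR with certreq.exe from a request INF file that asks for an ECDSA P-256 key in the Microsoft Software Key Storage Provider, the Server Authentication EKU, and DNS SAN entries. The hostname, extra SAN names and output folder are assumptions; submit the resulting .req to your CA and complete the request with certreq -accept on the same server so the key and certificate are joined.

```powershell
# Added example, not part of the original post: build and submit-ready CSR for
# the SSTP certificate with an ECC (ECDSA_P256) CNG key. Elevated session.
param(
    [string]$PublicHostName = 'vpn.example.com',          # assumed public VPN name
    [string[]]$ExtraSan     = @(),                        # optional additional names
    [string]$OutDir         = "$env:ProgramData\SstpCsr"  # assumed output folder
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$inf = Join-Path $OutDir 'sstp.inf'
$req = Join-Path $OutDir 'sstp.req'

# One _continue_ line per SAN entry; the public name comes first.
$sanLines = (@($PublicHostName) + $ExtraSan | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

@"
[NewRequest]
Subject = "CN=$PublicHostName"
; CNG elliptic-curve key in the software KSP; use ECDSA_P384 / 384 for a stronger key
KeyAlgorithm = ECDSA_P256
KeyLength = 256
ProviderName = "Microsoft Software Key Storage Provider"
HashAlgorithm = SHA256
; Key goes in the machine store because RRAS runs as a service
MachineKeySet = TRUE
; Exportable is required if the same certificate will be installed on more than one VPN server
Exportable = TRUE
; 0x80 = Digital Signature, which is all an ECDSA key is used for
KeyUsage = 0x80
RequestType = PKCS10
FriendlyName = "SSTP $PublicHostName"

[EnhancedKeyUsageExtension]
; Server Authentication; Client Authentication is not needed for SSTP
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@ | Set-Content -Path $inf -Encoding ASCII

# Creates the key pair in the local machine store and writes the PKCS#10 request.
& certreq.exe -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Show what was requested: the names, the EC public key and the EKU should all be there.
& certreq.exe -dump $req
"CSR written to $req. Submit it to the CA, then run: certreq -accept <issued.cer>"
```

Exportable = TRUE is the one setting that cannot be changed after the fact: if it is left at the default and you later want to share the certificate with a second RRAS server, you will have to request a new certificate.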


Most public CAs support issuing certificates for ECC keys and signing them with the Elliptic Curve Digital Signature Algorithm (ECDSA). If yours does not, find a better CA. 😉

Forward Secrecy

Forward secrecy (sometimes referred to as perfect forward secrecy, or PFS) means that every session derives its keys from a fresh, ephemeral key exchange, so traffic captured today cannot be decrypted later even if the server's private key is subsequently compromised. With the older static RSA key exchange, the client encrypts the session's pre-master secret to the server's certificate key, so whoever obtains that key can decrypt every recorded session. Using forward secrecy for SSTP is crucial to ensuring the highest levels of security for VPN connections, because the certificate's private key is a long-lived secret that outlives any one tunnel.

To enforce the use of forward secrecy, the TLS cipher suite order on the VPN server (the SSL Cipher Suite Order Group Policy setting, or the TLS cmdlets on Windows Server 2016) should prefer, or better, allow only, cipher suites that use Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange. Cipher suites whose names begin with TLS_RSA_ use static RSA key exchange and provide no forward secrecy.

Authenticated Encryption

Authenticated encryption (AE), and authenticated encryption with associated data (AEAD), combines confidentiality and integrity protection in a single primitive, so any tampering with the ciphertext is detected before decrypted data is used. It is a better choice than the older cipher suite constructions: a block cipher in CBC mode with a separate HMAC, which has been the source of padding-oracle style attacks, or the RC4 stream cipher, which has known keystream biases and should not be used at all.

To enforce the use of authenticated encryption, the TLS cipher suite order on the VPN server should prefer cipher suites that use AES in Galois/Counter Mode (GCM), the AEAD mode Schannel supports. These suites have _GCM_ in their names.

Important Note: In Windows Server 2016, GCM cipher suites are available with both RSA and ECDSA certificates, including the ECDHE_RSA GCM suites that give forward secrecy with an RSA certificate. Windows Server 2012 R2 does not include the ECDHE_RSA GCM suites, so getting both forward secrecy and authenticated encryption on 2012 R2 requires an ECC certificate and the ECDHE_ECDSA GCM suites.
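The script below is an added example, not configuration from the original post, and covers both the Forward Secrecy and Authenticated Encryption sections above. It uses the TLS cmdlets on Windows Server 2016 to disable every Schannel cipher suite that lacks ECDHE key exchange or AES-GCM, puts the preferred suites at the head of the list, and verifies the result. The preferred order is an assumption; ECDSA suites come first to match the ECC certificate recommended earlier, with the ECDHE_RSA suites kept as a fallback for an RSA certificate.

```powershell
# Added example, not part of the original post: restrict Schannel to ECDHE + GCM
# cipher suites on the RRAS/SSTP server. Windows Server 2016 or later, elevated.
#Requires -RunAsAdministrator

$Preferred = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

# A suite is acceptable if it is ECDHE + GCM, or a TLS 1.3 suite (TLS_AES_*,
# TLS_CHACHA20_*) on newer builds; TLS 1.3 suites are always ephemeral and AEAD.
function Test-StrongSuite {
    param([string]$Name)
    return ($Name -like 'TLS_ECDHE_*_GCM_*') -or ($Name -like 'TLS_AES_*') -or ($Name -like 'TLS_CHACHA20_*')
}

function Get-WeakSuite {
    Get-TlsCipherSuite | Select-Object -ExpandProperty Name | Where-Object { -not (Test-StrongSuite $_) }
}

# 1. Remove static-RSA (no forward secrecy), CBC, 3DES, RC4, NULL and PSK suites.
foreach ($suite in Get-WeakSuite) {
    Write-Host "Disabling $suite"
    Disable-TlsCipherSuite -Name $suite
}

# 2. Place the preferred suites at the head of the list, in order. Position 0 is
#    first; a suite is disabled first so it can be re-inserted at the wanted slot.
$pos = 0
foreach ($suite in $Preferred) {
    Disable-TlsCipherSuite -Name $suite -ErrorAction SilentlyContinue
    Enable-TlsCipherSuite -Name $suite -Position $pos
    $pos++
}

# 3. Verify: nothing without both forward secrecy and AEAD may remain enabled.
$remaining = @(Get-WeakSuite)
if ($remaining.Count -gt 0) {
    Write-Warning "Still enabled without PFS/AEAD: $($remaining -join ', ')"
} else {
    Write-Host 'Effective cipher suite order:'
    Get-TlsCipherSuite | ForEach-Object { "  $($_.Name)" }
}
```

Two cautions. The list applies to every Schannel consumer on the server (RDP, WinRM over HTTPS, IIS), not only SSTP, so confirm nothing else on the box depends on a removed suite. And in a domain, the SSL Cipher Suite Order Group Policy setting overrides the local list set by these cmdlets, so if that policy exists, make the change there.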

SSL Offload

Offloading SSL (terminating TLS) on a load balancer or application delivery controller (ADC) is supported and can improve scalability and performance for SSTP VPN connections. Keep in mind that the client then negotiates TLS with the ADC, so the certificate and cipher suite requirements above apply to the ADC. I will cover SSL offload for SSTP in detail in a future post.

Summary

SSTP can provide good security for VPN connections when implementation and security best practices are followed. For optimum security, use an SSL certificate with an ECC key, make sure its CRL is reachable from the Internet, and configure the TLS cipher suite order to use forward secrecy (ECDHE) and authenticated encryption (GCM).

Additional Information

Always On VPN ECDSA SSL Certificate Request for SSTP

Always On VPN and Windows Server Routing and Remote Access Service (RRAS)

Always On VPN Protocol Recommendations for Windows Server RRAS

Always On VPN Certificate Requirements for IKEv2

3 Important Advantages of Always On VPN over DirectAccess

Microsoft SSTP Specification on MSDN


19 Comments

  1. Max Gianesini

     /  August 8, 2018

    Hello Richard
    We have deployed SSTP with internal PKI but when the client connects it fails to validate the cert. OCSP is publicly available and I can validate the cert using certutil -URL certname.
    Any ideas why VPN will not use OCSP?

    • Not sure. Typically if you can validate with certutil it should work. However, it is possible that perhaps the client performs its validation differently. I'd suggest taking a network trace to see specifically what's going on with the validation process. Hopefully that will yield some clues.

  2. Al

     /  October 16, 2018

    Hi, I set up an SSTP server in Windows 2012 R2 with a cert from a Windows CA on a domain. I issued the certificate with subject name and SAN matching the public address. If I use PEAP I'm still getting the error "not have server name specified"; if I use MSCHAPv2 then it works. Any ideas?

    • PEAP will require that the certificate match the internal hostname of the server, not the public name. Typically I’ll use two different certificates, one for PEAP and one for SSL. You might be able to add the server name to the SAN list and make it work, but it’s not something I’ve tried.

  3. Colin

     /  November 20, 2018

    To use the certificate on multiple VPN servers is it required to make the private key exportable in the request? I did not upon my initial request so I am trying to do a new request from a second VPN server using your suggestions for SSTP but every time I submit the request it fails saying invalid parameter. I added CN, DNS, ECDSA_P256, Client and Server EKU, and marked the private key as exportable. I attempted this from both the server with the existing certificate and the new VPN server that has no certificate yet. Both fail with an invalid parameter error.

    • It is possible to use the same certificate on more than one VPN server. If you’ve already successfully made a request on one server, no harm in exporting the certificate and importing on the other server.

      • Colin

         /  November 20, 2018

        But it seems that the private key needs to be marked as exportable in the request prior to getting the initial cert. I cannot import to the other server through IIS because there is no private key and I can’t export the private key on the original server.

        I thought to myself, OK, I will just re-request it and mark it as exportable with new CSR but I for some reason cannot make a new request. It always says invalid parameter. I have tried on 3 servers and a client. Same error.

  4. Colin

     /  November 20, 2018

    I figured it out. I was selecting the wrong CSP type. Smart Card vs software. DOH!

  5. Colin

     /  November 20, 2018

    BTW: You must mark the private key as exportable in your CSR or you cannot import it to another server in IIS.

    I’m good to go now.

  6. Chris

     /  January 4, 2019

    Hi Richard

    Thanks for another great article!

    If we use a public certificate with ECC keys and ECDSA_P256 Microsoft Software Key Storage Provider, is it mandatory to have Forward Secrecy and Authenticated Encryption in place, or can we use the certificate now and implement Forward Secrecy and Authenticated Encryption at a later date? I do plan on doing both at the same time, just so I know either way 😊

    Thanks

    Chris

  7. Daniel

     /  February 20, 2019

    Hi,

    We have also setup an SSTP tunnel. It connects and works fine, but only when server validation is removed from the SSTP profile (which is deployed via SCCM). We have tried selecting the correct root certificate to validate with, which I assume will be the public SSL provider as we are connecting to an SSTP session? We have tried our internal CA certificate too but that does not work either; turning off server side validation is the only way we can connect.

    Any thoughts would be very much appreciated.

    Thanks

    Danny

    • I’d have to suspect there’s still some issue with the CRL then if disabling the revocation check makes it work. FYI, this is one of the reasons we recommend using public SSL certificates. 🙂

  1. Always On VPN Routing Configuration | Richard M. Hicks Consulting, Inc.
  2. Always On VPN ECDSA SSL Certificate Request for SSTP | Richard M. Hicks Consulting, Inc.
  3. Troubleshooting Always On VPN Error Code 0x80092013 | Richard M. Hicks Consulting, Inc.
  4. Always On VPN SSTP Load Balancing and SSL Offload | Richard M. Hicks Consulting, Inc.
  5. Always On VPN SSTP Connects then Disconnects | Richard M. Hicks Consulting, Inc.
