Always On VPN SSL Certificate Requirements for SSTP

Always On VPN Certificate Requirements for SSTPThe Windows Server 2016 Routing and Remote Access Service (RRAS) is commonly deployed as a VPN server for Windows 10 Always On VPN deployments. Using RRAS, Always On VPN administrators can take advantage of Microsoft’s proprietary Secure Socket Tunneling Protocol (SSTP) VPN protocol. SSTP is a Transport Layer Security (TLS) based VPN protocol that uses HTTPS over the standard TCP port 443 to encapsulate and encrypt communication between the Always On VPN client and the RRAS VPN server. SSTP is a firewall-friendly protocol that ensures ubiquitous remote network connectivity. Although IKEv2 is the protocol of choice when the highest level of security is required for VPN connections, SSTP can still provide very good security when implementation best practices are followed.

SSTP Certificate

Since SSTP uses HTTPS for transport, a common SSL certificate must be installed in the Local Computer/Personal/Certificates store on the RRAS VPN server. The certificate must include the Server Authentication Enhanced Key Usage (EKU) at a minimum. Often SSL certificates include both the Server Authentication and Client Authentication EKUs, but the Client Authentication EKU is not strictly required. The subject name on the certificate, or at least one of the Subject Alternative Name entries, must match the public hostname used by VPN clients to connect to the VPN server. Multi-SAN (sometimes referred to as UC certificates) and wildcard certificates are supported.

Always On VPN Certificate Requirements for SSTP

Certification Authority

It is recommended that the SSL certificate used for SSTP be issued by a public Certification Authority (CA). Public CAs typically have their Certificate Revocation Lists (CRLs) hosted on robust, highly available infrastructure. This reduces the chance of failed VPN connection attempts caused by the CRL being offline or unreachable.

Using an SSL certificate issued by an internal, private CA is supported if the CRL for the internal PKI is publicly available.

Key Type

RSA is the most common key type used for SSL certificates. However, Elliptic Curve Cryptography (ECC) keys offer better security and performance, so it is recommended that the SSTP SSL certificate be created using an ECC key instead.

Always On VPN Certificate Requirements for SSTP

To use an ECC key, be sure to specify the use of a Cryptographic Next Generation (CNG) key and select the ECDSA_P256 Microsoft Software Key Storage Provider (CSP) (or greater) when creating the Certificate Signing Request (CSR) for the SSTP SSL certificate.

Always On VPN Certificate Requirements for SSTP

Most public CAs will support certificate signing using ECC and Elliptic Curve Digital Signature Algorithm (ECDSA). If yours does not, find a better CA. 😉

Forward Secrecy

Forward secrecy (sometimes referred to as perfect forward secrecy, or PFS) ensures that session keys can’t be compromised even if the server’s private key is compromised. Using forward secrecy for SSTP is crucial to ensuring the highest levels of security for VPN connections.

To enforce the use of forward secrecy, the TLS configuration on the VPN server should be prioritized to prefer cipher suites with Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange.

Authenticated Encryption

Authenticated encryption (AE) and authenticated encryption with associated data (AEAD) is a form of encryption that provides better data protection and integrity compared to older block or stream ciphers such as CBC or RC4.

To enforce the use of authenticated encryption, the TLS configuration on the VPN server should be prioritized to prefer cipher suites that support Galois/Counter Mode (GCM) block ciphers.

Important Note: In Windows Server 2016, GCM ciphers can be used with both RSA and ECC certificates. However, in Windows Server 2012 R2 GCM ciphers can only be used when an ECC certificate is used.

SSL Offload

Offloading SSL to a load balancer or application delivery controller (ADC) can be enabled to improve scalability and performance for SSTP VPN connections. I will cover SSL offload for SSTP in detail in a future post.

Summary

SSTP can provide good security for VPN connections when implementation and security best practices are followed. For optimum security, use an SSL certificate with an EC key and optimize the TLS configuration to use forward secrecy and authenticated cipher suites.

Additional Information

Always On VPN ECDSA SSL Certificate Request for SSTP

Always On VPN and Windows Server Routing and Remote Access Service (RRAS)

Always On VPN Protocol Recommendations for Windows Server RRAS

Always On VPN Certificate Requirements for IKEv2

3 Important Advantages of Always On VPN over DirectAccess

Microsoft SSTP Specification on MSDN

Leave a comment

36 Comments

  1. Max Gianesini

     /  August 8, 2018

    Hello Richard
    We have deployed SSTP with internal PKI but when the client connects it fails to validate the cert. OCSP is publicly available and I can validate the cert using certutil -URL certname.
    Any ideas why VPN will not use OCSP?

    Reply
    • Not sure. Typically if you can validate with certutil it should work. However, it is possible that perhaps client client performs its validation differently. I’d suggest taking a network trace to see specifically what’s going on with the validation process. Hopefully that will yield some clues.

      Reply
  2. Al

     /  October 16, 2018

    hi, i setup a sstp server in windows 2012 r2 with a cert from a windows ca on a domain , i issued the certificate with subject name and san matching the public address if i use peap still getting error “not have server name specified”, if i use mschap2 then it works. any ideas?

    Reply
    • PEAP will require that the certificate match the internal hostname of the server, not the public name. Typically I’ll use two different certificates, one for PEAP and one for SSL. You might be able to add the server name to the SAN list and make it work, but it’s not something I’ve tried.

      Reply
  3. Colin

     /  November 20, 2018

    To use the certificate on multiple VPN servers is it required to make the private key exportable in the request? I did not upon my initial request so I am trying to do a new request from a second VPN server using your suggestions for SSTP but every time I submit the request it fails saying invalid parameter. I added CN, DNS, ECDSA_P256, Client and Server EKU, and marked the private key as exportable. I attempted this from both the server with the existing certificate and the new VPN server that has no certificate yet. Both fail with an invalid parameter error.

    Reply
    • It is possible to use the same certificate on more than one VPN server. If you’ve already successfully made a request on one server, no harm in exporting the certificate and importing on the other server.

      Reply
      • Colin

         /  November 20, 2018

        But it seems that the private key needs to be marked as exportable in the request prior to getting the initial cert. I cannot import to the other server through IIS because there is no private key and I can’t export the private key on the original server.

        I thought to myself, OK, I will just re-request it and mark it as exportable with new CSR but I for some reason cannot make a new request. It always says invalid parameter. I have tried on 3 servers and a client. Same error.

  4. Colin

     /  November 20, 2018

    I figured it out. I was selecting the wrong CSP type. Smart Card vs software. DOH!

    Reply
  5. Colin

     /  November 20, 2018

    BTW: You must mark the private key as exportable in your CSR or you cannot import it to another server in IIS.

    I’m good to go now.

    Reply
  6. Chris

     /  January 4, 2019

    Hi Richard

    Thanks for another great article!

    If we use a public certificate with ECC keys and EECDSA_P256 Microsoft Software Key Storage Provider, is it mandatory to have Forward Secrecy and Authenticated Encryption in place or can we use the certificate now and implement Forward Secrecy and Authenticated Encryption at a later date? I do plan on doing at the same time, just so I know either way 😊

    Thanks

    Chris

    Reply
  7. Daniel

     /  February 20, 2019

    Hi,

    We have also setup an SSTP tunnel. It connects and works fine, but only when server validation is removed from the SSTP profile (which is deployed via SCCM). We have tried selecting the correct root certificate to validate with, which I assume will be the public SSL provider as we are connecting to an SSTP session? We have tried our internal CA certificate too but that does not work either; turning off server side validation is the only way we can connect.

    Any thoughts would be very much appreciated.

    Thanks

    Danny

    Reply
    • I’d have to suspect there’s still some issue with the CRL then if disabling the revocation check makes it work. FYI, this is one of the reasons we recommend using public SSL certificates. 🙂

      Reply
  8. Patrick Pinto

     /  December 12, 2019

    We are currently using IKE for aovpn. Can we use sstp as a backup method on the same aovpn server but for manual connections? Meaning we would have a second vpn connector on the client and if aovpn didnt kick in for whatever reason they can still manually connect using sstp?

    Reply
  9. Simon Cote

     /  April 30, 2020

    HI Richard, I have a wildcard certificate from Comodo install in the lm store but the RRAS interface does not list it in the drop down. what could be missing?

    Reply
    • Most likely the private key. Make sure you import the certificate and private key (usually a PFX file) and you should see it in the drop-down list.

      Reply
  10. Hello Rich, I am considering getting a godaddy SSL certificate to setup SSTP on my windows 2016 server. If my vpn conneciton address is SSTP.Mydomain.com, then am I covered if i go for the cheapest option, which only covers 1 domain or subdomain without wildcards? many thanks, Krisen

    Reply
  11. ZW

     /  April 1, 2021

    So am I reading this (and other blog posts) correctly that you can make AOVPN work with SSLP and devices that aren’t domain-joined? We are looking into this with our fleet of Intune laptops.

    Reply
    • Absolutely. Always On VPN has no requirements to be domain-joined at all. As long as you are using Active Directory user accounts that are synced to Azure AD, you’ll have seamless SSO to on-premises resources. It really is the way to go!

      Reply
  12. Chris

     /  July 13, 2021

    For my understanding. The IPsec configuration settings are not in context with the SSTP certificate. That means even if I have RSA certificates for user and device tunnel in the IPsec configuration* I can still have a ECDSA public cert for SSTP?

    *
    AuthenticationTransformConstants : GCMAES128
    CipherTransformConstants : GCMAES128
    CustomPolicy : True
    DHGroup : Group14
    EncryptionMethod : AES256
    IntegrityCheckMethod : SHA256
    PFSgroup : ECP256

    I just need on the VPN server an internal published cert for IKEv2 with IP security IKE intermediate and Server Authentication and a public one for SSTP with Server Authentication if I use both protocols.

    Reply
    • That’s correct. The custom cryptography settings you referenced are for IPsec/IKEv2 only. SSTP uses TLS and that is negotiated separately from IKEv2. So yes, you can use RSA for IKEv2/IPsec, and ECDSA for SSTP (with an ECDSA TLS certificate installed on the VPN server).

      Reply
  13. Do you happen to know the full HTTPS URL that SSTP clients connect to? (e.g. https://vpn.domain.com/sttpvpn…?)

    Reply
  1. Always On VPN Routing Configuration | Richard M. Hicks Consulting, Inc.
  2. Always On VPN ECDSA SSL Certificate Request for SSTP | Richard M. Hicks Consulting, Inc.
  3. Troubleshooting Always On VPN Error Code 0x80092013 | Richard M. Hicks Consulting, Inc.
  4. Always On VPN SSTP Load Balancing and SSL Offload | Richard M. Hicks Consulting, Inc.
  5. Always On VPN SSTP Connects then Disconnects | Richard M. Hicks Consulting, Inc.
  6. Always On VPN IKEv2 Features and Limitations | Richard M. Hicks Consulting, Inc.
  7. Always On VPN SSTP Load Balancing with F5 BIG-IP | Richard M. Hicks Consulting, Inc.
  8. Always On VPN SSTP Load Balancing with Kemp LoadMaster | Richard M. Hicks Consulting, Inc.
  9. Always On VPN SSTP Load Balancing with Citrix NetScaler ADC | Richard M. Hicks Consulting, Inc.
  10. Always On VPN SSTP Certificate Binding Error | Richard M. Hicks Consulting, Inc.

Leave a Reply

Discover more from Richard M. Hicks Consulting, Inc.

Subscribe now to keep reading and get access to the full archive.

Continue reading