Always On VPN ECDSA SSL Certificate Request for SSTP

As I’ve discussed previously, it is strongly recommended that the TLS certificate used for SSTP be signed using the Elliptic Curve Digital Signature Algorithm (ECDSA). ECDSA provides better security and performance compared to RSA certificates for Windows 10 Always On VPN connections using SSTP. See my previous post Always On VPN SSL Certificate Requirements for SSTP for more information.

Certificate Signing Request

To generate a Certificate Signing Request (CSR) using ECDSA to send to a public Certification Authority (CA) using Windows, open the local computer certificate store (certlm.msc) on any Windows server or client and follow the steps below.

Note: Guidance for creating a CSR with ECDSA using OpenSSL can be found at the end of this post.

  1. Expand Certificates – Local Computer.
  2. Right-click the Personal folder and choose All Tasks > Advanced Operations > Create Custom Request.
  3. Click Next.
  4. Select Proceed without enrollment policy.
  5. Click Next.
  6. From the Template drop-down list choose (No template) CNG key.
  7. Click Next.
  8. Click Details.
  9. Click Properties.
  10. On the General tab enter a name in the Friendly name field.
  11. Click on the Subject tab.
    1. In the Subject name section, from the Type drop-down list choose Common name.
    2. In the Value field enter the VPN server’s public hostname and click Add.
    3. In the Alternative name section, from the Type drop-down list choose DNS.
    4. In the Value field enter the VPN server’s public hostname and click Add.
  12. Click on the Extensions tab.
    1. Expand Extended Key Usage (application policies).
    2. Highlight Server Authentication.
    3. Click Add.
  13. Click on the Private Key tab.
    1. Expand Cryptographic Service Provider.
    2. Uncheck RSA,Microsoft Software Key Storage Provider.
    3. Check ECDSA_P256,Microsoft Software Key Storage Provider.
  14. Expand Key options.
    1. Select the option to Make private key exportable.
  15. Click Ok.
  16. Click Next.
  17. Enter a name for the file in the File Name field.
  18. Click Finish.

OpenSSL

If the TLS certificate for Always On VPN SSTP will be installed on a load balancer or other security device, creating the CSR using OpenSSL may be required. Use the following commands to generate a CSR with ECDSA (P-256, which OpenSSL names prime256v1) using OpenSSL.

openssl ecparam -out aovpn_sstp.key -name prime256v1 -genkey
openssl req -new -key aovpn_sstp.key -out aovpn_sstp.csr -sha256

Submit the Request

Once complete, submit the CSR for signing to your favorite public CA. Based on my experience, it is easier to obtain ECDSA-signed certificates from some CAs than from others. Today, Digicert seems to be one of the better public CAs for obtaining EC TLS certificates.

Complete the Request

Once the CA has issued the certificate, import the certificate into the local computer certificate store on the same client or server where the original CSR was created, so that it is paired with the private key generated with the request. The certificate (with its private key) can then be exported and imported on additional VPN servers, if required.
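As an added example that is not part of the original post, the following PowerShell reproduces the GUI request steps above with a certreq INF file (ECDSA_P256 key in the Microsoft Software Key Storage Provider, exportable, SAN and Server Authentication EKU), then completes the request and checks that the installed certificate really carries an EC key. The hostname vpn.example.com and the file names are placeholders.

```powershell
# Added example (not from the original post). vpn.example.com is a placeholder.
$Hostname = 'vpn.example.com'

# INF equivalent of the Create Custom Request wizard settings.
$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Hostname"
FriendlyName = "Always On VPN SSTP"
; Private Key tab: ECDSA_P256, Microsoft Software Key Storage Provider (CNG)
KeyAlgorithm = ECDSA_P256
ProviderName = "Microsoft Software Key Storage Provider"
HashAlgorithm = sha256
; Local computer store; Key options: make private key exportable
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10

[Extensions]
; Subject tab: alternative name of type DNS for the public hostname
2.5.29.17 = "{text}"
_continue_ = "dns=$Hostname&"
; Extensions tab: Extended Key Usage = Server Authentication
2.5.29.37 = "{text}1.3.6.1.5.5.7.3.1"
"@
Set-Content -Path .\aovpn_sstp.inf -Value $Inf -Encoding ASCII

# Generates the key in the local computer store and writes the CSR to submit to the CA.
certreq -new .\aovpn_sstp.inf .\aovpn_sstp.csr

# After the CA returns aovpn_sstp.cer, pair it with the pending request (Complete the Request).
certreq -accept .\aovpn_sstp.cer

# Returns $true only if a cert for the hostname with a private key, an EC public key
# and the Server Authentication EKU is present in the local computer Personal store.
function Test-SstpEcdsaCert {
    param([string]$DnsName)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$DnsName" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return $false }
    # 1.2.840.10045.2.1 is id-ecPublicKey; an RSA key would report 1.2.840.113549.1.1.1
    $isEcc = $cert.PublicKey.Oid.Value -eq '1.2.840.10045.2.1'
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    return ($isEcc -and $hasServerAuth)
}
Test-SstpEcdsaCert -DnsName $Hostname
```

Run it in an elevated PowerShell session on the server where the certificate will live; the same INF can be reused on each VPN server if you prefer per-server keys over exporting one certificate.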

Additional Information

Always On VPN SSL Certificate Requirements for SSTP

Always On VPN Protocol Recommendations for RRAS


17 Comments

  1. Tony

     August 20, 2018

    Hi Richard, can this be used for the IKEv2 Certificate as well? As I want to combine SSL and IKEv2 Certificate as one public certificate.

    Thanks
    Tony

    • The IKEv2 certificate should not be issued by a public CA. It should be issued by an internal CA as it is used to map your users to their accounts in Active Directory.

  2. Chris

     January 4, 2019

    Hi Richard

    In the certificate signing request properties on the extensions tab, in the ‘Extended Key Usage’ section do we need to select server authentication?

    Also on the Private key tab under ‘Key Options’ do we need to tick ‘Make private key exportable’ as we have a number of VPN servers that need the public cert

    Thanks

    Chris

    • You can certainly do those things, yes. However, in my experience most Certification Authorities will include both Server Authentication and Client Authentication regardless. They’ll usually mark them as exportable too. However, I will update the post to include those settings for completeness. 🙂

  3. vebassey

     September 25, 2019

    Great insight Richard. Can we use ecc certs for Ikev2 vpn, also must the internal root CA be using ECC cert rather than RSA?

    • Absolutely. EC certificates with IKEv2 are an excellent way to improve security and performance. The issuing CA must be configured with an EC certificate of course, but that’s about it.

  4. beigewell

     January 29, 2020

    I keep receiving this error on the client: “IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store”. When using ECDSA certs (the algorithm is SHA384ECDSA), do I need to specify something on the VPN server? The cert is internal and the CA is trusted.

    • You can use ECDSA for IKEv2 VPN as long as you are using ECDSA on both sides, the client and the server. If you are getting the message “failed to find a valid machine certificate” it means that either the client or the server doesn’t have a certificate capable of supporting IKEv2 in your configuration. Also, make sure you specify the correct root certificate if you have configured that option.

      • Thanks Richard, definitely using it the same on both sides as they use the same Root CA. I am specifying the top Root CA rather than the Issuing or Intermediate. I am hoping the issue is that the Key Usage Digital Encipherment was missing, so am getting it reissued.

      • Ok, let me know if you have any success!

      • Christian

         February 3, 2020

        Yep, that worked: reissuing the cert and adding Key Usage Digital Encipherment worked. Now I just cannot get the policy to match for the Template in makeprofile. Are there any restrictions in the amount of intermediate certs to the Root (we have 2, then the root)? I keep getting “dialed a connection named Template which has failed. The error code returned on failure is 13868”. Server settings are the default, as are the Windows 10 client 1909. So can’t see what the issue would be in the first instance.

      • Great to hear! The VPN error 13868 is an IPsec policy mismatch error, which would not affect SSTP. It would only affect IKEv2 connections. If you are using the default settings on both sides, server and client, you should not encounter this issue. If you’ve made changes to the IPsec policy for IKEv2 VPN connections on either the client or the server, they must match exactly. More details here: https://directaccess.richardhicks.com/2019/09/02/always-on-vpn-ikev2-policy-mismatch-error/.
