As I’ve discussed previously, it is strongly recommended that the TLS certificate used for SSTP on Windows Server RRAS use an Elliptic Curve Cryptography (ECC) key. ECC provides better security and performance than RSA keys for Windows 10 Always On VPN connections using SSTP. See my previous post, Always On VPN SSL Certificate Requirements for SSTP, for more information.
Certificate Signing Request
To generate a Certificate Signing Request (CSR) using an ECC key to send to a public Certification Authority (CA) using Windows, open the local computer certificate store (certlm.msc) on any Windows server or client and follow the steps below.
Note: Guidance for creating a CSR with ECC using OpenSSL can be found at the end of this post.
- Expand Certificates – Local Computer.
- Right-click the Personal folder and choose All Tasks > Advanced Operations > Create Custom Request.
- Click Next.
- Select Proceed without enrollment policy.
- Click Next.
- From the Template drop-down list choose (No template) CNG key.
- Click Next.
- Click Details.
- Click Properties.
- On the General tab enter a name in the Friendly name field.
- Click on the Subject tab.
- In the Subject name section, from the Type drop-down list choose Common name.
- In the Value field enter the VPN server’s public hostname and click Add.
- In the Alternative name section, from the Type drop-down list choose DNS.
- In the Value field enter the VPN server’s public hostname and click Add.
- Click on the Extensions tab.
- Expand Extended Key Usage (application policies).
- Highlight Server Authentication.
- Click Add.
- Click on the Private Key tab.
- Expand Cryptographic Service Provider.
- Uncheck RSA,Microsoft Software Key Storage Provider.
- Check ECDSA_P256,Microsoft Software Key Storage Provider.
- Expand Key options.
- Select the option to Make private key exportable.
- Select the option to Make private key exportable.
- Click Ok.
- Click Next.
- Enter a name for the file in the File Name field.
- Click Finish.
Certreq
Installing the TLS certificate for Always On VPN SSTP on a Windows Server Core server will require using certreq.exe. First, using notepad.exe, create a certificate request configuration file that includes the following information. Save it with a .INF file extension.
[NewRequest]
Subject = “CN=vpn.example.net”
FriendlyName = vpn.example.net
KeyAlgorithm = ECDSA_P256
KeyLength = 256
MachineKeySet = True
Exportable = TRUE
[Extensions]
2.5.29.17 = “{text}”
_continue_ = “dns=vpn.example.net&”
Next, create the CSR file by opening an elevated command window and running the following command.
certreq.exe -new .\newcert.inf .\newcert.csr
OpenSSL
If the TLS certificate for Always On VPN SSTP will be installed on a load balancer or other security device, creating the CSR using OpenSSL may be required. Use the following commands to generate a CSR with ECDA using OpenSSL.
openssl ecparam -out aovpn_sstp.key -name prime256v1 -genkey
openssl req -new -key aovpn_sstp.key -out aovpn_sstp.csr -sha256
Submit the Request
Once complete, submit the CSR for signing to your favorite public CA. Based on my experience, some CAs are easier to obtain ECC certificates than others. Today, Digicert seems to be one of the better public CAs for obtaining ECC TLS certificates.
Complete the Request
Once the CA has issued the certificate, import the certificate into the local computer certificate store on the same client or server where the original CSR was created. The certificate can then be exported and imported on additional VPN servers if required.
Tony
/ August 20, 2018Hi Richard, can this be used for the IKEv2 Certificate as well? As I want to combine SSL and IKEv2 Certificate as one public certificate.
Thanks
Tony
Richard M. Hicks
/ August 25, 2018The IKEv2 certificate should not be issued by a public CA. It should be issued by an internal CA as it is used to map your users to their accounts in Active Directory.
Chris
/ January 4, 2019Hi Richard
In the certificate signing request properties on the extensions tab, in the ‘Extended Key Usage’ section do we need to select server authentication?
Also on the Private key tab under ‘Key Options’ do we need to tick ‘Make private key exportable’ as we have a number of VPN servers that need the public cert
Thanks
Chris
Richard M. Hicks
/ January 5, 2019You can certainly do those things, yes. However, in my experience most Certification Authorities will include both Server Authentication and Client Authenticate regardless. They’ll usually mark them as exportable too. However, I will update the post to include those settings for completeness. 🙂
Chris
/ January 7, 2019Thanks again Richard 🙂
vebassey
/ September 25, 2019Great insight Richard. Can we use ecc certs for Ikev2 vpn, also must the internal root CA be using ECC cert rather than RSA?
Richard M. Hicks
/ October 7, 2019Absolutely. EC certificates with IKEv2 are an excellent way to improve security and performance. The issuing CA must be configured with an EC certificate of course, but that’s about it.
beigewell
/ January 29, 2020I keep receiving this error on the client “IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store”. When using ECDSA certs algorithm is SHA384ECDSA do I need to specify something on the VPN server? The cert is internal and the CA is trusted
Richard M. Hicks
/ January 30, 2020You can use ECDSA for IKEv2 VPN as long as you are using ECDSA on both sides, the client and the server. If you are getting the message “failed to find a valid machine certificate” it means that either the client or the server doesn’t have a certificate capable of supporting IKEv2 in your configuration. Also, make sure you specify the correct root certificate if you have configured that option.
beigewell
/ January 30, 2020thanks Richard definitely using it the same on both sides as they use the same Root CA. I am specifying the top Root CA rather than the Issuing or Intermediate. I am hoping the issue is that the Key Usage Digital Encipherment was missing so am getting it reissued.
Richard M. Hicks
/ February 3, 2020Ok, let me know if you have any success!
Christian
/ February 3, 2020yep that worked reissue of the cert and adding Key Usage Digital Encipherment worked. Now I just cannot get the policy to match for the Template in makeprofile. Are there any restrictions in the amount of intermediate certs to the Root (we have 2 then the root)? I keep getting “dialed a connection named Template which has failed. The error code returned on failure is 13868”. Server settings are the default as are the Windows 10 client 1909. So can’t see what the issue would be in the first instance.
Richard M. Hicks
/ February 3, 2020Great to hear! The VPN error 13868 is an IPsec policy mismatch error, which would not affect SSTP. It would only affect IKEv2 connections. If you are using the default settings on both sides, server and client, you should not encounter this issue. If you’ve made changes to the IPsec policy for IKEv2 VPN connections on either the client and the server, they must match exactly. More details here: https://directaccess.richardhicks.com/2019/09/02/always-on-vpn-ikev2-policy-mismatch-error/.