Renew DirectAccess Self-Signed Certificates

Important! Updated July 15, 2019 to support all versions of Windows Server including Windows Server 2012 and 2012 R2. Also added functionality to renew self-signed certificates individually.

When DirectAccess is deployed using the Getting Started Wizard (GSW), sometimes referred to as the “simplified deployment” method, self-signed certificates are created during installation and used for the IP-HTTPS IPv6 transition technology, for the Network Location Server (NLS), and for RADIUS shared-secret encryption. Administrators may also deliberately choose self-signed certificates for IP-HTTPS, or when colocating the NLS on the DirectAccess server. The RADIUS encryption certificate is always self-signed.

Certificate Expiration

These self-signed certificates expire 5 years after they are created, which means many DirectAccess administrators who have used this deployment option will need to renew these certificates at some point in the future. Unfortunately, there’s no published guidance from Microsoft on how to accomplish this. However, the process is simple enough using PowerShell and the New-SelfSignedCertificate cmdlet.
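The following is an added example written for this page; it is not the published Renew-DaSelfSignedCertificates.ps1 script and does not reproduce it. It shows the shape of the renewal: inventory the self-signed certificates in the machine store, issue a fresh five-year replacement that carries the same subject and SANs as the old one, and rebind the IP-HTTPS listener and the colocated NLS with Set-DAServer and Set-DANetworkLocationServer. It assumes Windows Server 2016 or later (the -FriendlyName, -NotAfter and -TextExtension parameters are absent from the 2012 R2 New-SelfSignedCertificate cmdlet), that it is run elevated on the DirectAccess server, and that the two thumbprint values and the friendly names are placeholders you supply from the inventory output.

```powershell
# Added example, not the page's published script. Assumptions: Windows Server 2016+,
# run elevated on the DirectAccess server; thumbprints and friendly names below are
# placeholders. On 2012 R2 the cmdlet only offers -DnsName/-CertStoreLocation/-CloneCert,
# so the New-SelfSignedCertificate call would need to be reduced accordingly (assumption).
#Requires -RunAsAdministrator
Import-Module RemoteAccess

$Store = 'Cert:\LocalMachine\My'

function Get-DaSelfSignedCertificate {
    # A self-signed certificate is its own issuer. Report remaining lifetime so the
    # IP-HTTPS, NLS and RADIUS encryption certificates that are about to expire stand out.
    Get-ChildItem -Path $Store |
        Where-Object { $_.Subject -eq $_.Issuer } |
        Select-Object Thumbprint, FriendlyName, Subject, NotAfter,
            @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } } |
        Sort-Object NotAfter
}

function New-DaReplacementCertificate {
    # Clone the identity (subject and SAN names) of an existing certificate into a new
    # self-signed one: RSA-2048, SHA-256, Server Authentication EKU, valid 5 years.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$FriendlyName
    )
    $old = Get-Item -Path "$Store\$Thumbprint"
    $dns = @($old.DnsNameList | Select-Object -ExpandProperty Unicode)
    if ($dns.Count -eq 0) { $dns = @($old.Subject -replace '^CN=', '') }  # no SAN: use the CN

    New-SelfSignedCertificate -Subject $old.Subject -DnsName $dns `
        -FriendlyName $FriendlyName -CertStoreLocation $Store `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyExportPolicy Exportable -KeyUsage DigitalSignature, KeyEncipherment `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
        -NotAfter (Get-Date).AddYears(5)
}

# 1. Look before changing anything.
Get-DaSelfSignedCertificate | Format-Table -AutoSize

# 2. Placeholders: paste the thumbprints of the CURRENT IP-HTTPS and NLS certificates.
$IpHttpsThumbprint = 'PASTE-CURRENT-IPHTTPS-THUMBPRINT'
$NlsThumbprint     = 'PASTE-CURRENT-NLS-THUMBPRINT'

# 3. Issue the replacements. Nothing is rebound yet, so clients are not affected here.
$newIpHttps = New-DaReplacementCertificate -Thumbprint $IpHttpsThumbprint -FriendlyName 'DirectAccess-IPHTTPS (renewed)'
$newNls     = New-DaReplacementCertificate -Thumbprint $NlsThumbprint     -FriendlyName 'DirectAccess-NLS (renewed)'

# 4. Rebind. From this point remote clients are disconnected until they refresh group policy.
Set-DAServer -IPHttpsCertificate $newIpHttps -Force
Set-DANetworkLocationServer -NlsOnDAServer -Certificate $newNls -Force

# 5. Verify what the server now presents. Leave the old certificates in the store until
#    every client has reconnected; only then remove them by thumbprint.
Get-DAServer | Format-List
Get-DANetworkLocationServer | Format-List
```

Run step 1 on its own first and keep its output: it gives you the thumbprints for step 2 and a record of the old certificates to remove once the fleet has picked up the new policy. Rebinding in step 4 is the point of no return for remote clients, so schedule it for a window when they can reach a domain controller by other means.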

PowerShell Script on GitHub

The PowerShell script to renew DirectAccess self-signed certificates has been published on GitHub. You can download Renew-DaSelfSignedCertificates.ps1 here.

Important Considerations

When the script is used to renew the IP-HTTPS or NLS certificate, DirectAccess clients outside the corporate network are disconnected immediately and cannot reconnect until they refresh group policy, because the new self-signed certificate is only trusted once the updated policy has been received (renewing the RADIUS encryption certificate has no impact on users). Refreshing group policy requires the client to reach a domain controller, either on the internal network or over another VPN solution. In addition, internal clients that are offline when the change is made will be unable to resolve internal resources by name until they refresh group policy. If this happens, delete the client’s Name Resolution Policy Table (NRPT) with the following PowerShell command and reboot to restore connectivity.

# The key contains subkeys, so -Recurse is required for Remove-Item to delete it without prompting.
Get-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig" | Remove-Item -Recurse -Confirm:$false
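The NRPT deletion is a blunt fix, so it helps to confirm first that the client is actually in the state described above. The following is an added example, not code from the original post: it checks whether NRPT rules are still applied on a domain-joined client and whether the machine can reach a domain controller, and only then removes the policy-delivered NRPT and reboots. It assumes a Windows 8 or later DirectAccess client run elevated, and treats "NRPT rules present but secure channel to the domain broken" as the symptom (an assumption made for the example).

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell session on a
# domain-joined Windows 8+ DirectAccess client that has just come back onto the internal network.
$NrptKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'

function Test-DaClientNrptStuck {
    # The NRPT is only active while the client believes it is outside the corporate
    # network. Inside the network with a reachable, trusted NLS it should be empty.
    $rules = @(Get-DnsClientNrptRule)
    if ($rules.Count -eq 0) { return $false }
    $rules | Format-Table Namespace, DirectAccessDnsServers -AutoSize

    # If domain lookups are being steered to the DirectAccess DNS server that the client
    # cannot reach from inside, it cannot locate a DC and the secure channel test fails.
    try {
        return -not (Test-ComputerSecureChannel -ErrorAction Stop)
    } catch {
        return $true
    }
}

if (Test-DaClientNrptStuck) {
    # Same remedy as the one-liner above: drop the policy-delivered NRPT, then reboot so
    # the client resolves its DCs normally, refreshes group policy and receives the new
    # NLS certificate and NRPT. -Recurse because the key holds one subkey per rule.
    if (Test-Path -Path $NrptKey) {
        Remove-Item -Path $NrptKey -Recurse -Confirm:$false
    }
    Restart-Computer -Force
} else {
    'NRPT is not the cause here; check the NLS certificate trust and group policy state instead.'
}
```

If the function returns false while the client is still unable to resolve internal names, the problem lies elsewhere (for example the client never trusted the new NLS certificate), and deleting the NRPT would not help.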

Additional Information

PowerShell Recommended Reading for DirectAccess Administrators

Top 5 DirectAccess Troubleshooting PowerShell Commands

19 Comments

1. jonbd / July 1, 2019

   Thanks for this post, the certs on my inherited 2012 R2 DA server have expired, so this is very helpful! I'm getting the following error trying to run it though: "a parameter cannot be found that matches parameter name '-FriendlyName'". Any ideas why that might be?

   • Unusual. Sometimes odd errors can come up if you copied/pasted the code right from the article. If you haven't already done so, I recommend downloading the script from my GitHub repository here: https://github.com/richardhicks/directaccess/blob/master/Renew-DaSelfSignedCertificates.ps1. Let me know if that helps!

   • jonbd / July 1, 2019

     I've read that Server 2012 R2 doesn't have as many parameters as 2016, one of them being -FriendlyName, so I've given up on that for now. Instead I've created a new certificate from my CA server, but for some reason when I run through the wizard to add it, when I click on Finish, it gives me an error "DNS name does not exist", and when I check DNS, the A record for it has been deleted. It deletes it every time I add it and run Finish to apply the settings. Any idea what could be causing this?

      • Ok, that makes sense. I may have only tested on Windows Server 2016 so that might explain the failure. I will definitely go back and test again to see what can be done for Windows Server 2012 R2. No idea why DirectAccess would be deleting your DNS record. Does this happen even if you’ve added the record manually as a static entry?

   • jonbd / July 1, 2019

     Yes, I add the NLS entry as a static A record and it deletes it every time for some reason!

      • Wow, that is definitely unusual! It will certainly happen if you *remove* DirectAccess, but it should not happen when you are simply updating the certificate. You might want to try adjusting the security ACL on the DNS record to prevent the DirectAccess server from removing it. Not ideal, but hopefully it works. 🙂

   • jonbd / July 2, 2019

     It's almost like the DA server is clearing out the DNS record for the self-signed cert, but then can't see the DNS entry for the new one as it's the same record it's just deleted. In the end I set up a new VM with IIS as the NLS and pointed it to that. I'm up and running again now!

      • Having the NLS on a separate server is a good idea anyway. 🙂

2. Stefan / July 9, 2019

   Hi Richard,
   thank you for this post!
   As our self-signed DA certs will expire at the end of the month, I searched the web for renewal and found your site and script.

   But I'm not able to run it; it breaks at character 166 with
   unexpected token: $newcert

   Any idea on this?

   Unexpected token "$newcert" in expression or statement.
   + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
   + FullyQualifiedErrorId : UnexpectedToken

   Best regards
   Stefan
3. NIck / October 14, 2019

   So, my certificate expired for my NLS. Am I reading correctly that I will orphan my remote computers by updating the certificate?

   • No, an expired NLS certificate will have no effect on DirectAccess clients in the field. However, if you renew the IP-HTTPS certificate using the guidance in this post, you will indeed orphan DirectAccess clients until they can update group policy.
4. Petr / November 13, 2019

   We use a public certificate in our DA configuration. But in the certificate store there is a self-signed certificate DirectAccess-RADIUS-Encrypt-servername.domain.se which will expire soon. Do we need to issue a new certificate? I read an article that it is used only for OTP and if OTP is not in use we don't need to renew this certificate. Is this true? Thank you
