Always On VPN SSTP Certificate Renewal

Windows Server Routing and Remote Access Service (RRAS) is popular for Always On VPN deployments because it supports the Secure Socket Tunneling Protocol (SSTP). The SSTP VPN protocol is recommended for use with the Always On VPN user tunnel because it is firewall friendly. Installing a TLS certificate on the VPN server is necessary to support SSTP VPN connections. Administrators should use a TLS certificate signed by a public certification authority (CA) for optimal reliability and performance.

Click here to view a video demonstration of the procedures outlined in this article.

Certificate Expiration

Of course, all certificates expire, and the TLS certificate used for SSTP is no exception. When using a public TLS certificate, the certificate lifetime is typically no more than one year, which means Always On VPN administrators will be renewing this certificate regularly.

Certificate Renewal

The process of “renewing” an SSTP TLS certificate is essentially the same as installing a new one, as it is best to create a new public/private key pair when renewing a certificate. The following outlines the steps required to generate a Certificate Signing Request (CSR), import the certificate, then assign the certificate to the SSTP listener on the VPN server.

Note: The guidance provided here assumes using an ECC certificate, which is best for optimal security and performance. More details here.

Certificate Request

Open the local computer certificate store (certlm.msc) on the VPN server and perform the following steps to generate a new CSR.

  1. Expand Certificates – Local Computer > Personal.
  2. Right-click the Certificates folder and choose All Tasks > Advanced Operations > Create Custom Request.
  3. Click Next.
  4. Highlight Proceed without enrollment policy.
  5. Click Next.
    1. Select (No template) CNG key from the Template drop-down list.
    2. Select PKCS #10 in the Request format section.
    3. Click Next.
  6. Click on the down arrow next to Details.
    Always On VPN ECDSA SSL Certificate Request for SSTP
  7. Click on the Properties button.
  8. Select the General tab.
    1. Enter the public hostname for the certificate in the Friendly name field.
  9. Select the Subject tab.
    1. Select Common name from the Type drop-down list in the Subject name section.
    2. Enter the public hostname for the certificate in the Value field.
    3. Click Add.
    4. In the Alternative name section, select DNS from the Type drop-down list.
    5. Enter the public hostname for the certificate in the Value field.
    6. Click Add.
      Always On VPN ECDSA SSL Certificate Request for SSTP
  10. Select the Extensions tab.
    1. Expand the Extended Key Usage section.
    2. Select Server Authentication from the Available options section.
    3. Click Add.
      Always On VPN ECDSA SSL Certificate Request for SSTP
  11. Select the Private Key tab.
    1. Expand the Cryptographic Service Provider section.
      1. Uncheck the box next to RSA,Microsoft Software Key Storage Provider.
      2. Check the box next to ECDSA_P256,Microsoft Software Key Storage Provider.
    2. Expand the Key options section.
      1. Check the box next to Make private key exportable.
        Always On VPN ECDSA SSL Certificate Request for SSTP
  12. Click Ok.
  13. Click Next.
  14. Enter a name for the file in the File Name field.
  15. Select Base 64 in the File format section.
  16. Click Finish.

Import Certificate

Once complete, submit the file created to a public CA for signing. When the CA returns the signed certificate, perform the following steps to import it to the local compute certificate store.

  1. Right-click the Certificates folder and choose All Tasks > Import.
  2. Click Next.
  3. Enter the name of the certificate file returned by the public CA in the File name field.
  4. Click Next.
  5. Select Place all certificates in the following store and ensure that Personal is listed in the Certificate store field.
  6. Click Next.
  7. Click Finish.
  8. Click Ok.

Assign Certificate

After importing the new TLS certificate in the local computer’s certificate store, open the Routing and Remote Access management console (rrasmgmt.msc) and perform the following steps to assign the TLS certificate to the SSTP listener.

  1. Right-click the VPN server and choose Properties.
  2. Select the Security tab.
    1. Select the new TLS certificate from the Certificate drop-down list in the SSL Certificate Binding section. When replacing an existing certificate, you may see a certificate with the same name more than once. Click the View button and ensure the new certificate is selected.
    2. Click Ok.
    3. Click Yes to restart the RemoteAccess service.

Demonstration Video

A recorded video demonstration of this process can be found here. The video recording also includes guidance for making these changes on Windows Server Core servers.

Additional Information

Installing or Renewing an SSL/TLS Certificate on Windows Server for Always On VPN and SSTP.

Microsoft Windows Always On VPN SSTP Security Configuration

Microsoft Windows Always On VPN SSL Certificate Requirements for SSTP

Microsoft Windows Always On VPN ECDSA TLS Certificate Request for SSTP

Microsoft Windows Always On VPN SSTP with Let’s Encrypt Certificates

Always On VPN and TLS 1.3

Secure Socket Tunneling Protocol (SSTP) is a Microsoft-proprietary VPN protocol with several advantages over Internet Key Exchange version 2 (IKEv2) for Always On VPN user tunnel connections. SSTP uses HTTP with Transport Layer Security (TLS) to encrypt communication between the Always On VPN client and the VPN gateway. SSTP is very firewall-friendly, with VPN connections operating on the commonly open TCP port 443, resulting in more consistent VPN availability. SSTP throughput is better compared to IKEv2 as well.

Learn more about TLS with Practical TLS, a comprehensive online video training course.

TLS and Windows Server

For versions of Windows Server before Windows Server 2022, the out-of-the-box security for TLS is not ideal. TLS is notoriously complex to configure, with myriad options for administrators to choose from. However, with the release of Windows Server 2022 and Windows 11, Microsoft has introduced support for the latest TLS specification, TLS 1.3, which eases much of this configuration pain.

TLS 1.3

TLS 1.3 provides significant advantages for Always On VPN SSTP user tunnel connections in security and performance.

Security

TLS 1.3 is greatly simplified and offers only five cipher suites, all considered secure by today’s standards. In addition, all TLS 1.3 ciphers support forward secrecy, ensuring the privacy of communication even in the event of a server private key compromise.

Performance

The TLS handshake in TLS 1.3 is streamlined and requires less back-and-forth (round trips) to establish a connection. TLS 1.3 speeds connection establishment for new Always On VPN user tunnel connections.

Caveat

Adding support for TLS 1.3 on the server-side is a compelling reason to consider upgrading existing Windows Server Routing and Remote Access Service (RRAS) servers to Windows Server 2022. However, TLS 1.3 support for SSTP also requires Windows 11 on the client-side. TLS 1.3 is not currently supported in Windows 10.

Summary

Realizing the performance benefits provided by TLS 1.3 will likely only occur in large environments supporting many thousands of concurrent connections per server. However, the security benefits apply to all deployments, regardless of size. Administrators should consider upgrading to Windows Server 2022 before proceeding with Windows 11 adoption.

Additional Information

Practical TLS: A Deep Dive into SSL and TLS Online Video Training Course

Always On VPN SSTP Security Configuration

Always On VPN SSTP with Let’s Encrypt Certificates

Always On VPN TLS Certificate Requirements for SSTP

TLS Protocol Version Support in Windows

TLS Cipher Suites in Windows Server 2022

A Detailed Look at TLS 1.3

TLS Cipher Suite Reference

RFC8446 TLS 1.3

%d bloggers like this: