Always On VPN SSTP and 47-Day TLS Certificates

The Secure Socket Tunneling Protocol (SSTP) is a VPN protocol that uses Transport Layer Security (TLS) encryption and HTTP transport over TCP port 443. SSTP is easy to configure and firewall-friendly, making it an excellent choice for the Always On VPN user tunnel. Security best practices dictate using a TLS certificate issued by a public Certification Authority (CA). Today, the maximum lifetime of a public TLS certificate is 398 days (approximately 1 year). Always On VPN administrators using SSTP are familiar with the process of renewing their SSTP certificate annually. However, that’s about to change.

47 Days

In April of this year, the CA/Browser Forum, a voluntary consortium of public CAs, browser vendors, and other industry stakeholders that develop and promote security standards and best practices for digital certificates and Public Key Infrastructure (PKI), adopted a measure reducing the current maximum lifetime of public TLS certificates to 47 days. This means Always On VPN administrators using public TLS certificates must eventually update their TLS certificates monthly.

Automation

Of course, no administrator in their right mind would want to renew SSTP certificates every month. Automating this process will be crucial to ensuring reliability and reducing management overhead. I’ll provide more details later in this post.

Why Is This Happening?

The industry has been trending toward shorter certificate lifetimes for a while now. In the old days, you could purchase a certificate valid for 5 years or more. Today, a one-year certificate is all you can get. Let’s Encrypt, a public CA that issues certificates for free, issues only 90-day lifetime certificates.

Advantages

The advantage of using short-lived certificates for public TLS certificates is that they improve security and provide agility for future changes. Public TLS certificates become less secure and trustworthy over time. The longer a certificate is valid, the less trustworthy it becomes and the longer the opportunity for an attacker to leverage a certificate for which the private key has been compromised.

Why 47 Days?

A 47-day maximum certificate lifetime allows administrators to rotate their certificates monthly (a maximum of 31 days plus some margin to resolve issues).

Not So Fast

The good news for Always On VPN administrators using SSTP with public TLS certificates is that they won’t have to worry about this immediately. The reduction in maximum certificate lifetime to 47 days takes place gradually over a few years.

  • Today, the maximum public TLS certificate lifetime is 398 days
  • On March 15, 2026, the maximum public TLS certificate lifetime will be reduced to 200 days
  • On March 15, 2027, the maximum public TLS certificate lifetime will be reduced to 100 days
  • On March 15, 2029, the maximum public TLS certificate lifetime will be reduced to 47 days

Let’s Encrypt

Over the years, I’ve deployed Always On VPN with SSTP for several customers using Let’s Encrypt TLS certificates. Let’s Encrypt is a public CA that issues certificates with a maximum lifetime of 90 days, so automating this task is essential. Let’s Encrypt supports ACME, a standard protocol for automating the issuance and renewal of TLS certificates, which makes automating TLS certificate installation and renewal a breeze.

Sample Script

I’ve published a sample PowerShell script demonstrating how to automate the enrollment process for Let’s Encrypt TLS certificates. It leverages the Posh-ACME PowerShell module and my AOVPNTools module to enroll and automatically install a TLS certificate for SSTP. This script will also work for DirectAccess. You can find the sample script here.

Note: My sample script demonstrates using the Cloudflare DNS plugin for Posh-ACME. Posh-ACME has plugins for many public DNS providers, which can be found here. Feel free to customize my script to meet your specific needs.
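The enroll, renew and rebind flow described above can be sketched as follows. This is an added example, not the author's published script: it uses Posh-ACME with the Cloudflare plugin and the built-in RemoteAccess cmdlets in place of AOVPNTools. It assumes Posh-ACME 4.x; the hostname, contact address and token file path are placeholders.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Posh-ACME, RemoteAccess

# Placeholder values for illustration; replace with your own.
$Hostname  = 'vpn.example.net'
$Contact   = 'pki-admin@example.net'
# Cloudflare API token saved once with Export-Clixml as a SecureString. DPAPI ties
# the file to the account and machine that created it, so run the task as that account.
$TokenFile = 'C:\ProgramData\AovpnAcme\cf-token.xml'
$pluginArgs = @{ CFToken = Import-Clixml -Path $TokenFile }

Set-PAServer LE_PROD

# First run: no ACME account or order exists yet, so enroll. Later runs: renew,
# which returns nothing until Posh-ACME's renewal window for the order has opened.
if ((Get-PAAccount) -and (Get-PAOrder -MainDomain $Hostname)) {
    $cert = Submit-Renewal -MainDomain $Hostname
} else {
    $cert = New-PACertificate -Domain $Hostname -Plugin Cloudflare -PluginArgs $pluginArgs `
        -AcceptTOS -Contact $Contact -Install
}
if (-not $cert) { Write-Output "No renewal due for $Hostname."; return }

# Make sure the certificate and private key are in the machine store before touching RRAS.
$storeCert = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" -ErrorAction SilentlyContinue
if (-not $storeCert) {
    $storeCert = Import-PfxCertificate -FilePath $cert.PfxFile -Password $cert.PfxPass `
        -CertStoreLocation Cert:\LocalMachine\My
}
if (-not $storeCert.HasPrivateKey) { throw "No private key for $($cert.Thumbprint)." }

# Rebind SSTP. Restarting RemoteAccess disconnects active VPN sessions.
Stop-Service -Name RemoteAccess -Force
Set-RemoteAccess -SslCertificate $storeCert
Start-Service -Name RemoteAccess
Write-Output "SSTP bound to $($storeCert.Thumbprint), valid until $($storeCert.NotAfter)."
```

Run it from a daily scheduled task in a quiet window; on most days it exits at the "No renewal due" line without touching the service.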

Act Now

Always On VPN administrators are advised to consider solutions to automate TLS certificate enrollment and renewal as soon as possible. If your public CA of choice doesn’t support some form of certificate automation like ACME, it’s time to find another provider.

Summary

Starting in March 2026, the maximum lifetime for public TLS certificates will be reduced gradually, reaching just 47 days by March 2029. Automation will no longer be optional for Always On VPN administrators using SSTP—it will be essential. Tools like the Posh-ACME PowerShell module provide a reliable solution to streamline certificate management and ensure uninterrupted connectivity. Now is the time to prepare for this industry shift by implementing automated certificate renewal solutions. If you’d like professional assistance with this task or simply want to learn more about your options, drop me a note via the contact page, and I’ll respond with more information.

Additional Information

TLS Certificate Lifetimes Will Officially Reduce to 47 Days – DigiCert

Posh-ACME PowerShell Module

Posh-ACME Documentation

Always On VPN Tools (AOVPNTools) PowerShell Module

November Microsoft Security Updates and AD CS

As I do each month on Patch Tuesday, I look through the list of published vulnerabilities in search of things that might interest Always On VPN administrators. Frequently there are updates for things like Routing and Remote Access Service (RRAS) or various VPN protocols. The good news is that the November 2024 security updates include NO such vulnerabilities! However, a vulnerability has been disclosed that affects Active Directory Certificate Services (AD CS), on which Always On VPN often relies for user and device authentication.

Certificate Templates

AD CS Enterprise certificate authorities are closely integrated with Active Directory and use certificate templates that administrators can publish for users and devices to enroll. These templates control properties of the issued certificates, such as the subject name, usage, key length, enrollment policies, and much more. There are several different template versions available, versions 1 through 4. Version 1 templates are legacy templates that don’t provide many capabilities. Later versions include more features and capabilities.

CVE-2024-49019

The November 2024 Microsoft security updates include CVE-2024-49019, a privilege escalation vulnerability recently discovered in AD CS. Specifically, this vulnerability affects only legacy schema version 1 certificate templates published on a certificate authority (CA) server that include the option to supply the subject name in the certificate request. A typical example of this would be the default Web Server template.

Exploitation

The Web Server template does not include the Client Authentication Enhanced Key Usage (EKU) by default, which is required to authenticate to Active Directory. However, this vulnerability allows an attacker with enrollment privileges on this template to supply additional EKUs in the request and the certificate issued will include those capabilities. This allows a non-privileged attacker to quickly elevate to a domain or enterprise administrator by supplying a known administrator’s User Principal Name (UPN) along with the Client Authentication EKU in the certificate request. As version 1 templates cannot enforce CA manager approval for enrollment, an attacker can easily leverage this vulnerability if permissions allow, leading to complete domain compromise.

Note: This applies to any schema version 1 certificate template published with the subject name supplied in the request, not just the Web Server template.

Complications

Making matters worse, the Web Server template is one of the default certificate templates published automatically when a Windows Server CA is deployed. The best practice is to disable the publishing of any certificate templates by default when a new CA is provisioned. However, it requires additional configuration that is often overlooked. In addition, many administrators use overly broad enrollment permissions for this template, such as Domain Users, Domain Computers, or Authenticated Users, further broadening the attack surface.

Mitigation

Administrators should update their CA servers as soon as possible. If you cannot deploy this update immediately, consider replacing any schema version 1 templates with version 2 templates, which are not vulnerable. Also, as a best practice, ensure that any certificate templates that allow the subject name to be supplied in the request also require CA manager approval or additional authorized signatures for enrollment.

Investigation

Administrators should review enrollment privileges for all published certificate templates to ensure least privileged access. In addition, administrators should immediately audit all valid certificates issued from schema version 1 certificate templates that allow the subject name to be supplied in the request, looking for indicators of compromise. Review issued certificates for unauthorized EKUs or unusual subject names, especially those with a UPN.
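One way to find the templates this post describes and see who can enroll in them, as an added example that is not part of the original post: a read-only query through the ActiveDirectory module. The attribute names and the Enroll extended-right GUID come from the AD schema; the output column names are illustrative.

```powershell
#Requires -Modules ActiveDirectory

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit of msPKI-Certificate-Name-Flag, and the
# GUID of the Certificate-Enrollment ("Enroll") extended right.
$EnrolleeSuppliesSubject = 0x1
$EnrollRight   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$pks = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Map each published template name to the CAs that publish it.
$published = @{}
Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object {
        $ca = $_.Name
        foreach ($t in $_.certificateTemplates) {
            if (-not $published.ContainsKey($t)) { $published[$t] = @() }
            $published[$t] += $ca
        }
    }

# Published templates that are schema version 1 (a missing attribute compares as
# less than 1 and is treated as version 1) and let the requester supply the subject.
Get-ADObject -SearchBase "CN=Certificate Templates,$pks" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Template-Schema-Version, msPKI-Certificate-Name-Flag,
                pKIExtendedKeyUsage, nTSecurityDescriptor |
    Where-Object {
        $published.ContainsKey($_.Name) -and
        ($_.'msPKI-Template-Schema-Version' -le 1) -and
        (($_.'msPKI-Certificate-Name-Flag' -band $EnrolleeSuppliesSubject) -ne 0)
    } |
    ForEach-Object {
        $tpl = $_
        # Allow ACEs granting Enroll, or all extended rights (covers Full Control).
        $enrollers = $tpl.nTSecurityDescriptor.Access | Where-Object {
            ($_.AccessControlType -eq 'Allow') -and
            $_.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
            ($_.ObjectType -in @($EnrollRight, [guid]::Empty))
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        [pscustomobject]@{
            Template     = $tpl.Name
            PublishedOn  = $published[$tpl.Name] -join ', '
            TemplateEKUs = $tpl.pKIExtendedKeyUsage -join ', '
            CanEnroll    = $enrollers -join ', '
        }
    }
```

Any row whose CanEnroll column lists Domain Users, Domain Computers or Authenticated Users is the broad-permission case called out under Complications and should be reviewed first.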

Additional Information

Microsoft November 2024 Security Updates

CVE-2024-49019 – AD CS Elevation of Privilege Vulnerability

EKUwu: Not Just Another AD CS ESC – TrustedSec

Delete A Cloud PKI for Intune Certificate Authority

When Microsoft first introduced Cloud PKI for Intune, the solution did not allow administrators to delete a CA after it was created. As you are limited to just six Cloud PKI for Intune CAs, this was quite frustrating, especially during the testing and evaluation phase, where you may need to spin up a few instances before you decide on the features you need.

Are you interested in learning more about Cloud PKI for Intune? Register for my upcoming online training course, Mastering Certificates with Microsoft Intune. This three-day comprehensive, deep-dive course covers all aspects of issuing and managing certificates with Intune, including provisioning and managing Cloud PKI for Intune. Click here to learn more.

Delete Cloud PKI

Thankfully, Microsoft eventually realized this shortcoming and added this much needed feature a few months ago. However, removing an Intune Cloud PKI CA requires administrators to follow some specific steps to remove a CA successfully. Since Cloud PKI for Intune uses a two-tier deployment model, administrators must remove the issuing CA first and then the root CA if required.

Issuing CA

Follow the steps below to delete a Cloud PKI for Intune issuing CA.

Intune Policies

Be sure to delete any Intune device configuration policies relating to Cloud PKI for Intune before decommissioning a Cloud PKI for Intune CA. This includes trusted certificate policies, Wi-Fi policies, and VPN policies.

Pause CA

The first step of deleting a Cloud PKI for Intune CA is to pause the service. Pausing the service prevents new certificates from being issued while the administrator completes the remaining retirement tasks. Open the Intune portal (https://intune.microsoft.com), navigate to Tenant Administration > Cloud PKI, and click the CA to be deleted. Next, click Pause to pause the CA.

Revoke Certificates

Administrators must revoke all issued certificates before deleting the issuing CA. Click on any issued certificate to view its properties and then click the Revoke button, as shown here.

Complete this step for each certificate issued and active on the CA.

Note: It takes some time before the certificate status shows Revoked in the management console. Be patient!

Revoke CA Certificate

Once the administrator has revoked all issued certificates, click Revoke to revoke the issuing CA’s certificate.

Delete CA

Once the issuing CA certificate has been revoked, the administrator will have the option to delete the Cloud PKI for Intune issuing CA.

Root CA

After the administrator deletes the issuing CA, the root CA can be removed if necessary. Click on the root CA and click the Delete button.

Additional Information

Delete Microsoft Cloud PKI Certification Authority

Strong Certificate Mapping for Intune PKCS and SCEP Certificates

Microsoft Cloud PKI for Intune and Certificate Templates

Microsoft Cloud PKI for Intune and Active Directory

Microsoft Cloud PKI for Intune SCEP URL

Microsoft Cloud PKI for Intune on RunAs Radio