As I’ve discussed previously, it is strongly recommended that the TLS certificate used for SSTP on Windows Server RRAS use an Elliptic Curve Cryptography (ECC) key. ECC provides better security and performance than RSA keys for Windows 10 Always On VPN connections using SSTP. See my previous post, Always On VPN SSL Certificate Requirements for SSTP, for more information.

Certificate Signing Request

To generate a Certificate Signing Request (CSR) using an ECC key to send to a public Certification Authority (CA) using Windows, open the local computer certificate store (certlm.msc) on any Windows server or client and follow the steps below.

Note: Guidance for creating a CSR with ECC using OpenSSL can be found at the end of this post.

1. Expand Certificates – Local Computer.
2. Right-click the Personal folder and choose All Tasks > Advanced Operations > Create Custom Request.
3. Click Next.
4. Select Proceed without enrollment policy.
5. Click Next.
6. From the Template drop-down list choose (No template) CNG key.
7. Click Next.
8. Click Details.
9. Click Properties.
10. On the General tab enter a name in the Friendly name field.
11. Click on the Subject tab.
    1. In the Subject name section, from the Type drop-down list choose Common name.
    2. In the Value field enter the VPN server’s public hostname and click Add.
    3. In the Alternative name section, from the Type drop-down list choose DNS.
    4. In the Value field enter the VPN server’s public hostname and click Add.
12. Click on the Extensions tab.
    1. Expand Extended Key Usage (application policies).
    2. Highlight Server Authentication.
    3. Click Add.
13. Click on the Private Key tab.
    1. Expand Cryptographic Service Provider.
    2. Uncheck RSA,Microsoft Software Key Storage Provider.
    3. Check ECDSA_P256,Microsoft Software Key Storage Provider.
14. Expand Key options.
    1. Select the option to Make private key exportable.
15. Click Ok.
16. Click Next.
17. Enter a name for the file in the File Name field.
18. Click Finish.

Certreq

Installing the TLS certificate for Always On VPN SSTP on a Windows Server Core server will require using certreq.exe. First, using notepad.exe, create a certificate request configuration file that includes the following information. Save it with a .INF file extension.

[NewRequest]
Subject = “CN=vpn.example.net”
FriendlyName = vpn.example.net
KeyAlgorithm = ECDSA_P256
KeyLength = 256
MachineKeySet = True
Exportable = TRUE

[Extensions]
2.5.29.17 = “{text}”
_continue_ = “dns=vpn.example.net&”

Next, create the CSR file by opening an elevated command window and running the following command.

certreq.exe -new .\newcert.inf .\newcert.csr

OpenSSL

If the TLS certificate for Always On VPN SSTP will be installed on a load balancer or other security device, creating the CSR using OpenSSL may be required. Use the following commands to generate a CSR with ECDA using OpenSSL.

openssl ecparam -out aovpn_sstp.key -name prime256v1 -genkey
openssl req -new -key aovpn_sstp.key -out aovpn_sstp.csr -sha256

Submit the Request

Once complete, submit the CSR for signing to your favorite public CA. Based on my experience, some CAs are easier to obtain ECC certificates than others. Today, Digicert seems to be one of the better public CAs for obtaining ECC TLS certificates.

Complete the Request

Once the CA has issued the certificate, import the certificate into the local computer certificate store on the same client or server where the original CSR was created. The certificate can then be exported and imported on additional VPN servers if required.

Additional Information

Always On VPN SSL Certificate Requirements for SSTP

Always On VPN Protocol Recommendations for RRAS