As I’ve discussed previously, it is strongly recommended that the TLS certificate used for SSTP on Windows Server RRAS use an Elliptic Curve Cryptography (ECC) key. An ECC key delivers security comparable to a much larger RSA key (P-256 is roughly equivalent in strength to RSA 3072) with better TLS handshake performance for Windows 10 Always On VPN connections using SSTP. See my previous post, Always On VPN SSL Certificate Requirements for SSTP, for more information.
Certificate Signing Request
To generate a Certificate Signing Request (CSR) with an ECC key for submission to a public Certification Authority (CA) on Windows, open the local computer certificate store (certlm.msc) on the Windows server or client that will hold the private key and follow the steps below.
Note: Guidance for creating a CSR with ECC using OpenSSL can be found at the end of this post.
- Expand Certificates – Local Computer.
- Right-click the Personal folder and choose All Tasks > Advanced Operations > Create Custom Request.
- Click Next.
- Select Proceed without enrollment policy.
- Click Next.
- From the Template drop-down list choose (No template) CNG key.
- Click Next.
- Click Details.
- Click Properties.
- On the General tab enter a name in the Friendly name field.
- Click on the Subject tab.
- Under Subject name choose Common name from the Type drop-down list, enter the public hostname of the VPN server (for example vpn.example.net), and click Add.
- Under Alternative name choose DNS from the Type drop-down list, enter the same hostname, and click Add.
- Click on the Extensions tab.
- Expand Extended Key Usage (application policies).
- Highlight Server Authentication.
- Click Add.
- Click on the Private Key tab.
- Expand Cryptographic Service Provider.
- Uncheck RSA,Microsoft Software Key Storage Provider and check ECDSA_P256,Microsoft Software Key Storage Provider. Without this step the request is generated with an RSA key.
- Expand Key options.
- Select the option to Make private key exportable.
- Click Ok.
- Click Next.
- Enter a name for the file in the File Name field.
- Click Finish.
Certreq
Installing the TLS certificate for Always On VPN SSTP on a Windows Server Core server will require using certreq.exe, since certlm.msc is not available there. First, using notepad.exe, create a certificate request configuration file that includes the following information. Save it with a .INF file extension. Use straight double quotes as shown; curly quotes copied from a web page will cause certreq.exe to fail to parse the file.
[NewRequest]
Subject = "CN=vpn.example.net"
FriendlyName = vpn.example.net
KeyAlgorithm = ECDSA_P256
KeyLength = 256
MachineKeySet = True
Exportable = TRUE
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=vpn.example.net&"
Next, create the CSR file by opening an elevated command window and running the following command. The private key is generated in the local computer store of the machine where this command runs, so run it on the VPN server that will use the certificate.
certreq.exe -new .\newcert.inf .\newcert.csr
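The certreq workflow above, carried through end to end and checked, as an added example (my code, not from the original post): it writes the INF, creates the request, confirms the CSR carries an ECC public key before it is sent to the CA, accepts the issued certificate with certreq -accept (the Server Core equivalent of importing it in certlm.msc), verifies that the installed certificate is ECDSA P-256 with a private key, the Server Authentication EKU and the expected SAN, and exports a PFX for additional VPN servers. The hostname vpn.example.net, the C:\Certs working directory and the issued-certificate file name vpn.example.net.cer are assumptions; run it from an elevated PowerShell prompt on the VPN server.

```powershell
# Added example, not part of the original post. Assumed values: hostname,
# working directory and the file name the CA-issued certificate is saved under.
$Hostname = 'vpn.example.net'
$WorkDir  = 'C:\Certs'
$InfPath  = Join-Path $WorkDir 'newcert.inf'
$CsrPath  = Join-Path $WorkDir 'newcert.csr'
$CerPath  = Join-Path $WorkDir "$Hostname.cer"   # issued certificate from the CA (assumed name)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Request file. Written as ASCII with straight quotes so certreq parses it.
@"
[NewRequest]
Subject = "CN=$Hostname"
FriendlyName = $Hostname
KeyAlgorithm = ECDSA_P256
KeyLength = 256
MachineKeySet = True
Exportable = TRUE
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Hostname&"
"@ | Set-Content -Path $InfPath -Encoding ASCII

# 2. Generate the key pair in the local computer store and write the CSR.
certreq.exe -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Sanity check before submitting: the CSR dump must show the ECC public key OID
# (1.2.840.10045.2.1), not the RSA OID (1.2.840.113549.1.1.1).
$csrDump = certutil.exe -dump $CsrPath | Out-String
if ($csrDump -notmatch '1\.2\.840\.10045\.2\.1') {
    throw 'CSR does not carry an ECC public key; check KeyAlgorithm in the INF'
}

# 3. Once the CA has issued the certificate, bind it to the pending request's
#    private key and place it in LocalMachine\My. This replaces the certlm.msc
#    import on Server Core and must run on the machine that created the CSR.
certreq.exe -accept $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 4. Verify the installed certificate has everything SSTP needs.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Hostname*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$Hostname in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key; it was accepted on a different machine than the one that created the CSR'
}

# GetECDsaPublicKey returns $null for an RSA certificate.
$ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
if (-not $ecdsa -or $ecdsa.KeySize -ne 256) { throw 'Public key is not ECDSA P-256' }

# Extended Key Usage (2.5.29.37) must include Server Authentication (1.3.6.1.5.5.7.3.1).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    throw 'Certificate lacks the Server Authentication EKU'
}

# Subject Alternative Name (2.5.29.17) must carry the VPN hostname clients connect to.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($Hostname)) {
    throw "Certificate SAN does not include $Hostname"
}

# 5. Export certificate and private key for additional VPN servers. This works
#    only because the request was created with Exportable = TRUE.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $WorkDir "$Hostname.pfx") -Password $pfxPassword | Out-Null

Write-Output "OK: $($cert.Thumbprint) is an ECDSA P-256 server authentication certificate with a private key"
```

The verification stage is the part worth keeping even if the rest is done by hand: a missing private key means the certificate was accepted on the wrong machine, a null result from GetECDsaPublicKey means the request was silently created with an RSA key, and either condition produces a certificate that SSTP cannot use as intended.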
OpenSSL
If the TLS certificate for Always On VPN SSTP will be installed on a load balancer or other security device, creating the CSR using OpenSSL may be required. Use the following commands to generate a P-256 ECDSA key and a CSR with OpenSSL. The -addext option, which adds the Subject Alternative Name that the certreq and certlm.msc requests above also include, requires OpenSSL 1.1.1 or later.
openssl ecparam -out aovpn_sstp.key -name prime256v1 -genkey
openssl req -new -key aovpn_sstp.key -out aovpn_sstp.csr -sha256 -subj "/CN=vpn.example.net" -addext "subjectAltName=DNS:vpn.example.net"
Submit the Request
Once complete, submit the CSR for signing to your favorite public CA. Based on my experience, obtaining ECC certificates from some CAs is easier than from others. Today, Digicert seems to be one of the better public CAs for obtaining ECC TLS certificates.
Complete the Request
Once the CA has issued the certificate, import it into the local computer certificate store on the same client or server where the original CSR was created; the private key exists only there, and importing the certificate anywhere else produces a certificate without a private key. On Server Core, run certreq.exe -accept against the issued certificate file. Because the request was created with an exportable private key, the certificate can then be exported as a PFX (certificate and private key together) and imported on additional VPN servers if required.