Renew DirectAccess Self-Signed Certificates

Renew DirectAccess Self-Signed CertificatesWhen DirectAccess is deployed using the Getting Started Wizard (GSW), sometimes referred to as the “simplified deployment” method, self-signed certificates are created during the installation and used for the IP-HTTPS IPv6 transition technology, the Network Location Server (NLS), and for RADIUS secret encryption.

Renew DirectAccess Self-Signed Certificates

Certificate Expiration

These self-signed certificates expire 5 years after they are created, which means many DirectAccess administrators who have used this deployment option will need to renew these certificates at some point in the future. Unfortunately, there’s no published guidance from Microsoft on how to accomplish this. However, the process is simple enough using PowerShell and the New-SelfSignedCertificate cmdlet.

PowerShell Script

Open an elevated PowerShell command window and run the following commands to renew the DirectAccess self-signed certificates.

# // Clone and install IP-HTTPS certificate

$iphttpscert = (Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object Thumbprint -eq ((Get-RemoteAccess).SslCertificate | Select-Object -ExpandProperty Thumbprint))
$newcert = New-SelfSignedCertificate -CloneCert $iphttpscert -FriendlyName “DirectAccess-IPHTTPS” | Select-Object -ExpandProperty Thumbprint
$cert = (Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object Thumbprint -eq $newcert)
Set-RemoteAccess -SslCertificate $cert -PassThru

# // Clone and install NLS certificate

$nlscert = (Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object Thumbprint -eq ((Get-RemoteAccess).NlsCertificate | Select-Object -ExpandProperty Thumbprint))
$newcert = New-SelfSignedCertificate -CloneCert $nlscert -FriendlyName “DirectAccess-NLS” | Select-Object -ExpandProperty Thumbprint
$cert = (Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object Thumbprint -eq $newcert)
Set-DANetworkLocationServer -NLSOnDAServer -Certificate $cert

# // Clone RADIUS encryption certificate

$cert = (Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object Subject -like “*radius-encrypt*”)
New-SelfSignedCertificate -CloneCert $cert -FriendlyName “Certificate issued by Remote Access for RADIUS shared secrets”

Script on GitHub

I’ve also published this script on GitHub. You can download Renew-DaSelfSignedCertificates.ps1 here.

Important Considerations

When the script above is executed, DirectAccess clients outside will be immediately disconnected and will be unable to reconnect until they update group policy. This will require connecting to the internal network locally or remotely using another VPN solution. In addition, internal clients that are not online when this change is made will be unable to access internal resources by name until they update group policy. If this happens, delete the Name Resolution Policy Table (NRPT) on the client using the following PowerShell command and reboot to restore connectivity.

Get-Item -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig” | Remove-Item -Confirm:$false

Additional Information

PowerShell Recommended Reading for DirectAccess Administrators

Top 5 DirectAccess Troubleshooting PowerShell Commands

%d bloggers like this: