Always On VPN SSTP Certificate Renewal

Windows Server Routing and Remote Access Service (RRAS) is popular for Always On VPN deployments because it supports the Secure Socket Tunneling Protocol (SSTP). The SSTP VPN protocol is recommended for use with the Always On VPN user tunnel because it is firewall friendly. Installing a TLS certificate on the VPN server is necessary to support SSTP VPN connections. Administrators should use a TLS certificate signed by a public certification authority (CA) for optimal reliability and performance.

Click here to view a video demonstration of the procedures outlined in this article.

Certificate Expiration

Of course, all certificates expire, and the TLS certificate used for SSTP is no exception. When using a public TLS certificate, the certificate lifetime is typically no more than one year, which means Always On VPN administrators will be renewing this certificate regularly.

Certificate Renewal

The process of “renewing” an SSTP TLS certificate is essentially the same as installing a new one, as it is best to create a new public/private key pair when renewing a certificate. The following outlines the steps required to generate a Certificate Signing Request (CSR), import the certificate, then assign the certificate to the SSTP listener on the VPN server.

Note: The guidance provided here assumes using an ECC certificate, which is best for optimal security and performance. More details here.

Certificate Request

Open the local computer certificate store (certlm.msc) on the VPN server and perform the following steps to generate a new CSR.

  1. Expand Certificates – Local Computer > Personal.
  2. Right-click the Certificates folder and choose All Tasks > Advanced Operations > Create Custom Request.
  3. Click Next.
  4. Highlight Proceed without enrollment policy.
  5. Click Next.
    1. Select (No template) CNG key from the Template drop-down list.
    2. Select PKCS #10 in the Request format section.
    3. Click Next.
  6. Click on the down arrow next to Details.
    Always On VPN ECDSA SSL Certificate Request for SSTP
  7. Click on the Properties button.
  8. Select the General tab.
    1. Enter the public hostname for the certificate in the Friendly name field.
  9. Select the Subject tab.
    1. Select Common name from the Type drop-down list in the Subject name section.
    2. Enter the public hostname for the certificate in the Value field.
    3. Click Add.
    4. In the Alternative name section, select DNS from the Type drop-down list.
    5. Enter the public hostname for the certificate in the Value field.
    6. Click Add.
      Always On VPN ECDSA SSL Certificate Request for SSTP
  10. Select the Extensions tab.
    1. Expand the Extended Key Usage section.
    2. Select Server Authentication from the Available options section.
    3. Click Add.
      Always On VPN ECDSA SSL Certificate Request for SSTP
  11. Select the Private Key tab.
    1. Expand the Cryptographic Service Provider section.
      1. Uncheck the box next to RSA,Microsoft Software Key Storage Provider.
      2. Check the box next to ECDSA_P256,Microsoft Software Key Storage Provider.
    2. Expand the Key options section.
      1. Check the box next to Make private key exportable.
        Always On VPN ECDSA SSL Certificate Request for SSTP
  12. Click Ok.
  13. Click Next.
  14. Enter a name for the file in the File Name field.
  15. Select Base 64 in the File format section.
  16. Click Finish.

Import Certificate

Once complete, submit the file created to a public CA for signing. When the CA returns the signed certificate, perform the following steps to import it to the local compute certificate store.

  1. Right-click the Certificates folder and choose All Tasks > Import.
  2. Click Next.
  3. Enter the name of the certificate file returned by the public CA in the File name field.
  4. Click Next.
  5. Select Place all certificates in the following store and ensure that Personal is listed in the Certificate store field.
  6. Click Next.
  7. Click Finish.
  8. Click Ok.

Assign Certificate

After importing the new TLS certificate in the local computer’s certificate store, open the Routing and Remote Access management console (rrasmgmt.msc) and perform the following steps to assign the TLS certificate to the SSTP listener.

  1. Right-click the VPN server and choose Properties.
  2. Select the Security tab.
    1. Select the new TLS certificate from the Certificate drop-down list in the SSL Certificate Binding section. When replacing an existing certificate, you may see a certificate with the same name more than once. Click the View button and ensure the new certificate is selected.
    2. Click Ok.
    3. Click Yes to restart the RemoteAccess service.

Demonstration Video

A recorded video demonstration of this process can be found here. The video recording also includes guidance for making these changes on Windows Server Core servers.

Additional Information

Installing or Renewing an SSL/TLS Certificate on Windows Server for Always On VPN and SSTP.

Microsoft Windows Always On VPN SSTP Security Configuration

Microsoft Windows Always On VPN SSL Certificate Requirements for SSTP

Microsoft Windows Always On VPN ECDSA TLS Certificate Request for SSTP

Microsoft Windows Always On VPN SSTP with Let’s Encrypt Certificates

Always On VPN SSTP Security Configuration

Always On VPN SSTP Security Configuration

When using Windows Server Routing and Remote Access Service (RRAS) to terminate Always On VPN client connections, administrators can leverage the Secure Socket Tunneling Protocol (SSTP) VPN protocol for client-based VPN connections. SSTP is a Microsoft proprietary VPN protocol that uses Transport Layer Security (TLS) to secure connections between the client and the VPN gateway. SSTP provides some crucial advantages over IKEv2 in terms of operational reliability. It uses the TCP port 443, the standard HTTPS port, which is universally available and ensures Always On VPN connectivity even behind highly restrictive firewalls.

TLS Certificate

When configuring SSTP, the first thing to consider is the certificate installed on the server. A certificate with an RSA key is most common, but for SSTP, provisioning a certificate with an ECDSA key is recommended for optimal security and performance. See the following two articles regarding SSTP certificate requirements and ECDSA Certificate Signing Request (CSR) creation.

Always On VPN SSL Certificate Requirements for SSTP

Always On VPN ECDSA SSL Certificate Request for SSTP

TLS Configuration

Much like IKEv2, the default TLS security settings for SSTP are less than optimal. However, SSTP can provide excellent security with some additional configuration.

TLS Protocols

There are several deprecated TLS protocols enabled by default in Windows Server. These include SSLv3.0, TLS 1.0, and TLS 1.1. They should be disabled to improve security for TLS. To do this, open an elevated PowerShell window on the VPN server and run the following commands.

New-Item -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server\’ -Force

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server\’ -Name Enabled -PropertyType DWORD -Value ‘0’

New-Item -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\’ -Force

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\’ -Name Enabled -PropertyType DWORD -Value ‘0’

New-Item -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\’ -Force

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\’ -Name Enabled -PropertyType DWORD -Value ‘0’

Cipher Suites

Many weak TLS cipher suites and enabled by default in Windows Server. To further enhance security and performance, they can be optimized using a tool such as IIS Crypto. For example, consider prioritizing cipher suites that use ECDHE and GCM with ECDSA to improve security. Also, remove ciphers that use AES-256 to enhance scalability and performance.

Note: AES-256 does not provide any additional practical security over AES-128. Details here.

PowerShell Script

I have published a PowerShell script on GitHub that performs security hardening and TLS cipher suite optimization to streamline the configuration TLS on Windows Server RRAS servers. You can download the script here.

Validation Testing

After running the script and restarting the server, visit the SSL Labs Server Test site to validate the configuration. You should receive an “A” rating, as shown here.

Note: An “A” rating is not achievable on Windows Server 2012 or Windows Server 2012 R2 when using an RSA TLS certificate. A TLS certificate using ECDSA is required to receive an “A” rating on these platforms.

Additional Information

Always On VPN SSL/TLS Certificate Requirements for SSTP

Always On VPN ECDSA SSL Certificate Request for SSTP

Qualys SSL Labs Server Test Site

Always On VPN Protocol Recommendations for Windows Server RRAS

Microsoft SSTP Specification on MSDN

Always On VPN SSTP Certificate Binding Error

Always On VPN SSTP Certificate Binding ErrorWhen configuring a Windows Server with the Routing and Remote Access Service (RRAS) role to support Windows 10 Always On VPN connections, the administrator may encounter the following error message when installing or updating the TLS certificate used for Secure Socket Tunneling Protocol (SSTP) connections.

“The thumbprint (cert hash) of the certificate used for Secure Socket Tunneling Protocol (SSTP) is different than the certificate bound to the Web listener (HTTP.sys). Configure SSTP to use the default certificate or the certificate bound to SSL. You can configure web server applications to use the same certificate used by SSTP.”

Always On VPN SSTP Certificate Binding Error

IIS Binding

Most commonly this error can occur if an administrator mistakenly binds a TLS certificate directly in IIS. To resolve this problem, open the IIS management console (inetmgr.exe), navigate to the Default Web Site and click Bindings in the Actions section. Highlight the HTTPS binding and click Remove. Once complete, open an elevated command window and run the iisreset.exe command.

Always On VPN SSTP Certificate Binding Error

Netsh

In some instances, the administrator may find no certificate bindings in the IIS management console. However, a certificate binding may still be present. To confirm, open an elevated command window and run the following command.

netsh.exe http show sslcert

Always On VPN SSTP Certificate Binding Error

Remove existing certificate binding by running the following commands.

netsh.exe http delete sslcert ipport=0.0.0.0:443
netsh.exe http delete sslcert ipport=[::]:443

SSTP Configuration

When configuring SSTP in RRAS for Always On VPN, certificate assignment should always be performed using the Routing and Remote Access management console (rrasmgmt.msc). No changes are required to be made in the IIS management console for SSTP.

Additional Information

Windows 10 Always On VPN SSL Certificate Requirements for SSTP

Windows 10 Always On VPN SSTP Load Balancing with Citrix NetScaler ADC Load Balancer

Windows 10 Always On VPN SSTP Load Balancing with Kemp LoadMaster Load Balancer

Windows 10 Always On VPN SSTP Load Balancing with F5 BIG-IP Load Balancer

%d bloggers like this: