Routing and Remote Access Blog

VPN articles - straight from Windows development team

How to change the machine certificate of SSTP based RRAS server

How to change the machine certificate of SSTP based RRAS server

  • Comments 3
  • Likes

SSTP requires a machine certificate on the RRAS server which needs to be set inside HTTPS listener (i.e. HTTP.SYS). This certificate will be sent to the client during SSL hand-shake stage (like in any other https:// requests). The RRAS server, when configured first time tries read a machine certificate from the machine certificate store and sets it inside HTTPS listener for 0.0.0.0::443 and [::]:443 (i.e. all IP addresses: 443), if it not already set. Otherwise, it keeps it untouched.

 

Please note: The HTTPS listener can have only one certificate for a given IP address/port number pair. This means if you have RRAS, IIS and the additional web listeners (like TS gateway) sitting on top of HTTPS listener, then you need to ensure all the different server roles are using the same certificate for a given IP address/port number pair.

 

Background of the problem:
Let us assume that you have already installed a machine certificate and configured the RRAS server once. But later you want to change the certificate (like a new certificate is provisioned or existing one expired or you want to explicitly provision a specific certificate to RRAS inside of RRAS selecting on its own etc) without reconfiguring RRAS from scratch. This post helps you to know insights on how to change the machine certificate.

Background of the components involved:
There are three components involved: -
a) The machine certificate that is installed inside "computer account" of certificate store.
b) The HTTPS listener component that terminates all the HTTPS connections and is plumbed with a machine certificate (note: please use the following command to figure out which certificate is bound to HTTP listener: netsh http show sslcert)
c) The RRAS server which sits on top HTTP.SYS that terminates the SSTP based  VPN connections. It also uses the certificate hash of machine certificate for its crypto-binding validation phase (which is an extra security cover to ensure PPP client and SSL client is originated from the same machine to avoid man in the middle attack).

If you want to change machine certificate, you need to ensure all the three components are kept in sync (i.e. RRAS & HTTP listener are plumbed with same certificate and certificate is actually present in the machine store).

Steps to change the machine certificate:
1) Find out which machine certificate is configured for the SSTP based VPN connection. This can be accomplished using one of the following steps:
1.1) Run the following netsh command on server side to figure out the SSL certificate plumbed to HTTP.SYS.
netsh http show sslcert
Please look at the certificate with IP:Port pair as 0.0.0.0::/443 and [::]:443 and note down the Certificate hash value. Please refer to the Setting up the SSTP listener blog (as referenced below) for  further details.

OR

1.2) On the VPN client machine, open your web browser and type in the following URL (assume myvpn.contoso.com is your VPN server name)

https://myvpn.contoso.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/

View the certificate inside the browser (e.g. IE7 prints the certificate inside the lock shown next to address bar) and note down the certificate hash value.

2) Now delete that certificate from the server certificate store (local computer store)
Open MMC. Add the Local Computer certificates snap-in (Click on File -->Add/Remove snap-in -->Select 'Certificates' from the list of Available snap-ins --> Click on Add --> Select 'Computer account' --> Click on Next --> Ensure 'Local computer' is selected' --> Click on Finish --> OK
Expand the 'Certificates (Local Computer)' node (Double click on the node). Expand the 'Personal' node ( Double-click on the node). Click on 'Certificates' sub-node under this.

On the certificates pane, you will see a list of certificates in the store. Double click on the certificate which you want to be bound to the SSTP listener i.e. the certificate with the subject name matching the hostname used in the client VPN connection. Click on 'Details' tab. Make sure '<All>' is selected in the drop down for 'Show:' Ensure that the value for the field 'Thumbprint Algorithm' is sha1. Compare the value of the field 'Thumbprint' with the value of the certificate hash we saw in step 1) from netsh http show sslcert command. If it is same, then it means this is the certificate that is bound to the HTTPS listener.  Right-click and delete the certificate.

3) Remove the certificate binding from HTTPS Listener
netsh http delete sslcert ipport=0.0.0.0:443
netsh http delete sslcert ipport=[::]:443

4) Remove the certificate binding in RRAS. Open regedit and delete the following regkeys (if present)
HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha256CertificateHash

HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha1CertificateHash

 

5) Add the new certificate inside the certificate store (local computer store)


6) Plumb the new certificate to the HTTPS Listener (assuming new certificate has SHA1 certificate hash as xxx)
netsh http add sslcert ipport=0.0.0.0:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
netsh http add sslcert ipport=[::]:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

7) Restart RRAS from RRAS MMC console. RRAS will read the certificate that is plumbed to the HTTPS Listener and records the appropriate certificate hashes regkeys for its crypto-binding validation phase.

 

References:

Setting up HTTP listener

Verifying VPN server is accepting SSTP connections

SSTP Server FAQ

Debugging SSTP connection failure

Cheers,

Samir Jain
Lead Program Manager (samirj@online.microsoft.com **)
RRAS, Windows Enterprise Networking

** Remove the "online" to actually email me 

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Comments
  • Thanks for the information. Generally it is considered for all by a few instead of considering it for one certificate for a given IP address/port number pair.

  • SSTP by default is configured to listen on all the interfaces (i.e. 0.0.0.0 for IPv4 or ::/0 for IPv6).

  • Hello Friends, In my previous posting related to VPN tunnel selection , I discussed various scenarios

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment