← Integrations

Automated SSL certificate renewal for Always On VPN

Always On VPN won't rebind a renewed SSTP certificate on its own. CertKit will.

The SSTP listener on a Windows Always On VPN gateway binds to one specific certificate, by hash, in HTTP.SYS. When that certificate renews the hash changes, but the listener keeps pointing at the old one, so remote clients can't establish the SSTP tunnel. The IKEv2 fallback masks it until that breaks too. Every 47 days. On every VPN gateway you run.

CertKit centralizes certificate issuance and renewal, then pushes the renewed certificate to your RRAS-based VPN servers automatically via the CertKit Agent, rebinds the SSTP listener, and cycles the Remote Access service so the new tunnel comes up clean.

Start free trial Watch demo

Built for Always On VPN

The pre-built Always On VPN deployment template ships in your CertKit account. No scripting required.

The CertKit Agent imports the renewed PFX into the LocalMachine certificate store, points the SSTP listener at the new certificate hash, and restarts the Remote Access service so the SSTP tunnel comes back up on the current certificate. No MMC, no netsh http by hand, no 3am call from a remote user who can't connect.

Restarting Remote Access drops the active SSTP device and user tunnels for a moment while the listener comes back on the new certificate. Set a deployment window per gateway so that happens at 2am Sunday, not at 11am Tuesday when half your remote workforce is mid-call. CertKit holds the renewed certificate and only rebinds inside the window you choose.

The pre-built Always On VPN template ships with your CertKit account. Set the SSTP port once. CertKit handles every renewal after that.

How to install the SSL certificate on an Always On VPN gateway

The manual process, if you want to do it yourself:

  1. Get a publicly trusted certificate. It must match the public hostname in your VPN profiles. This is not the machine certificate the device tunnel auto-enrolls, it's the public one your internal CA can't issue.
  2. Import the PFX into the computer store. Local Machine → Personal on the VPN gateway, with the private key.
  3. Rebind the SSTP listener. Run Set-RemoteAccess -SslCertificate with the new certificate, or select it on the Security tab of the server properties in the RRAS console. HTTP.SYS keeps the old certificate hash until you do.
  4. Restart Remote Access. The SSTP tunnel comes back on the new certificate. Active device and user tunnels reconnect.
  5. Verify SSTP specifically. Test an SSTP connection, not just IKEv2. The IKEv2 fallback masks a broken SSTP binding until a client on a restrictive network needs it. Then repeat on every gateway.

Every one of these steps is manual, and Always On VPN won't repeat any of them for you when the certificate renews. With lifetimes shrinking to 47 days, installation stops being an annual chore and becomes a recurring task: eight times a year, on every gateway. Miss the rebind and remote workers can't connect.

At 47 days, automation is the only sustainable way to run the SSTP certificate. Here's how CertKit does it.

How it works

 Remote device          Your VPN gateway        CertKit
┌──────────────┐        ┌───────────────────┐    ┌───────────────┐
│              │  SSTP  │ ┌───────────────┐ │    │               │
│  Win10/11    │◄──────►│ │ CertKit Agent │◄┼────┤ Issue &Renew  │
│  device +    │  TLS   │ └──────┬────────┘ │    │ Certificates  │
│  user tunnel │  443   │        │ rebind   │    │      ┌───┐    │
│              │        │        ▼          │    └──────│DNS│────┘
└──────────────┘        │ ┌───────────────┐ │           └───┘
                        │ │ SSTP listener │ │     one-time CNAME
                        │ │ [x] Rebound   │ │     delegated DNS
                        │ │ RemoteAccess  │ │
                        │ │ [x] Restarted │ │
                        │ └───────────────┘ │
                        └───────────────────┘

CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. Your VPN gateways never run ACME, never open port 80 inbound, and never store DNS credentials. They just run the agent, which rebinds the SSTP listener over the local machine store.

CertKit is an invaluable tool for administrators managing public TLS certificates in Microsoft environments like Always On VPN (SSTP) and DirectAccess (IP-HTTPS), as it simplifies and fully automates Let's Encrypt certificate issuance and renewal. CertKit eliminates the security risks and complexities of manual DNS challenges or API key exposure.

Richard Hicks, Consultant and Microsoft MVP

What CertKit handles

Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Install the CertKit Agent on the VPN gateway. One command on the Windows Server running the Remote Access role. The agent runs as a Windows service and needs no inbound firewall rules.
  3. Add the Always On VPN deployment script. The pre-built template is in your account. Set the SSTP port and save. CertKit imports, rebinds, and restarts on every renewal.

See the full architecture →

Why the SSTP certificate is the one that bites you

Always On VPN has two tunnels with two very different certificate stories. The IKEv2 user and device tunnels authenticate with machine certificates issued by your internal CA, and those usually auto-enroll and renew through Group Policy. The SSTP fallback is different: it terminates TLS on port 443 and needs a publicly trusted certificate so clients on hostile networks, behind firewalls that only permit 443, trust the connection. Your internal CA can't issue that, and AD auto-enrollment doesn't touch it.

So the public SSTP certificate becomes the one nobody automates. It renews on a manual calendar reminder, and the rebind depends on someone remembering it. Miss it and SSTP clients fail silently while IKEv2 quietly carries the load, until the day a client on a restrictive network has only SSTP available and can't get in.

CertKit issues the public SSTP certificate via delegated DNS validation, then the agent rebinds the listener and restarts Remote Access on every renewal. There is no ACME client on the gateway and no manual rebind to forget.

Always On VPN is one of several Microsoft remote-access roles

The same public-certificate problem shows up across Microsoft's remote-access stack. If you run DirectAccess, the IP-HTTPS listener has the identical failure mode. If you terminate VPN on a bare Routing and Remote Access (RRAS) server, the SSTP binding lives in the registry. CertKit automates all of them, plus IIS, Exchange, and AD FS, from one account.

See all integrations

Start automating Always On VPN certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.

Start free trial See pricing