
Automated SSL certificate renewal for Always On VPN

Always On VPN won't rebind a renewed SSTP certificate on its own. CertKit will.

The SSTP listener on a Windows Always On VPN gateway binds to one specific certificate, by hash, in HTTP.SYS. When that certificate renews the hash changes, but the listener keeps pointing at the old one, so remote clients can't establish the SSTP tunnel. Clients that can still reach the gateway over IKEv2 mask the failure until that path breaks too. Every 47 days. On every VPN gateway you run.

CertKit centralizes certificate issuance and renewal, then pushes the renewed certificate to your RRAS-based VPN servers automatically via the CertKit Agent, rebinds the SSTP listener, and cycles the Remote Access service so the new tunnel comes up clean.


How it works

 Remote device          Your VPN gateway        CertKit
┌──────────────┐        ┌───────────────────┐    ┌───────────────┐
│              │  SSTP  │ ┌───────────────┐ │    │               │
│  Win10/11    │◄──────►│ │ CertKit Agent │◄┼────┤ Issue & Renew │
│  device +    │  TLS   │ └──────┬────────┘ │    │ Certificates  │
│  user tunnel │  443   │        │ rebind   │    │      ┌───┐    │
│              │        │        ▼          │    └──────│DNS│────┘
└──────────────┘        │ ┌───────────────┐ │           └───┘
                        │ │ SSTP listener │ │     one-time CNAME
                        │ │ [x] Rebound   │ │     delegated DNS
                        │ │ RemoteAccess  │ │
                        │ │ [x] Restarted │ │
                        │ └───────────────┘ │
                        └───────────────────┘

CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. Your VPN gateways never run ACME, never open port 80 inbound, and never store DNS credentials. They just run the agent, which imports the renewed certificate into the local machine store and rebinds the SSTP listener to it.

CertKit is an invaluable tool for administrators managing public TLS certificates in Microsoft environments like Always On VPN (SSTP) and DirectAccess (IP-HTTPS), as it simplifies and fully automates Let's Encrypt certificate issuance and renewal. CertKit eliminates the security risks and complexities of manual DNS challenges or API key exposure.

Richard Hicks, Consultant and Microsoft MVP

Always On VPN deployment script

# Always On VPN — SSTP Listener Certificate Rebind
#
# Rebinds the SSTP listener to a renewed certificate on a Windows
# Always On VPN gateway (RRAS / Remote Access role). The CertKit
# Agent imports the renewed PFX into the LocalMachine store before
# this script runs, so this script only points SSTP at the new hash
# and restarts the service. RRAS reads the bound hash when it starts,
# so without the restart clients keep being offered the old
# certificate; the restart drops active tunnels, which reconnect on
# the new one.
#
# Injected variables (set by CertKit Agent):
#   $thumbprint - SHA1 thumbprint of the renewed certificate
#   $sstpPort   - SSTP listener port (default 443)
#
# Prerequisites:
#   - PowerShell 5.1+ (Windows Server 2016+)
#   - RemoteAccess role + RemoteAccess PowerShell module
#   - Service account permitted to restart RemoteAccess

$ErrorActionPreference = 'Stop'
Import-Module RemoteAccess

# Stop before touching the listener if the import did not happen or the
# PFX arrived without its key: a binding with no private key fails every
# handshake while looking correct everywhere else.
$cert = Get-ChildItem Cert:\LocalMachine\My\$thumbprint
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key in LocalMachine\My"
}

Set-RemoteAccess -SslCertificate $cert
Restart-Service RemoteAccess -Force

# Give SstpSvc a moment to come up, then confirm the port is listening again.
Start-Sleep -Seconds 5
if (-not (Get-NetTCPConnection -LocalPort $sstpPort -State Listen -ErrorAction SilentlyContinue)) {
    throw "Nothing is listening on port $sstpPort after restarting RemoteAccess"
}

The complete deployment script ships in your CertKit account.
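A check worth running on the gateway right after the rebind, added here as an example and not part of CertKit's script or product: it reads the four places that have to agree (the LocalMachine store, the SstpSvc registry hashes, the HTTP.SYS SSL binding as reported by netsh, and the RemoteAccess service state) and returns them as one object with an overall Bound verdict. The registry path and the netsh output format are the standard Windows SSTP ones; $thumbprint and the port are assumed to be the same injected values the deployment script uses.

```powershell
# Added example (not CertKit's code): confirm the SSTP listener is bound to
# the renewed certificate. Assumes $thumbprint is the injected SHA1 thumbprint.
function Test-SstpBinding {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{40}$')]
        [string]$Thumbprint,      # SHA1 thumbprint the listener should use now
        [int]$Port = 443          # SSTP listener port
    )
    $Thumbprint = $Thumbprint.ToUpperInvariant()
    $hex = { param($b) if ($b) { [System.BitConverter]::ToString([byte[]]$b) -replace '-', '' } else { '' } }

    # 1. Store: the renewed certificate must be in LocalMachine\My with its
    #    private key. A PFX imported without the key binds fine and then fails
    #    every TLS handshake.
    $cert = Get-ChildItem "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    $inStore = $null -ne $cert
    $hasKey = [bool]($inStore -and $cert.HasPrivateKey)
    $certSha256 = if ($inStore) {
        & $hex ([System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData))
    } else { '' }

    # 2. Registry: SstpSvc keeps the bound hashes as REG_BINARY values and
    #    reads them when the service starts. Stale values mean the rebind
    #    never took, or the service was not restarted afterwards.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
    $regSha1 = & $hex $p.SHA1CertificateHash
    $regSha256 = & $hex $p.SHA256CertificateHash

    # 3. HTTP.SYS: the SSL binding on the SSTP port must carry the same hash.
    #    Dual-stack hosts have an IPv4 and an IPv6 binding; both are checked.
    #    netsh labels are localized; adjust the regex on a non-English host.
    $netsh = (netsh http show sslcert) -join "`n"
    $bound = @{}
    foreach ($ip in '0.0.0.0', '[::]') {
        $re = 'IP:port\s*:\s*' + [regex]::Escape("${ip}:${Port}") + '[\s\S]*?Certificate Hash\s*:\s*([0-9A-Fa-f]+)'
        $bound[$ip] = if ($netsh -match $re) { $Matches[1].ToUpperInvariant() } else { $null }
    }
    $present = @($bound.Values | Where-Object { $_ })
    $httpOk = ($present.Count -gt 0) -and (@($present | Where-Object { $_ -ne $Thumbprint }).Count -eq 0)

    # 4. Service: everything above can be correct while RemoteAccess is stopped.
    $svc = Get-Service RemoteAccess
    $running = $svc.Status -eq 'Running'
    $regSha1Ok = $regSha1 -eq $Thumbprint
    $regSha256Ok = [bool]($regSha256 -and ($regSha256 -eq $certSha256))

    [pscustomobject]@{
        Thumbprint       = $Thumbprint
        InStore          = $inStore
        HasPrivateKey    = $hasKey
        NotAfter         = if ($inStore) { $cert.NotAfter } else { $null }
        RegistrySha1Ok   = $regSha1Ok
        RegistrySha256Ok = $regSha256Ok
        HttpSysIPv4      = $bound['0.0.0.0']
        HttpSysIPv6      = $bound['[::]']
        HttpSysOk        = $httpOk
        ServiceRunning   = $running
        Bound            = $hasKey -and $regSha1Ok -and $httpOk -and $running
    }
}

# Run right after the deployment script, with the same injected thumbprint:
Test-SstpBinding -Thumbprint $thumbprint | Format-List
```

If Bound comes back false, the individual fields say which step to repeat: InStore or HasPrivateKey false means the import failed, a wrong RegistrySha1 means Set-RemoteAccess did not run, and a correct registry with a stale HTTP.SYS hash or a stopped service means the restart is what is missing.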

The CertKit Agent imports the renewed PFX into the LocalMachine certificate store, points the SSTP listener at the new certificate hash, and restarts the Remote Access service so the SSTP tunnel comes back up on the current certificate. No MMC, no netsh http by hand, no 3am call from a remote user who can't connect.

Restarting Remote Access drops every active tunnel on that gateway for a moment, the IKEv2 device and user tunnels as well as SSTP, while the listener comes back on the new certificate. Always On VPN clients reconnect on their own, but a user mid-call still notices. Set a deployment window per gateway so that happens at 2am Sunday, not at 11am Tuesday when half your remote workforce is on calls. CertKit holds the renewed certificate and only rebinds inside the window you choose.

The pre-built Always On VPN template ships with your CertKit account. Set the SSTP port once. CertKit handles every renewal after that.

What CertKit handles

Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Install the CertKit Agent on the VPN gateway. One command on the Windows Server running the Remote Access role. The agent runs as a Windows service and needs no inbound firewall rules.
  3. Add the Always On VPN deployment script. The pre-built template is in your account. Set the SSTP port and save. CertKit imports, rebinds, and restarts on every renewal.


Why the SSTP certificate is the one that bites you

Always On VPN has two tunnels with two very different certificate stories. The IKEv2 device tunnel authenticates with a machine certificate and the user tunnel typically with a user certificate over EAP-TLS, both issued by your internal CA, and those usually auto-enroll and renew through Group Policy. The SSTP fallback is different: it terminates TLS on port 443, and the client validates that certificate, revocation check included, before any tunnel exists. So it needs a publicly trusted certificate whose revocation endpoints are reachable from the Internet, because clients on hostile networks, behind firewalls that only permit 443, have no other path in. Your internal CA can't realistically provide that, and AD auto-enrollment doesn't touch it.

So the public SSTP certificate becomes the one nobody automates. It renews on a manual calendar reminder, gets imported through MMC, and then someone has to remember to Set-RemoteAccess -SslCertificate and restart the service. Miss the rebind and SSTP clients fail silently while IKEv2 quietly carries the load, until the day a client on a restrictive network has only SSTP available and can't get in.

CertKit issues the public SSTP certificate via delegated DNS validation, then the agent rebinds the listener and restarts Remote Access on every renewal. There is no ACME client on the gateway and no manual rebind to forget.
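The failure mode the paragraphs above describe, a listener still serving an old or expired certificate that nobody notices until a 443-only client needs it, is cheap to detect from outside. The following is an added example, not CertKit's or Microsoft's code: from any host that can reach the gateway it performs the TLS handshake an SSTP client performs before any tunnel exists (SNI for the gateway name, chain build with online revocation checking, host-name match against the SAN) and reports what the listener actually presents. vpn.example.com is a placeholder; pass -ExpectedThumbprint after a rebind to confirm the renewed certificate is the one on the wire, and schedule the call to catch a missed rebind before a user does.

```powershell
# Added example (not CertKit's code): inspect the certificate an SSTP listener
# really serves, validated the way an SSTP client validates it.
function Get-SstpCertificateStatus {
    param(
        [Parameter(Mandatory)][string]$GatewayFqdn,
        [int]$Port = 443,
        [string]$ExpectedThumbprint = '',   # thumbprint you just bound, if known
        [int]$WarnDays = 14                 # flag certificates closer to expiry than this
    )

    # Handshake with a permissive callback: the chain is evaluated below, so
    # an expired or wrong certificate is reported rather than aborting here.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($GatewayFqdn, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($GatewayFqdn)    # SNI = gateway name, as the SSTP client sends it
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $protocol = $ssl.SslProtocol
    } finally {
        $tcp.Close()
    }

    # Chain to a trusted root plus an online revocation check. This is why an
    # internal-CA certificate with an intranet-only CRL fails from the Internet
    # even on a device that trusts that CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($leaf)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # X509Chain does not check the host name; clients do. Accept an exact SAN
    # entry or a single-label wildcard. DnsNameList is PowerShell's view of the SAN.
    $dot = $GatewayFqdn.IndexOf('.')
    $parent = if ($dot -gt 0) { $GatewayFqdn.Substring($dot + 1) } else { '' }
    $nameOk = $false
    foreach ($n in @($leaf.DnsNameList | ForEach-Object { "$($_.Unicode)" })) {
        if ($n -ieq $GatewayFqdn) { $nameOk = $true; break }
        if ($n.StartsWith('*.') -and $parent -and ($n.Substring(2) -ieq $parent)) { $nameOk = $true; break }
    }

    $daysLeft = [int][math]::Floor(($leaf.NotAfter - (Get-Date)).TotalDays)
    $thumbOk = (-not $ExpectedThumbprint) -or ($leaf.Thumbprint -ieq ($ExpectedThumbprint -replace '[\s:]', ''))

    [pscustomobject]@{
        Gateway      = "${GatewayFqdn}:${Port}"
        TlsProtocol  = $protocol
        Thumbprint   = $leaf.Thumbprint
        Subject      = $leaf.Subject
        NotAfter     = $leaf.NotAfter
        DaysLeft     = $daysLeft
        ChainValid   = $chainOk
        ChainStatus  = $chainStatus
        NameMatches  = $nameOk
        ThumbprintOk = $thumbOk
        Healthy      = $chainOk -and $nameOk -and $thumbOk -and ($daysLeft -gt $WarnDays)
    }
}

# vpn.example.com is a placeholder for your gateway's public name:
Get-SstpCertificateStatus -GatewayFqdn 'vpn.example.com' | Format-List
```

Healthy turns false a fortnight before expiry by default, which is the signal to check why the renewal or the rebind has not landed; a ChainStatus of RevocationStatusUnknown or OfflineRevocation with an otherwise valid chain points at revocation endpoints the client cannot reach, the same thing an SSTP client trips over.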

Always On VPN is one of several Microsoft remote-access roles

The same public-certificate problem shows up across Microsoft's remote-access stack. If you run DirectAccess, the IP-HTTPS listener has the identical failure mode. If you terminate VPN on a bare Routing and Remote Access (RRAS) server, the SSTP binding lives in the registry. CertKit automates all of them, plus IIS, Exchange, and AD FS, from one account.


Start automating Always On VPN certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.
