Built for Always On VPN
The pre-built Always On VPN deployment template ships in your CertKit account. No scripting required.
The SSTP listener on a Windows Always On VPN gateway binds to one specific certificate, by hash, in HTTP.SYS. When that certificate renews the hash changes, but the listener keeps pointing at the old one, so remote clients can't establish the SSTP tunnel. The IKEv2 fallback masks it until that breaks too. Every 47 days. On every VPN gateway you run.
CertKit centralizes certificate issuance and renewal, then pushes the renewed certificate to your RRAS-based VPN servers automatically via the CertKit Agent, rebinds the SSTP listener, and cycles the Remote Access service so the new tunnel comes up clean.
The pre-built Always On VPN deployment template ships in your CertKit account. No scripting required.
The CertKit Agent imports the renewed PFX into the LocalMachine certificate store,
points the SSTP listener at the new certificate hash, and restarts the Remote Access
service so the SSTP tunnel comes back up on the current certificate. No MMC, no
netsh http by hand, no 3am call from a remote user who can't connect.
Restarting Remote Access drops the active SSTP device and user tunnels for a moment while the listener comes back on the new certificate. Set a deployment window per gateway so that happens at 2am Sunday, not at 11am Tuesday when half your remote workforce is mid-call. CertKit holds the renewed certificate and only rebinds inside the window you choose.
The pre-built Always On VPN template ships with your CertKit account. Set the SSTP port once. CertKit handles every renewal after that.
The manual process, if you want to do it yourself:
Set-RemoteAccess -SslCertificate with the new certificate, or
select it on the Security tab of the server properties in the RRAS console.
HTTP.SYS keeps the old certificate hash until you do.
Every one of these steps is manual, and Always On VPN won't repeat any of them for you when the certificate renews. With lifetimes shrinking to 47 days, installation stops being an annual chore and becomes a recurring task: eight times a year, on every gateway. Miss the rebind and remote workers can't connect.
At 47 days, automation is the only sustainable way to run the SSTP certificate. Here's how CertKit does it.
Remote device Your VPN gateway CertKit
┌──────────────┐ ┌───────────────────┐ ┌───────────────┐
│ │ SSTP │ ┌───────────────┐ │ │ │
│ Win10/11 │◄──────►│ │ CertKit Agent │◄┼────┤ Issue &Renew │
│ device + │ TLS │ └──────┬────────┘ │ │ Certificates │
│ user tunnel │ 443 │ │ rebind │ │ ┌───┐ │
│ │ │ ▼ │ └──────│DNS│────┘
└──────────────┘ │ ┌───────────────┐ │ └───┘
│ │ SSTP listener │ │ one-time CNAME
│ │ [x] Rebound │ │ delegated DNS
│ │ RemoteAccess │ │
│ │ [x] Restarted │ │
│ └───────────────┘ │
└───────────────────┘
CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. Your VPN gateways never run ACME, never open port 80 inbound, and never store DNS credentials. They just run the agent, which rebinds the SSTP listener over the local machine store.
CertKit is an invaluable tool for administrators managing public TLS certificates in Microsoft environments like Always On VPN (SSTP) and DirectAccess (IP-HTTPS), as it simplifies and fully automates Let's Encrypt certificate issuance and renewal. CertKit eliminates the security risks and complexities of manual DNS challenges or API key exposure.
Richard Hicks, Consultant and Microsoft MVP
Always On VPN has two tunnels with two very different certificate stories. The IKEv2 user and device tunnels authenticate with machine certificates issued by your internal CA, and those usually auto-enroll and renew through Group Policy. The SSTP fallback is different: it terminates TLS on port 443 and needs a publicly trusted certificate so clients on hostile networks, behind firewalls that only permit 443, trust the connection. Your internal CA can't issue that, and AD auto-enrollment doesn't touch it.
So the public SSTP certificate becomes the one nobody automates. It renews on a manual calendar reminder, and the rebind depends on someone remembering it. Miss it and SSTP clients fail silently while IKEv2 quietly carries the load, until the day a client on a restrictive network has only SSTP available and can't get in.
CertKit issues the public SSTP certificate via delegated DNS validation, then the agent rebinds the listener and restarts Remote Access on every renewal. There is no ACME client on the gateway and no manual rebind to forget.
The same public-certificate problem shows up across Microsoft's remote-access stack. If you run DirectAccess, the IP-HTTPS listener has the identical failure mode. If you terminate VPN on a bare Routing and Remote Access (RRAS) server, the SSTP binding lives in the registry. CertKit automates all of them, plus IIS, Exchange, and AD FS, from one account.
Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.