Automated SSL certificate renewal for DirectAccess

An expired IP-HTTPS certificate takes every DirectAccess client offline. CertKit prevents it.

DirectAccess tunnels remote clients over IP-HTTPS, IPv6 packets wrapped in a TLS session on port 443, and that listener binds to one certificate. When the IP-HTTPS certificate expires or renews without a rebind, every remote client drops off the corporate network at once, and because DirectAccess is seamless and always-on, nobody notices until the help desk lights up. Every 47 days. On every DirectAccess entry point.

CertKit centralizes certificate issuance and renewal, then pushes the renewed IP-HTTPS certificate to your DirectAccess servers automatically via the CertKit Agent, rebinds the listener, and confirms the tunnel is serving the new certificate before it ever expires.

Start free trial Watch demo

How it works

 Remote client          DirectAccess server     CertKit
┌──────────────┐        ┌───────────────────┐    ┌───────────────┐
│              │IP-HTTPS│ ┌───────────────┐ │    │               │
│  Remote      │◄──────►│ │ CertKit Agent │◄┼────┤ Issue &Renew  │
│  client +    │  TLS   │ └──────┬────────┘ │    │ Certificates  │
│  IPv6 tunnel │  443   │        │ rebind   │    │      ┌───┐    │
│              │        │        ▼          │    └──────│DNS│────┘
└──────────────┘        │ ┌───────────────┐ │           └───┘
                        │ │ listener      │ │     one-time CNAME
                        │ │ [x] Rebound   │ │     delegated DNS
                        │ │ RemoteAccess  │ │
                        │ │ [x] Restarted │ │
                        │ └───────────────┘ │
                        └───────────────────┘

CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. Your DirectAccess servers never run an ACME client and never store DNS credentials, the agent imports the certificate locally and rebinds the IP-HTTPS interface.

CertKit is an invaluable tool for administrators managing public TLS certificates in Microsoft environments like Always On VPN (SSTP) and DirectAccess (IP-HTTPS), as it simplifies and fully automates Let's Encrypt certificate issuance and renewal. CertKit eliminates the security risks and complexities of manual DNS challenges or API key exposure.

Richard Hicks, Consultant and Microsoft MVP

DirectAccess deployment script

# DirectAccess — IP-HTTPS Certificate Rebind
#
# Rebinds the IP-HTTPS listener on a DirectAccess server to a
# renewed certificate. The CertKit Agent imports the renewed PFX
# into the LocalMachine store first; this script points the
# IP-HTTPS interface at the new certificate so remote clients
# keep tunneling without interruption.
#
# Injected variables (set by CertKit Agent):
#   $thumbprint - SHA1 thumbprint of the renewed certificate
#
# Prerequisites:
#   - PowerShell 5.1+ (Windows Server 2012 R2+)
#   - RemoteAccess role + RemoteAccess PowerShell module
#   - Run on the DirectAccess (Remote Access) server

Import-Module RemoteAccess
$cert = Get-ChildItem Cert:\LocalMachine\My\$thumbprint
Set-DAServer -IPHttpsState Enabled
Set-RemoteAccess -SslCertificate $cert

The complete deployment script ships in your CertKit account.

The CertKit Agent imports the renewed certificate into the LocalMachine store and rebinds the IP-HTTPS listener so the transition tunnel keeps terminating on a valid, publicly trusted certificate. No exporting from MMC, no hunting through the Remote Access Management console, no scramble after clients have already dropped.

Rebinding the IP-HTTPS listener bounces the transition tunnel, so remote clients reconnect over the new certificate within seconds. Schedule a deployment window per server so that reconnect happens overnight rather than at 10am when staff are working remotely. CertKit keeps the renewed certificate staged and only rebinds inside the window you set.

The pre-built DirectAccess template ships with your CertKit account. Connect the server once. CertKit handles every renewal after that.

What CertKit handles

Issue the public IP-HTTPS certificate via ACME, centrally. The IP-HTTPS listener needs a publicly trusted certificate that matches the public hostname clients connect to. Your DirectAccess server doesn't need an ACME client, no credentials, and no open ports.
Renew well before expiry, not after the outage. DirectAccess fails closed: an expired IP-HTTPS certificate means no remote connectivity at all. CertKit renews on a schedule that leaves margin, so the certificate is never the thing that takes the tunnel down.
Rebind the IP-HTTPS listener automatically. The CertKit Agent points the IP-HTTPS interface at the renewed certificate so the transition tunnel keeps carrying IPv6 corporate traffic without a manual step.
Keep the Network Location Server in mind. DirectAccess clients also depend on the internal Network Location Server certificate to tell inside from outside. CertKit can manage that internal endpoint on the same agent, so neither side of the in/out detection drifts toward expiry.
Deploy in a window you control. Rebinding IP-HTTPS briefly bounces the transition tunnel and reconnects every active remote client. Schedule a deployment window per server so that happens at 2am Sunday, not in the middle of the workday, and CertKit holds the renewal until the window opens.
Verify the tunnel, not just the script. After each renewal, CertKit connects to the public IP-HTTPS endpoint and confirms the new certificate is being served, checking serial number, SANs, and expiry. A renewed certificate that didn't actually bind is caught here, not by your remote users.
Surface the silent failure mode. Because DirectAccess is transparent, a certificate problem produces no error a user would report, just a gradually emptying VPN. CertKit alerts on rebind failures and verification mismatches so you see it immediately.
Alert on upcoming expirations. Every certificate CertKit manages is tracked to expiry with advance alerts, so an IP-HTTPS certificate never quietly slides past its date.
Audit every change. Every issuance, renewal, and rebind is logged with timestamp, certificate, and server. With certificate lifetimes heading to 47 days, that log is your compliance record.

Setup takes about ten minutes

Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
Install the CertKit Agent on the Remote Access server. One command on the Windows Server running the DirectAccess role. The agent runs as a Windows service and needs no inbound firewall rules.
Add the DirectAccess deployment script. The pre-built template is in your account. Save it and CertKit imports the renewed certificate and rebinds IP-HTTPS on every renewal.

See the full architecture →

Why manual IP-HTTPS renewals are so risky

DirectAccess was designed before short-lived public certificates were the norm, and its certificate handling reflects that. The IP-HTTPS certificate is usually a one-or-two-year public certificate that an admin renews by hand: export the CSR, submit it to a CA, import the result through MMC, then rebind the IP-HTTPS interface in the Remote Access console. The whole sequence happens once a year, which means nobody remembers the steps and the reminder is a calendar event that can be snoozed.

The failure mode is the worst kind, completely silent. DirectAccess is always-on and seamless by design, so when the IP-HTTPS certificate lapses there is no login screen to show an error and no user action that fails loudly. Remote machines simply stop reaching internal resources, and the first signal is a wave of tickets from people who assumed they were on the network the whole time.

CertKit issues the IP-HTTPS certificate via delegated DNS validation, renews it on a safe cadence, and the agent rebinds the listener and verifies the tunnel every time. There is no ACME client on the server, no annual fire drill, and no silent expiry.

Moving off DirectAccess? The certificate problem follows you

Microsoft positions Always On VPN as the successor to DirectAccess, and its SSTP listener has the same public-certificate dependency. If you terminate VPN on a plain Routing and Remote Access (RRAS) server, the SSTP certificate lives in the registry instead. Whichever generation you run, CertKit automates the public certificate the same way, alongside IIS, Exchange, and AD FS, from one account.

See all integrations

Start automating DirectAccess certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.

Start free trial See pricing