Built for DirectAccess
The pre-built DirectAccess deployment template ships in your CertKit account. No scripting required.
DirectAccess tunnels remote clients over IP-HTTPS, IPv6 packets wrapped in a TLS session on port 443, and that listener binds to one certificate. When the IP-HTTPS certificate expires or renews without a rebind, every remote client drops off the corporate network at once, and because DirectAccess is seamless and always-on, nobody notices until the help desk lights up. Every 47 days. On every DirectAccess entry point.
CertKit centralizes certificate issuance and renewal, then pushes the renewed IP-HTTPS certificate to your DirectAccess servers automatically via the CertKit Agent, rebinds the listener, and confirms the tunnel is serving the new certificate before it ever expires.
The pre-built DirectAccess deployment template ships in your CertKit account. No scripting required.
The CertKit Agent imports the renewed certificate into the LocalMachine store and rebinds the IP-HTTPS listener so the transition tunnel keeps terminating on a valid, publicly trusted certificate. No exporting from MMC, no hunting through the Remote Access Management console, no scramble after clients have already dropped.
Rebinding the IP-HTTPS listener bounces the transition tunnel, so remote clients reconnect over the new certificate within seconds. Schedule a deployment window per server so that reconnect happens overnight rather than at 10am when staff are working remotely. CertKit keeps the renewed certificate staged and only rebinds inside the window you set.
The pre-built DirectAccess template ships with your CertKit account. Connect the server once. CertKit handles every renewal after that.
The manual process, if you want to do it yourself:
Set-RemoteAccess -SslCertificate. The listener keeps the old
certificate until you do.
Every one of these steps is manual, and DirectAccess won't repeat any of them for you when the certificate renews. With lifetimes shrinking to 47 days, installation stops being an annual chore and becomes a recurring task: eight times a year, on every entry point. Miss one and every remote client drops at once.
At 47 days, automation is the only sustainable way to run the IP-HTTPS certificate. Here's how CertKit does it.
Remote client DirectAccess server CertKit
┌──────────────┐ ┌───────────────────┐ ┌───────────────┐
│ │IP-HTTPS│ ┌───────────────┐ │ │ │
│ Remote │◄──────►│ │ CertKit Agent │◄┼────┤ Issue &Renew │
│ client + │ TLS │ └──────┬────────┘ │ │ Certificates │
│ IPv6 tunnel │ 443 │ │ rebind │ │ ┌───┐ │
│ │ │ ▼ │ └──────│DNS│────┘
└──────────────┘ │ ┌───────────────┐ │ └───┘
│ │ listener │ │ one-time CNAME
│ │ [x] Rebound │ │ delegated DNS
│ │ RemoteAccess │ │
│ │ [x] Restarted │ │
│ └───────────────┘ │
└───────────────────┘
CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. Your DirectAccess servers never run an ACME client and never store DNS credentials, the agent imports the certificate locally and rebinds the IP-HTTPS interface.
CertKit is an invaluable tool for administrators managing public TLS certificates in Microsoft environments like Always On VPN (SSTP) and DirectAccess (IP-HTTPS), as it simplifies and fully automates Let's Encrypt certificate issuance and renewal. CertKit eliminates the security risks and complexities of manual DNS challenges or API key exposure.
Richard Hicks, Consultant and Microsoft MVP
The failure mode is the worst kind, completely silent. DirectAccess is always-on and seamless by design, so when the IP-HTTPS certificate lapses there is no login screen to show an error and no user action that fails loudly. Remote machines simply stop reaching internal resources, and the first signal is a wave of tickets from people who assumed they were on the network the whole time.
CertKit issues the IP-HTTPS certificate via delegated DNS validation, renews it on a safe cadence, and the agent rebinds the listener and verifies the tunnel every time. There is no ACME client on the server, no annual fire drill, and no silent expiry.
Microsoft positions Always On VPN as the successor to DirectAccess, and its SSTP listener has the same public-certificate dependency. If you terminate VPN on a plain Routing and Remote Access (RRAS) server, the SSTP certificate lives in the registry instead. Whichever generation you run, CertKit automates the public certificate the same way, alongside IIS, Exchange, and AD FS, from one account.
Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.