
Automated SSL certificate renewal for Routing and Remote Access Service (RRAS)

Routing and Remote Access pins the SSTP certificate by hash in the registry. CertKit keeps it current.

The Routing and Remote Access role doesn't reference its SSTP certificate by name; it stores a SHA256 hash of the certificate under HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters and binds it through HTTP.SYS. When the certificate renews, the hash no longer matches anything in the store, so SstpSvc refuses new SSTP tunnels and existing point-to-point connections fail to re-establish. Every 47 days. On every RRAS server you operate.

CertKit centralizes certificate issuance and renewal, then pushes the renewed certificate to your RRAS servers via the CertKit Agent, updates the SHA256 hash and HTTP.SYS binding, and restarts SstpSvc so the listener comes back on the current certificate.


How it works

            Your RRAS server
┌──────────────────────────────────────────┐
│  ┌─────────────┐                         │
│  │CertKit Agent│──┐ 1. import PFX        │     CertKit
│  └─────────────┘  │    -> LocalMachine   │   ┌──────────┐
│         │         ▼                      │◄──┤ Issue &  │
│         │   ┌───────────────┐            │   │ Renew    │
│         │   │ Cert store    │            │   │   ┌───┐  │
│         └──►│ SstpSvc params│  2. write  │   └───│DNS│──┘
│   3. bind   │ SHA256 hash   │     hash   │       └───┘
│   HTTP.SYS  └───────┬───────┘            │  one-time CNAME
│         ┌───────────▼───────┐            │  delegated DNS
│         │ SstpSvc restarted │ 4. restart │
│         │ [x] SSTP online   │            │
│         └───────────────────┘            │
└──────────────────────────────────────────┘

CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. The RRAS server never runs an ACME client and never holds DNS credentials; the agent imports the certificate, rewrites the SstpSvc hash, and restarts the service locally.

CertKit is an invaluable tool for administrators managing public TLS certificates in Microsoft environments like Always On VPN (SSTP) and DirectAccess (IP-HTTPS), as it simplifies and fully automates Let's Encrypt certificate issuance and renewal. CertKit eliminates the security risks and complexities of manual DNS challenges or API key exposure.

Richard Hicks, Consultant and Microsoft MVP

RRAS deployment script

# Routing and Remote Access — SSTP Certificate Hash Update
#
# Updates the SHA256 certificate hash RRAS uses for SSTP and
# restarts SstpSvc. The CertKit Agent imports the renewed PFX
# into the LocalMachine store before this script runs.
#
# RRAS binds SSTP by hash, not by name, so a renewal that only
# imports the new cert leaves the listener pointing at a hash
# that no longer exists. This script rewrites the hash.
#
# Injected variables (set by CertKit Agent):
#   $thumbprint - SHA1 thumbprint of the renewed certificate
#
# Prerequisites:
#   - PowerShell 5.1+ (Windows Server 2012 R2+)
#   - RemoteAccess role installed with SSTP enabled
#   - Permission to write SstpSvc\Parameters and restart the service

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
# RRAS wants the raw 32-byte SHA256 digest of the DER certificate as REG_BINARY;
# hashing RawData works on Windows PowerShell 5.1 and PowerShell 7 alike.
$sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
Set-ItemProperty -Path $regPath -Name 'SHA256CertificateHash' -Value $sha256 -Type Binary
# SstpSvc reads the hash at start-up, so restart it to bind the renewed certificate.
Restart-Service -Name SstpSvc

The complete deployment script ships in your CertKit account.

The CertKit Agent imports the renewed PFX, computes the SHA256 hash RRAS expects, writes it into the SstpSvc parameters, refreshes the HTTP.SYS binding, and restarts the service. No certutil, no hand-edited registry values, no SSTP outage waiting to be discovered.

Restarting SstpSvc drops the SSTP listener for a moment, disconnecting roaming clients and bouncing any SSTP site-to-site link while it comes back. Schedule a deployment window per server so the hash update and restart run at 2am Sunday rather than during business hours. CertKit stages the renewed certificate and only applies it inside the window you choose.

The pre-built RRAS template ships with your CertKit account. Enable it once. CertKit handles every renewal after that.

What CertKit handles

Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Install the CertKit Agent on the RRAS server. One command on the Windows Server running the Routing and Remote Access role. The agent runs as a Windows service and needs no inbound firewall rules.
  3. Add the RRAS deployment script. The pre-built template is in your account. Save it and CertKit imports the certificate, rewrites the SSTP hash, and restarts SstpSvc on every renewal.


Why importing the certificate isn't enough

With most Windows services, importing a renewed certificate and rebinding by thumbprint is the whole job. RRAS is different because SSTP pins the certificate by a SHA256 hash stored in the registry under SstpSvc\Parameters. Drop a new certificate into the store and SSTP keeps comparing against the old hash, finds no match, and quietly stops accepting tunnels. The certificate is valid and present, the service is running, and SSTP still doesn't work, which makes it a genuinely confusing outage to diagnose.
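The mismatch described above can be checked directly on the gateway before anyone notices a failed tunnel. The PowerShell below is an added example, not CertKit's code and not part of the original page: it reads the hash SstpSvc is pinned to, looks for a matching certificate in LocalMachine\My, and flags the two states that matter, a pinned hash with no certificate behind it and a renewed certificate sitting in the store while the registry still points at the old one. It assumes the SHA256CertificateHash value name under SstpSvc\Parameters named on this page; the status strings and the 14-day warning threshold are illustrative choices.

```powershell
# Added example (not CertKit's code): audit which certificate SstpSvc is pinned to.
# Assumes the registry value 'SHA256CertificateHash' under SstpSvc\Parameters.
# Status strings and the default warning threshold are illustrative.

function Get-Sha256Hex {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # Hash the DER bytes; this is the value RRAS stores in the registry.
    $digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Certificate.RawData)
    return (($digest | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Test-SstpCertificatePin {
    param([int] $WarnDays = 14)

    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
    $pinned    = (Get-ItemProperty -Path $regPath -Name 'SHA256CertificateHash' -ErrorAction Stop).SHA256CertificateHash
    $pinnedHex = (($pinned | ForEach-Object { $_.ToString('X2') }) -join '')

    $store = Get-ChildItem -Path Cert:\LocalMachine\My
    $match = $store | Where-Object { (Get-Sha256Hex $_) -eq $pinnedHex } | Select-Object -First 1

    $result = [pscustomobject]@{
        ServiceStatus    = (Get-Service -Name SstpSvc).Status
        PinnedSha256     = $pinnedHex
        PinnedCertFound  = ($null -ne $match)
        Subject          = $null
        Thumbprint       = $null
        NotAfter         = $null
        DaysRemaining    = $null
        NewerCertPresent = $false
        Status           = 'OK'
    }

    if ($null -eq $match) {
        # The outage on this page: the hash points at a certificate that is no longer in the store.
        $result.Status = 'BROKEN: no certificate in LocalMachine\My matches the pinned SHA256 hash'
        return $result
    }

    $result.Subject       = $match.Subject
    $result.Thumbprint    = $match.Thumbprint
    $result.NotAfter      = $match.NotAfter
    $result.DaysRemaining = [int]($match.NotAfter - (Get-Date)).TotalDays

    # Same subject, later expiry, different thumbprint: the renewal was imported
    # but the registry hash was never rewritten, so SSTP is still on the old cert.
    $newer = $store | Where-Object {
        $_.Subject -eq $match.Subject -and
        $_.NotAfter -gt $match.NotAfter -and
        $_.Thumbprint -ne $match.Thumbprint
    }
    if ($newer) {
        $result.NewerCertPresent = $true
        $result.Status = 'STALE: a newer certificate is in the store but SSTP is still pinned to the old one'
    } elseif ($result.DaysRemaining -lt $WarnDays) {
        $result.Status = "EXPIRING: pinned certificate expires in $($result.DaysRemaining) days"
    }
    return $result
}

# Run on the RRAS server as an administrator; non-zero exit makes it usable from a scheduled task or monitor.
$report = Test-SstpCertificatePin
$report | Format-List
if ($report.Status -ne 'OK') { exit 1 }
```

A STALE result is exactly the state the deployment script above clears by rewriting the hash and restarting SstpSvc; a BROKEN result means the old certificate has already been removed and SSTP is refusing tunnels right now. Running this from a scheduled task after every renewal window gives you a signal independent of the renewal tooling itself.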

The manual fix is fiddly and easy to get wrong: compute the SHA256 hash in the exact byte format RRAS expects, write it to the registry, refresh the HTTP.SYS binding, and restart SstpSvc. Do that by hand on every renewal, on every gateway, and the odds of a typo or a skipped restart climb with each cycle.

CertKit issues the SSTP certificate via delegated DNS validation, then the agent handles the hash, the binding, and the restart as one verified step. There is no ACME client on the server and no registry surgery on your renewal calendar.

RRAS is the foundation under Microsoft's VPN roles

The Remote Access role that powers RRAS is the same engine underneath Always On VPN and DirectAccess; each just layers its own configuration and certificate model on top. CertKit automates the public certificate across all three, plus IIS, Exchange, and AD FS, from a single account.


Start automating RRAS certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.
