Built for Routing and Remote Access
The pre-built RRAS deployment template ships in your CertKit account. No scripting required.
The Routing and Remote Access role doesn't reference its SSTP certificate by name, it
stores a SHA256 hash of the certificate under
HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters and binds it through
HTTP.SYS. When the certificate renews the hash no longer matches anything in the store, so
SstpSvc refuses new SSTP tunnels and existing point-to-point connections fail to
re-establish.
Every 47 days.
On every RRAS server you operate.
CertKit centralizes certificate issuance and renewal, then pushes the renewed certificate to your RRAS servers via the CertKit Agent, updates the SHA256 hash and HTTP.SYS binding, and restarts SstpSvc so the listener comes back on the current certificate.
The pre-built RRAS deployment template ships in your CertKit account. No scripting required.
The CertKit Agent imports the renewed PFX, computes the SHA256 hash RRAS expects,
writes it into the SstpSvc parameters, refreshes the HTTP.SYS binding, and restarts the
service. No certutil, no hand-edited registry values, no SSTP outage waiting
to be discovered.
Restarting SstpSvc drops the SSTP listener for a moment, disconnecting roaming clients and bouncing any SSTP site-to-site link while it comes back. Schedule a deployment window per server so the hash update and restart run at 2am Sunday rather than during business hours. CertKit stages the renewed certificate and only applies it inside the window you choose.
The pre-built RRAS template ships with your CertKit account. Enable it once. CertKit handles every renewal after that.
The manual process, if you want to do it yourself:
Every one of these steps is manual, and RRAS won't repeat any of them for you when the certificate renews. With lifetimes shrinking to 47 days, installation stops being an annual chore and becomes a recurring task: eight times a year, on every gateway. Miss the rebind and SSTP quietly stops accepting tunnels.
At 47 days, automation is the only sustainable way to run SSTP certificates. Here's how CertKit does it.
Your RRAS server
┌──────────────────────────────────────────┐
│ ┌─────────────┐ │
│ │CertKit Agent│──┐ 1. import PFX │ CertKit
│ └─────────────┘ │ -> LocalMachine │ ┌──────────┐
│ │ ▼ │◄──┤ Issue & │
│ │ ┌───────────────┐ │ │ Renew │
│ │ │ Cert store │ │ │ ┌───┐ │
│ └──►│ SstpSvc params│ 2. write │ └───│DNS│──┘
│ 3. bind │ SHA256 hash │ hash │ └───┘
│ HTTP.SYS └───────┬───────┘ │ one-time CNAME
│ ┌───────────▼───────┐ │ delegated DNS
│ │ SstpSvc restarted │ 4. restart │
│ │ [x] SSTP online │ │
│ └───────────────────┘ │
└──────────────────────────────────────────┘
CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. The RRAS server never runs an ACME client and never holds DNS credentials, the agent imports the certificate, rewrites the SstpSvc hash, and restarts the service locally.
CertKit is an invaluable tool for administrators managing public TLS certificates in Microsoft environments like Always On VPN (SSTP) and DirectAccess (IP-HTTPS), as it simplifies and fully automates Let's Encrypt certificate issuance and renewal. CertKit eliminates the security risks and complexities of manual DNS challenges or API key exposure.
Richard Hicks, Consultant and Microsoft MVP
SstpSvc certificate hash so SSTP actually uses the renewed certificate
instead of failing against a stale binding.
With most Windows services, importing a renewed certificate and rebinding by thumbprint is
the whole job. RRAS is different because SSTP pins the certificate by a SHA256 hash stored
in the registry under SstpSvc\Parameters. Drop a new certificate into the
store and SSTP keeps comparing against the old hash, finds no match, and quietly stops
accepting tunnels. The certificate is valid and present, the service is running, and SSTP
still doesn't work, which makes it a genuinely confusing outage to diagnose.
Scripting around it is fiddly and easy to get wrong: the hash has to be computed in the exact byte format RRAS expects, written to the registry, and matched by a refreshed HTTP.SYS binding before the restart. A typo doesn't error, it just leaves SSTP down.
CertKit issues the SSTP certificate via delegated DNS validation, then the agent handles the hash, the binding, and the restart as one verified step. There is no ACME client on the server and no registry surgery on your renewal calendar.
The Remote Access role that powers RRAS is the same engine underneath Always On VPN and DirectAccess, each just layers its own configuration and certificate model on top. CertKit automates the public certificate across all three, plus IIS, Exchange, AD FS, and Remote Desktop Gateway, from a single account.
Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.