How to change the computer certificate on a Windows Server 2008-based computer that is running the "Routing and Remote Access" service and SSTP

Secure Socket Tunneling Protocol (SSTP) is a new virtual private network (VPN) tunneling protocol that is available in the "Routing and Remote Access Services" role in Windows Server 2008. The protocol is also available for use in Windows Vista Service Pack 1 (SP1).

SSTP uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and through Web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol.

The "Routing and Remote Access" service in Windows Server 2008 configures a computer certificate from the certificate store (also known as the machine store) in the HTTP.sys file to accept an HTTPS connection. This computer certificate is also sent to the client during the Secure Sockets Layer (SSL) negotiation phase.

If you, as an administrator, have already installed a computer certificate and have configured the "Routing and Remote Access" service, you can change the computer certificate without reconfiguring the "Routing and Remote Access" service. This article discusses how to change the computer certificate.

Background components

There are three components in this scenario:

• The computer certificate that is installed in the "computer account" area of the certificate store
• The HTTP.sys file
  
  Note This file is the HTTPS listener component that closes HTTPS VPN connections. HTTP.sys determines which computer certificate to use.
  
  To view the computer certificate information, type the following command at the command prompt:
  netsh http show sslcert
• The "Routing and Remote Access" server that runs HTTP.sys
  
  Note The server uses the certificate hash of the computer certificate for its crypto-binding validation phase. This is an extra security step to help verify that both the PPP client and the SSL client originate from the same computer.

How to change the computer certificate

To change the computer certificate, follow these steps on the VPN server:

1. Determine which computer certificate is configured for VPN connections. To do this, follow these steps:
   1. Determine the SSL certificate bindings that are used by HTTP.sys. To do this, type the following command at the command prompt:
      netsh http show sslcert
   2. Verify that the following Application ID is listed:
      {ba195980-cd49-458b-9e23-c84ee0adcd75}
      This binding is added by the SSTP-based "Routing and Remote Access" server.
   The command shows a certificate that is bound to the 0.0.0.0:443 IP:port listener and a certificate that is bound to the [::]::443 IP:port listener. The certificate hash value specifies which certificate is actually bound. This value is the SHA1 certificate hash of the certificate.
2. Delete the certificate from the certificate store. To do this, create a new Microsoft Management Console (MMC), and then add the Certificates snap-in. To do this, follow these steps:
   1. Click Start, and then click Run.
   2. Type MMC.EXE, and then click OK.
   3. On the File menu, click Add/Remove Snap-in.
   4. Select Certificates, and then click Add.
   5. Select the Computer account option, and then click Next.
   6. Select Local Computer, and then click Finish.
   7. Click OK.
3. Expand Certificates (Local Computer), and then click Certificates. A list of certificates in the store is listed in the details pane.
4. Double-click the certificate that you want to bind to the SSTP listener. This is the certificate that has a subject name that matches the host name that is used in the client VPN connection.
5. Click the Details tab. In the Show box, make sure that All is selected.
6. Verify that the value for the Thumbprint Algorithm field is sha1.
7. Note the value of the Thumbprint field. Compare this value to the certificate hash that was listed when you ran the netsh command.
   
   The values should match. This indicates that the correct certificate is bound to the listener. Right-click the certificate, and then click Delete.
8. Add the new certificate to the certificate store.
9. Delete the certificate from HTTP.sys. To do this, type the following commands at the command prompt:
   netsh http delete sslcert ipport=0.0.0.0:443
   netsh http delete sslcert ipport=[::]:443
   Note To run these commands, you must open the command prompt by using elevated permissions. To do this, click Start, right-click Command Prompt, and then click Run as administrator.
10. Add the new certificate to HTTP.sys.
    
    To do this, type the following commands at the command prompt:
    netsh http add sslcert ipport=0.0.0.0:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
    netsh http add sslcert ipport=[::]:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
    Note In these commands, xxx is a placeholder for the SHA1 certificate hash of the new certificate.
11. Clear the certificate hash registry key that is used by the "Routing and Remote Access" service. To do this, follow these steps.
    
    Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
    1. Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
    2. Locate and then click the following registry subkey:
       HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\
    3. In the details pane, right-click the Sha256CertificateHash entry, and then click Modify.
    4. In the Value data box, type 0, and then click OK.
    5. Exit Registry Editor.
12. Restart the "Routing and Remote Access" service. The "Routing and Remote Access" service reads the certificate inside HTTP.sys and then sets the appropriate certificate hashes for its crypto-binding validation.