Can't renew an IP-HTTPS and SSTP certificate on a DA server in Windows Server 2012

Applies to: Windows Server 2012 R2 StandardWindows Server 2012 R2 DatacenterWindows Server 2012 R2 Essentials


Consider the following scenario:
  • You deploy both DirectAccess (DA) and VPN on a server that's running Windows Server 2012 R2 or Windows Server 2012.
  • You are using a certificate for the IP over HTTPS (IP-HTTPS) tunneling protocol and Secure Socket Tunneling Protocol (SSTP) endpoints from a public root certification authority (CA).
  • The certificate is near its expiration date, and you're looking for a procedure to change the old certificate to a new one that uses the same subject name.
  • In the RemoteAccess wizard, you select a new certificate that you already added in a store.
  • You go to the last step in the RemoteAccess wizard.
In this scenario, the Finish button is unavailable (appears dimmed). Therefore, you can't apply the new configuration.


This issue occurs because, when the RemoteAccess wizard checks the subject name of the certificate, it discovers that the subject name of the certificate is still the same.


To work around this issue, follow these steps:
  1. Identify the thumbprint of the new certificate.
  2. Open a Windows PowerShell command line as an administrator.
  3. Select the certificate, and then add it to a variable (such as $cert = dir Cert:\LocalMachine\my |?{$_.Thumbprint -eq $thumbprint}).
  4. Set the certificate to be used by RemoteAccess (such as Set-RemoteAccess -SslCertificate $cert).
  5. Run a gpupdate /force command.
  6. Restart the Routing and Remote Access service.
Note You must deploy a new certificate and then run these steps on all nodes on the DA and VPN servers that use Network Load Balancing (NLB).

More Information

For more information, see Set-RemoteAccess.