How to change the computer certificate on a Windows Server 2008-based computer that is running the "Routing and Remote Access" service and SSTP

Beta Information
This article discusses a beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this beta product. For information about how to obtain support for a beta release, see the documentation that is included with the beta product files, or check the Web location where you downloaded the release.
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows XP and Windows Vista
This article describes how to change the computer certificate on a Windows Server 2008-based computer that is running the "Routing and Remote Access" service and Secure Socket Tunneling Protocol (SSTP). The computer certificate is also known as a machine certificate.
Secure Socket Tunneling Protocol (SSTP) is a new virtual private network (VPN) tunneling protocol that is available in the "Routing and Remote Access Services" role in Windows Server 2008. The protocol is also available for use in Windows Vista Service Pack 1 (SP1).

SSTP uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and through Web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol.
The "Routing and Remote Access" service in Windows Server 2008 configures HTTP.sys with a computer certificate from the certificate store (also known as the machine store) so that HTTP.sys can accept HTTPS connections. This computer certificate is also sent to the client during the Secure Sockets Layer (SSL) negotiation phase.

If you, as an administrator, have already installed a computer certificate and have configured the "Routing and Remote Access" service, you can change the computer certificate without reconfiguring the "Routing and Remote Access" service. This article discusses how to change the computer certificate.

Background components

There are three components in this scenario:
  • The computer certificate that is installed in the "computer account" area of the certificate store
  • The HTTP.sys file

    Note This file is the HTTPS listener component that terminates HTTPS VPN connections on the server. HTTP.sys determines which computer certificate to use.

    To view the computer certificate information, type the following command at the command prompt:
    netsh http show sslcert
  • The "Routing and Remote Access" server that runs HTTP.sys

    Note The server uses the certificate hash of the computer certificate for its crypto-binding validation phase. This is an extra security step to help verify that both the PPP client and the SSL client originate from the same computer.

How to change the computer certificate

To change the computer certificate, follow these steps on the VPN server:
  1. Determine which computer certificate is configured for VPN connections. To do this, follow these steps:
    1. Determine the SSL certificate bindings that are used by HTTP.sys. To do this, type the following command at the command prompt:
      netsh http show sslcert
    2. Verify that the following Application ID is listed:
      This binding is added by the SSTP-based "Routing and Remote Access" server.
    The command shows a certificate that is bound to the IP:port listener and a certificate that is bound to the [::]:443 IP:port listener. The certificate hash value specifies which certificate is actually bound. This value is the SHA1 certificate hash (thumbprint) of the certificate.
  2. Delete the certificate from the certificate store. To do this, create a new Microsoft Management Console (MMC), and then add the Certificates snap-in, as follows:
    1. Click Start, and then click Run.
    2. Type MMC.EXE, and then click OK.
    3. On the File menu, click Add/Remove Snap-in.
    4. Select Certificates, and then click Add.
    5. Select the Computer account option, and then click Next.
    6. Select Local Computer, and then click Finish.
    7. Click OK.
  3. Expand Certificates (Local Computer), and then click Certificates. The certificates in the store appear in the details pane.
  4. Double-click the certificate that you want to bind to the SSTP listener. This is the certificate that has a subject name that matches the host name that is used in the client VPN connection.
  5. Click the Details tab. In the Show box, make sure that All is selected.
  6. Verify that the value for the Thumbprint Algorithm field is sha1.
  7. Note the value of the Thumbprint field. Compare this value to the certificate hash that was listed when you ran the netsh command.

    The values should match. This indicates that the correct certificate is bound to the listener. Right-click the certificate, and then click Delete.
  8. Add the new certificate to the certificate store.
  9. Delete the certificate from HTTP.sys. To do this, type the following commands at the command prompt:
    netsh http delete sslcert ipport=
    netsh http delete sslcert ipport=[::]:443
    Note To run these commands, you must open the command prompt by using elevated permissions. To do this, click Start, right-click Command Prompt, and then click Run as administrator.
  10. Add the new certificate to HTTP.sys.

    To do this, type the following commands at the command prompt:
    netsh http add sslcert ipport= certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
    netsh http add sslcert ipport=[::]:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
    Note In these commands, xxx is a placeholder for the SHA1 certificate hash of the new certificate.
  11. Clear the certificate hash registry key that is used by the "Routing and Remote Access" service. To do this, follow these steps.

    Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
    1. Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
    2. Locate and then click the following registry subkey:
    3. In the details pane, right-click the Sha256CertificateHash entry, and then click Modify.
    4. In the Value data box, type 0, and then click OK.
    5. Exit Registry Editor.
  12. Restart the "Routing and Remote Access" service. The "Routing and Remote Access" service reads the certificate inside HTTP.sys and then sets the appropriate certificate hashes for its crypto-binding validation.
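The following PowerShell script is an added example and is not part of the Knowledge Base article. It automates the verification in steps 1 through 7 (which certificate HTTP.sys has bound for the SSTP Application ID, and whether that hash matches a certificate in the Local Computer store) and wraps the netsh delete/add commands from steps 9 and 10 in a function that validates the new thumbprint before rebinding. It assumes it is run in an elevated PowerShell session on the VPN server. The Application ID {ba195980-cd49-458b-9e23-c84ee0adcd75} is the one quoted in the article; the IPv4 listener address 0.0.0.0:443 is an assumption, because the article's IPv4 ipport value is elided. The registry step (step 11) is not scripted here, because the article does not show the full subkey path.

```powershell
# Added example, not code from the KB article. Run elevated on the SSTP VPN server.
$SstpAppId = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'   # SSTP Application ID from the article
$IpPorts   = @('0.0.0.0:443', '[::]:443')              # 0.0.0.0:443 is an assumption (elided in the article)

function Get-SslCertBinding {
    # Parse "netsh http show sslcert" into objects. netsh prints one "Name : Value"
    # block per binding; a new block starts at each "IP:port" line.
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $bindings += New-Object PSObject -Property $current }
            $current = @{ IpPort = $Matches[1]; CertHash = $null; AppId = $null; StoreName = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $current.CertHash = $Matches[1].ToUpper()
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
            $current.AppId = $Matches[1].ToLower()
        }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $current.StoreName = $Matches[1]
        }
    }
    if ($current) { $bindings += New-Object PSObject -Property $current }
    $bindings | Select-Object IpPort, CertHash, AppId, StoreName
}

function Test-SstpCertificate {
    # For each binding owned by the SSTP Application ID, look up the bound hash in
    # Cert:\LocalMachine\My (the "computer account" store) and report subject and validity.
    $store = Get-ChildItem Cert:\LocalMachine\My
    Get-SslCertBinding | Where-Object { $_.AppId -eq $SstpAppId.ToLower() } | ForEach-Object {
        $hash = $_.CertHash
        $cert = $store | Where-Object { $_.Thumbprint -eq $hash }
        New-Object PSObject -Property @{
            IpPort   = $_.IpPort
            CertHash = $hash
            InStore  = [bool]$cert
            Subject  = if ($cert) { $cert.Subject } else { '(hash not found in LocalMachine\My)' }
            NotAfter = if ($cert) { $cert.NotAfter } else { $null }
            Expired  = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
        } | Select-Object IpPort, CertHash, InStore, Subject, NotAfter, Expired
    }
}

function Set-SstpCertificate {
    # Steps 9 and 10 of the article: remove the existing SSL bindings and bind the new
    # certificate. $Thumbprint is the SHA1 thumbprint of the new certificate (the
    # article's "xxx" placeholder). Refuses to run unless the certificate exists in the store.
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $Thumbprint = ($Thumbprint -replace '[\s:]', '').ToUpper()   # tolerate "ab cd ef" copy/paste
    if ($Thumbprint -notmatch '^[0-9A-F]{40}$') {
        throw 'Expected a 40-hex-digit SHA1 thumbprint'
    }
    $inStore = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $inStore) {
        throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My"
    }
    foreach ($ipport in $IpPorts) {
        netsh http delete sslcert ipport=$ipport | Out-Null
        netsh http add sslcert ipport=$ipport certhash=$Thumbprint appid=$SstpAppId certstorename=MY
    }
}

# Usage: show what is currently bound, then (after reviewing the output) rebind, e.g.
#   Set-SstpCertificate -Thumbprint '<new certificate SHA1 thumbprint>'
Test-SstpCertificate | Format-Table -AutoSize
```

After Set-SstpCertificate has run, step 11 (clearing Sha256CertificateHash) and step 12 (restarting the "Routing and Remote Access" service) still apply; re-running Test-SstpCertificate afterwards should show InStore equal to True and the new certificate's subject for both listeners.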

Article ID: 947027 - Last Review: 01/30/2008 18:24:57 - Revision: 1.2

Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 for Itanium-Based Systems, Windows Server 2008 Standard, Windows Web Server 2008, Windows Vista Enterprise 64-bit Edition, Windows Vista Enterprise

  • kbregistry kbexpertiseadvanced kbhowto KB947027