Question about changing the certificate used by the SSTP VPN on a TMG 2010 server

Hi,

I need to change the certificate used by the SSTP VPN because the one I originally used didn't have a publicly visible CRL, which I've subsequently taken care of.  I've read the instructions on how to update the certificate used by SSTP VPN since it seems like changing it is a non-trivial process. I've read the following links:

http://support.microsoft.com/kb/947027

http://kingofbytes.wordpress.com/2014/01/05/nightmare-on-vpn-street-with-tmg-and-sstp-part-1-of-4/

The process seems pretty straightforward. My only concern is that when I do the "netsh http show ssl" command on my TMG 2010/SSTP VPN server I get back this:

SSL Certificate bindings:
 -------------------------

    IP:port                 : 0.0.0.0:443
     Certificate Hash        : aa8903a20156be71f9a7e3047433013574b08c70
     Application ID          : {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}
     Certificate Store Name  : (null)
     Verify Client Certificate Revocation    : Enabled
     Verify Revocation Using Cached Client Certificate Only    : Disabled
     Usage Check    : Enabled
     Revocation Freshness Time : 0
     URL Retrieval Timeout   : 0
     Ctl Identifier          : (null)
     Ctl Store Name          : (null)
     DS Mapper Usage    : Disabled
     Negotiate Client Certificate    : Disabled

    IP:port                 : [::]:443
     Certificate Hash        : aa8903a20156be71f9a7e3047433013574b08c70
     Application ID          : {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}
     Certificate Store Name  : (null)
     Verify Client Certificate Revocation    : Enabled
     Verify Revocation Using Cached Client Certificate Only    : Disabled
     Usage Check    : Enabled
     Revocation Freshness Time : 0
     URL Retrieval Timeout   : 0
     Ctl Identifier          : (null)
     Ctl Store Name          : (null)
     DS Mapper Usage    : Disabled
     Negotiate Client Certificate    : Disabled

And what I'm concerned about is the Application ID reported here is {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e} while the two links say it should be {ba195980-cd49-458b-9e23-c84ee0adcd75} which is the App ID for the SSTP server.  The only thing I can think of is that my SSTP server and certificate are bound to a different IP address than the default HTTP listener.  If I look up the aa8903a20156be71f9a7e3047433013574b08c70 hash in the list of certs it is an old expired machine certificate for the TMG server. 

It seems that since this certificate is expired, removing it is OK, but I'm not sure about the other commands that update the SSL certs, like "netsh http add sslcert" for example.  Do I have to tell the netsh http commands to use a different IP address?

Thanks

Nick

February 25th, 2015 2:48pm

Hi,

Please check Mohit Kumar's reply in the thread below.

Quote:

1. Run the following command on the TMG server to check the SSL certificate bound to HTTP.sys

netsh http show sslcert

Please look at the certificate with IP:Port pair as x.x.x.x:443 and note down the Certificate hash value (x.x.x.x is the TMG Server's IP address on which SSTP is configured to listen)

3. Check the old/expired SSTP certificate in Local Computer Personal Store and look for "Thumbprint".  It will have the same value as the Certificate hash value from the netsh command output in the previous step

4. Remove the old/expired certificate binding from HTTPS Listener

netsh http delete sslcert ipport=x.x.x.x:443

5. Confirm that the new/valid SSTP certificate was installed in the Local Computer Personal Store on the TMG server, please make a note of its "Thumbprint" or Hash value

6. Bind the new certificate to the HTTPS Listener (assuming new certificate has SHA1 certificate hash as abcd)
netsh http add sslcert ipport=x.x.x.x:443 certhash=abcd appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

7. Run the netsh command from Step 1 to ensure that you see the new/valid certificate hash for the binding

8. Restart the TMG firewall service or reboot the server and test the VPN connection

Reference: https://social.technet.microsoft.com/Forums/en-US/ac46688e-56f9-4704-b876-21cca6983eb3/tmg-sstp-vpn-certificate-replacement?forum=Forefrontedgegeneral

Best Regards,

Joyce

February 25th, 2015 10:07pm
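The steps above hinge on knowing which HTTP.sys binding actually belongs to SSTP and whether the certificate behind it is expired or lacks a CRL distribution point. The script below is an added example (not from this thread or from Microsoft): it parses "netsh http show sslcert", tags each binding as SSTP or not by the app ID cited in KB947027, and cross-checks the bound hash against the LocalMachine\My store so the inventory is clear before any delete/add sslcert is run. It assumes PowerShell 2.0 or later with the Cert: provider, as on Windows Server 2008 R2.

```powershell
# Added example: inventory HTTP.sys SSL bindings and check the bound certificates.
# Assumes PowerShell 2.0+ with the Cert: provider; run in an elevated console on the TMG server.

$SstpAppId = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'   # SSTP app ID from KB947027

# netsh prints one "IP:port : x" block per binding with "Name : value" fields below it.
$raw = (netsh http show sslcert) -join "`n"
$blocks = $raw -split '(?m)^\s*IP:port\s*:'
$bindings = @()
foreach ($block in ($blocks | Select-Object -Skip 1)) {
    $bindings += New-Object PSObject -Property @{
        IpPort = ($block -split "`n")[0].Trim()
        Hash   = [regex]::Match($block, 'Certificate Hash\s*:\s*([0-9a-fA-F]+)').Groups[1].Value.ToUpper()
        AppId  = [regex]::Match($block, 'Application ID\s*:\s*(\{[0-9a-fA-F-]+\})').Groups[1].Value.ToLower()
    }
}

$store = Get-ChildItem Cert:\LocalMachine\My
foreach ($b in $bindings) {
    if ($b.AppId -eq $SstpAppId) { $owner = 'SSTP' } else { $owner = 'other application' }
    # Thumbprint is the SHA1 hash netsh reports; -eq is case-insensitive in PowerShell.
    $cert = $store | Where-Object { $_.Thumbprint -eq $b.Hash }
    if ($cert -eq $null) {
        "$($b.IpPort)  appid=$($b.AppId) ($owner)  hash=$($b.Hash)  NOT FOUND in LocalMachine\My"
        continue
    }
    $expired = $cert.NotAfter -lt (Get-Date)
    # OID 2.5.29.31 is the CRL Distribution Points extension; SSTP clients need a reachable CDP.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) { $cdpText = ($cdp.Format($false) -replace '\s+', ' ') } else { $cdpText = 'none' }
    "$($b.IpPort)  appid=$($b.AppId) ($owner)"
    "    subject=$($cert.Subject)  expires=$($cert.NotAfter.ToString('yyyy-MM-dd'))  expired=$expired"
    "    CRL distribution points: $cdpText"
}

if (-not ($bindings | Where-Object { $_.AppId -eq $SstpAppId })) {
    'No binding carries the SSTP app ID; compare the listed IP:port pairs with the listener IP set in the TMG VPN properties before changing anything.'
}
```

A binding whose app ID is not the SSTP one (such as the {1d40ebc7-...} entries in the question) should be left alone; only the ipport that carries the SSTP app ID is the one the delete/add sslcert steps apply to.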

Hi Joyce,

Thanks for the reply. The thing that worries me is that when I do the netsh http show ssl command I get back

SSL Certificate bindings:
 -------------------------

    IP:port                 : 0.0.0.0:443
     Certificate Hash        : aa8903a20156be71f9a7e3047433013574b08c70
     Application ID          : {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}
     Certificate Store Name  : (null)
     Verify Client Certificate Revocation    : Enabled
     Verify Revocation Using Cached Client Certificate Only    : Disabled
     Usage Check    : Enabled
     Revocation Freshness Time : 0
     URL Retrieval Timeout   : 0
     Ctl Identifier          : (null)
     Ctl Store Name          : (null)
     DS Mapper Usage    : Disabled
     Negotiate Client Certificate    : Disabled

    IP:port                 : [::]:443
     Certificate Hash        : aa8903a20156be71f9a7e3047433013574b08c70
     Application ID          : {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}
     Certificate Store Name  : (null)
     Verify Client Certificate Revocation    : Enabled
     Verify Revocation Using Cached Client Certificate Only    : Disabled
     Usage Check    : Enabled
     Revocation Freshness Time : 0
     URL Retrieval Timeout   : 0
     Ctl Identifier          : (null)
     Ctl Store Name          : (null)
     DS Mapper Usage    : Disabled
     Negotiate Client Certificate    : Disabled

And I don't see the current certificate I've specified for the SSTP VPN or the IP address I've specified for SSTP listener to use. So I'm a little (well very) hesitant to do the netsh http delete sslcert ipport=x.x.x.x commands.   Does the netsh http show sslcert command show the certificates for all IP addresses and ports?  I tried using the ipport option with netsh http show sslcert but I couldn't figure out the right syntax.

If I bring up a browser on a remote system and go to my https://<NameofSSTPCertificate>/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ I see the hash for my old SSTP certificate with the wrong CRL list.  So it certainly seems that the certificate is there, just the wrong one.

Thanks

Nick

February 26th, 2015 6:27pm

Hi,

>>I tried using the ipport option with netsh http show sslcert but I couldn't figure out the right syntax.

Here are some command examples of netsh http show sslcert.

show sslcert ipport=[fe80::1]:443

show sslcert ipport=1.1.1.1:443

show sslcert ipport=0.0.0.0:443

show sslcert ipport=[::]:443

https://msdn.microsoft.com/en-us/library/windows/desktop/cc307243(v=vs.85).aspx

Best Regards,

Joyce

February 26th, 2015 10:15pm
