
Thread: Changing server certificate in VPN

  1. #1
    Join Date
    Sep 2010
    Posts
    15

    Changing server certificate in VPN

    Last time, you recommended using a URL dedicated to the SSTP service for the sake of clarity and understanding. Also, a VPN address like "sstp.yourdomain.com" is not the worst choice. Be careful to tell your DNS server about an alias for your VPN server that is not necessarily the FQDN. Now I want to know about changing the server certificate. Since you told me about the previous installation, which helped me a lot, I thought I would post my query here instead of searching for it on the Internet. Please tell me in detail about changing the server certificate. Any other information related to the topic would be appreciated.

  2. #2
    Join Date
    Feb 2010
    Posts
    524

    Re: Changing server certificate in VPN

    The CRL, or Certificate Revocation List, is, as its name indicates, an item containing all certificates that have been revoked, in other words that are no longer valid. Therefore, to verify that the server certificate is still valid, the client computer must have access to the storage location of the CRL. For remote clients, this is usually a URL on a web server of the company. By default, the URL of the CRL has the form http://nameofyourserver.yourdomain/ ... while this name is not necessarily accessible from the Internet. It is worthwhile to change the address and give it the form http://sstp.yourdomain/ ... so that it matches the URL of the VPN instance. If possible, this change must be made before the first server certificate is issued, directly in the properties of the CA. After checking that the certificates have integrated this new data, and then forcing the first publication of the CRL, the problems should disappear.
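The following is an added example, not code from the original post, showing how the CDP change described above is made on an Active Directory Certificate Services CA and then checked on an issued certificate. It assumes a hypothetical VPN name sstp.yourdomain.com whose web server exposes the CA's CertEnroll directory over HTTP, and that the server certificate was issued after the change (the CDP extension is baked into each certificate at issuance, so certificates issued earlier keep the old URL). Run it in an elevated PowerShell prompt on the CA.

```powershell
# Added example (not from the original post). Assumes an AD CS CA and the
# hypothetical name sstp.yourdomain.com; adjust the URL for your environment.

# 1. Show the CRL publication / CDP URLs the CA currently uses.
certutil -getreg CA\CRLPublicationURLs

# 2. Replace them. Each entry is "<flags>:<location>". Flags: 1 = publish the CRL
#    to this location, 2 = include in the CDP extension of issued certificates,
#    4 = include in the CDP of the CRL itself, 64 = include in the IDP extension.
#    65 (1+64) for the local file, 6 (2+4) for the public HTTP URL. The certutil
#    tokens %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix.
#    The literal "\n" separates entries (PowerShell does not treat it as an escape).
certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://sstp.yourdomain.com/CertEnroll/%3%8%9.crl"

# 3. Restart the CA so the new setting is read, then force a CRL publication.
Restart-Service certsvc
certutil -CRL

# 4. Verify on the VPN server's certificate (reissue it first if it predates the change):
#    print the CRL Distribution Points extension (OID 2.5.29.31) from the certificate
#    in LocalMachine\My, and let certutil fetch every URL it finds in the chain.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=sstp.yourdomain.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate for sstp.yourdomain.com in LocalMachine\My' }

$cert.Extensions |
    Where-Object { $_.Oid.Value -eq '2.5.29.31' } |
    ForEach-Object { $_.Format($true) }

Export-Certificate -Cert $cert -FilePath "$env:TEMP\sstp.cer" | Out-Null
certutil -verify -urlfetch "$env:TEMP\sstp.cer"

# 5. What a remote client actually needs: the CRL must be reachable from outside.
#    Run this from an Internet-connected machine; the file name follows %3%8%9.crl.
Invoke-WebRequest -Uri 'http://sstp.yourdomain.com/CertEnroll/YourCA.crl' -OutFile "$env:TEMP\YourCA.crl"
certutil -dump "$env:TEMP\YourCA.crl"
```

The `certutil -verify -urlfetch` output is the quickest way to see the problem the post describes: each CDP URL is listed with "Verified" or a download error, so an internal-only host name shows up immediately as a failed fetch.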

  3. #3
    Join Date
    Feb 2010
    Posts
    537

    Re: Changing server certificate in VPN

    Sometimes the certificate has to be changed at the server level. Reasons include corruption of the certification authority, a simple change of the server's access FQDN, or a change of the URL at which the CRL is published. If you need to replace it, proceed as follows:
    1. Delete the old certificate from the store and import the new one.
    2. Open a command prompt as administrator and enter these commands:
    3. netsh http delete sslcert ipport=0.0.0.0:443 # this removes the binding between the certificate and port 443
    4. netsh http delete sslcert ipport=[::]:443 # same for IPv6
    5. reg delete HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v SHA256CertificateHash /f

    If you have multiple server authentication certificates in the store, enter these two commands:
    • netsh http add sslcert ipport=0.0.0.0:443 certhash=[thumbprint of the certificate, without spaces] appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
    • netsh http add sslcert ipport=[::]:443 certhash=[thumbprint of the certificate, without spaces] appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
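The procedure above, as an added PowerShell example that is not part of the original post. It selects the new certificate by subject name so the thumbprint is never typed by hand, removes the old IPv4 and IPv6 bindings and the cached SSTP hash, binds the new certificate, and shows the result. The VPN name sstp.yourdomain.com is a hypothetical value; the AppID is the SSTP one given in the post. The new certificate is assumed to be already imported, with its private key, into LocalMachine\My.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell prompt
# on the SSTP server. Assumes the hypothetical name sstp.yourdomain.com.
$vpnName = 'sstp.yourdomain.com'
$appId   = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'   # SSTP AppID from the post

# Newest certificate for the VPN name that has a private key, is not expired
# and carries Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "CN=$vpnName*" -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable server certificate for $vpnName in LocalMachine\My" }

# Thumbprint as netsh wants it: hex with no spaces.
$hash = ($cert.Thumbprint -replace '\s', '')
Write-Host "Binding $($cert.Subject) thumbprint $hash (expires $($cert.NotAfter))"

# Step 1 of the post is done manually; steps 3-5: drop the old bindings and the
# cached SHA-256 hash. Failures here just mean nothing was bound, so they are ignored.
netsh http delete sslcert 'ipport=0.0.0.0:443' | Out-Null
netsh http delete sslcert 'ipport=[::]:443'     | Out-Null
reg delete 'HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters' /v SHA256CertificateHash /f 2>$null

# Bind the new certificate on IPv4 and IPv6.
netsh http add sslcert 'ipport=0.0.0.0:443' "certhash=$hash" "appid=$appId" certstorename=MY
netsh http add sslcert 'ipport=[::]:443'     "certhash=$hash" "appid=$appId" certstorename=MY

# Restart Routing and Remote Access so SSTP picks the binding up, then verify.
Restart-Service RemoteAccess
netsh http show sslcert 'ipport=0.0.0.0:443'
netsh http show sslcert 'ipport=[::]:443'
```

The `netsh http show sslcert` output should list the new thumbprint under "Certificate Hash" for both addresses; if the IPv4 entry is correct but the IPv6 one is missing, clients connecting over IPv6 will still fail the TLS handshake.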

  4. #4
    Join Date
    Feb 2010
    Posts
    641

    Re: Changing server certificate in VPN

    OpenVPN is an SSL-based solution. This provides two things at once, without needing a lot of client-side software:
    • authentication of client and server
    • securing of the transmission channel

    It allows, for example, getting around the NAT problems of IPsec while offering the same protection without the constraints. The exchange of keys for data encryption in IPsec can be done in three ways:
    1. manually: not very practical
    2. IKE (Internet Key Exchange), a protocol developed for IPsec. ISAKMP (Internet Security Association and Key Management Protocol) has as its basic role the establishment (negotiation and implementation), modification and deletion of SAs. It consists of two phases:
      • the first creates a secure channel (by Diffie-Hellman), authenticated, through which a secret key is exchanged that is used to derive the keys of phase 2.
      • the second sets up IPsec with its parameters and one SA in each direction of communication. The data exchanged is protected by the channel established in phase 1.
