Changing server certificate in VPN
Last time, you recommended using a URL dedicated to the SSTP service for the sake of clarity and understanding. Also, a VPN address such as "sstp.yourdomain.com" is not the worst kind. Be careful to tell your DNS server about an alias for your VPN server that is not necessarily the FQDN. Now I want to know about changing the server certificate. Since you guys told me about the previous installation, which helped me a lot, I thought I would post my query here instead of searching for it on the Internet. Please tell me in detail about changing the server certificate. Any other information related to the topic would be appreciated.
Re: Changing server certificate in VPN
The CRL, or Certificate Revocation List, is, as its name indicates, an item containing all certificates that have been revoked, in other words that are no longer valid. Therefore, to verify that the server certificate is still valid, the client computer must have access to the storage location of the CRL. For remote clients, this is usually a URL on a web server of the company. By default, the URL of the CRL has the form http://nameofyourserver.yourdomain/ ... while this name is not necessarily reachable from the Internet. It is worthwhile to change the address to the form http://sstp.yourdomain/ ... so that it matches the URL of the VPN instance. If possible, this change must be made directly in the properties of the CA before the first server certificate is issued. Once you have checked that the certificates have integrated this new data, and after forcing the first publication of the CRL, the problems should disappear.
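The check a practitioner wants after following the advice above is whether the CRL Distribution Point (CDP) URL that actually ended up inside the issued server certificate carries the public VPN name and answers over HTTP. The following PowerShell snippet is an added example, not code from the original post; it assumes the certificate sits in the LocalMachine\My store and that "sstp.yourdomain.com" is the public name chosen for the VPN, as discussed in the thread.

```powershell
# Added example (not from the original post): list the CRL Distribution Point URLs
# embedded in each server-authentication certificate in the local machine store and
# test whether each URL answers over HTTP. The store path and the expected public
# host name 'sstp.yourdomain.com' are assumptions taken from the thread.
$ExpectedHost = 'sstp.yourdomain.com'
$CdpOid       = '2.5.29.31'            # id-ce-cRLDistributionPoints
$ServerAuth   = '1.3.6.1.5.5.7.3.1'    # Server Authentication EKU

$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ServerAuth }

foreach ($cert in $certs) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
    if (-not $ext) {
        Write-Warning "$($cert.Subject) [$($cert.Thumbprint)]: no CRL Distribution Point extension"
        continue
    }
    # Format($true) renders the ASN.1 extension as multi-line text; pull out every URL= entry.
    $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }

    foreach ($url in $urls) {
        $publicName = ([uri]$url).Host -eq $ExpectedHost
        try {
            $resp  = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            $reach = "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
        } catch {
            $reach = "unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            CdpUrl     = $url
            PublicName = $publicName   # $false means the cert still carries the internal CA name
            Reachable  = $reach
        }
    }
}
```

Run it from a machine that is outside the company network, or at least one that resolves names the way a remote client would; a certificate whose CDP still points at the internal server name will show `PublicName = False`, and an unpublished CRL shows up as an unreachable URL.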
Re: Changing server certificate in VPN
Sometimes the certificate has to be changed at the server level. Cases include the corruption of the certification authority, or simply a change of the FQDN used to reach the server, or a change of the URL where the CRL is published. If you need to replace it, do as follows:
- Delete the old certificate from the store and import the new one.
- Open a command prompt as administrator and enter these commands:
- netsh http delete ssl 0.0.0.0:443 (this removes the binding between the certificate and port 443)
- netsh http delete ssl [::]:443 (same for IPv6)
- reg delete HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v SHA256CertificateHash /f
If you have multiple server authentication certificates in the store, also enter these two commands:
- netsh http add sslcert ipport=0.0.0.0:443 certhash=[thumbprint of the certificate, without spaces] appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
- netsh http add sslcert ipport=[::]:443 certhash=[thumbprint of the certificate, without spaces] appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
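The steps above are easy to get wrong by hand (a thumbprint copied with spaces, one of the two address families forgotten). The following PowerShell script is an added example, not code from the original post, that performs the same sequence: it selects the certificate by name, removes both port 443 bindings and SSTP's cached hash, and always re-binds explicitly rather than only when several certificates are present. It assumes the public VPN name "sstp.yourdomain.com" from the thread and the application id quoted in the post, and must be run from an elevated session.

```powershell
# Added example (not from the original post): re-bind SSTP to a freshly imported
# server certificate, following the steps of the post above.
# Assumptions: the VPN name 'sstp.yourdomain.com' (from the thread) and the SSTP
# HTTP.SYS application id (from the post). Run from an elevated PowerShell session.
$SstpName   = 'sstp.yourdomain.com'
$AppId      = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'
$RegPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$ServerAuth = '1.3.6.1.5.5.7.3.1'    # Server Authentication EKU
$IpPorts    = '0.0.0.0:443', '[::]:443'

# 1. Pick the newest valid server-authentication certificate with a private key for the VPN name.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -like "CN=$SstpName*" -or $_.DnsNameList.Unicode -contains $SstpName) -and
        $_.EnhancedKeyUsageList.ObjectId -contains $ServerAuth
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable server certificate for $SstpName in LocalMachine\My" }
$hash = $cert.Thumbprint    # hex, already without spaces

# 2. Remove the existing port 443 bindings (IPv4 and IPv6) and the hash SSTP cached.
foreach ($ipport in $IpPorts) {
    netsh http delete sslcert ipport=$ipport | Out-Null
}
Remove-ItemProperty -Path $RegPath -Name 'SHA256CertificateHash' -ErrorAction SilentlyContinue

# 3. Bind the chosen certificate explicitly so SSTP does not guess among several.
foreach ($ipport in $IpPorts) {
    netsh http add sslcert ipport=$ipport certhash=$hash appid=$AppId certstorename=MY
    if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed for $ipport" }
}

# 4. Restart SSTP (and the RRAS service that depends on it) and show the result.
Restart-Service -Name SstpSvc -Force
netsh http show sslcert
```

After the restart, the `netsh http show sslcert` output should list the new thumbprint for both 0.0.0.0:443 and [::]:443 with the SSTP application id; if the old hash is still shown, the registry value was not removed before the service came back up.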
Re: Changing server certificate in VPN
OpenVPN is a solution based on SSL. This ensures two things at once, without needing a lot of client-side software:
- authentication of client and server
- securing the transmission channel
It allows, for example, to get around the NAT problems of IPSec, offering the same protection but without the constraints. The exchange of keys for data encryption in IPSec can be done in three ways:
- by hand: not very practical
- IKE (Internet Key Exchange), a protocol developed for IPSec. ISAKMP (Internet Security Association and Key Management Protocol) is the basis; its role is the establishment (negotiation and implementation), modification and deletion of SAs. It consists of two phases:
- the first creates a secure channel (via Diffie-Hellman) and authenticates it; through this channel a secret key is exchanged that is used to derive phase 2.
- the second sets up IPSec with its parameters and one SA in each direction of communication. The data exchanged is protected through the channel established in phase 1.