SSTP with self-signed certificates

Sun 11 March 2012 by admin

I was looking for a VPN solution on Windows that lets clients connect easily without worrying about NAT traversal, which is a constant problem with IPsec and PPTP. The answer turned out to be SSTP, the VPN type introduced with Windows Server 2008, which encapsulates PPP frames inside an SSL/TLS connection on TCP port 443, so it passes through NAT and most firewalls like ordinary HTTPS. All the step-by-step guides on configuring SSTP, however, concentrate on enterprise deployments with a full PKI, whereas I wanted to set up my connection with a self-signed certificate and no PKI overhead.

So, step by step, deploying SSTP with self-signed certificates:

  1. Add the role: Network Policy and Access Services (it includes Routing and Remote Access Services, which provides SSTP).

  2. You could simply install the IIS role to generate a self-signed certificate, but the IIS role is not needed for an SSTP VPN at all, and the IIS wizard does not let you choose the common name (it is always set to the hostname). The common name must match the name clients will dial, so instead download [1] to get the selfssl tool and generate the certificate with it like this:


  3. Then place the newly created certificate in the Computer (Local Computer) context of the Certificates MMC snap-in, under Personal:


  4. Bind the new certificate to listening port 443. SSTP uses HTTP.SYS (the kernel-mode HTTP server engine), so the binding is done with netsh http, not in RRAS:


    The appid is always the same for SSTP; the certhash is the certificate's SHA-1 thumbprint, which you can read from the certificate details in the Certificates MMC (the Thumbprint field; remove the spaces between the hex pairs before passing it to netsh).

  5. Set up an IP address pool for VPN clients (RRAS server properties, IPv4 tab, static address pool):


  6. Optionally, restrict the server to SSTP-only VPN connections by disabling the PPTP and L2TP ports under Ports in RRAS:


  7. Add some local users and check that the Network Access Permission on each user's Dial-In tab allows access:


  8. Export your self-signed certificate from the Certificates MMC (public part only, do not include the private key).

  9. Copy the exported certificate to the client and import it in the Computer context into Trusted Root Certification Authorities. Note that this makes the client trust anything signed with that key as a root CA, so keep the server's private key non-exportable and well protected:


  10. Configure the VPN client, choose SSTP as the VPN type, and establish the connection. The server name you dial must match the certificate's common name exactly, or the client will reject the certificate.
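The procedure above from step 4 onward, scripted in PowerShell as an added example (this is not code from the original post). It assumes a certificate with subject CN=vpn.example.com has already been created and placed in Local Computer\Personal (for instance with selfssl), that the server runs in an elevated PowerShell, and that the exported file path C:\vpn-root.cer and the connection name "Home SSTP" are placeholders. The appid is the well-known SSTP application ID; the SstpSvc registry check at the end is an extra sanity check, included as an assumption about how RRAS records the certificate it serves.

```powershell
# ---------- server side (elevated PowerShell on the RRAS server) ----------
$VpnName = "vpn.example.com"          # hypothetical; must equal the name clients dial
$ExportPath = "C:\vpn-root.cer"       # hypothetical output path for the public cert

# Step 4a: find the certificate by subject and take its SHA-1 thumbprint.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$VpnName" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$VpnName in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; SSTP cannot use it" }
$hash = $cert.Thumbprint              # already hex without spaces, unlike the MMC display

# Step 4b: bind it to the HTTP.SYS listener on 443, for IPv4 and IPv6.
# {ba195980-...} is the fixed application ID used by SSTP for its SSL binding.
$sstpAppId = "{ba195980-cd49-458b-9e23-c84ee0adcd75}"
foreach ($ep in "0.0.0.0:443", "[::]:443") {
    netsh http delete sslcert ipport=$ep 2>$null | Out-Null   # ignore "not found"
    netsh http add sslcert ipport=$ep certhash=$hash appid=$sstpAppId
}
netsh http show sslcert               # verify: both endpoints show $hash and $sstpAppId

# Assumption: SstpSvc keeps the hash it serves under this key as REG_BINARY.
# If it differs from the bound certificate, RRAS may re-bind its own choice on restart.
$p = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters" -ErrorAction SilentlyContinue
if ($p -and $p.SHA1CertificateHash) {
    $regHash = ($p.SHA1CertificateHash | ForEach-Object { $_.ToString("X2") }) -join ""
    if ($regHash -ne $hash) { Write-Warning "SstpSvc records hash $regHash, not $hash" }
}
Restart-Service RemoteAccess          # make RRAS pick up the new binding

# Step 8: export the public part only (X509ContentType::Cert never includes the key).
$bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($ExportPath, $bytes)
"Give clients this thumbprint out of band so they can verify the file: $hash"

# ---------- client side (elevated PowerShell on the Windows client) ----------
# Step 9: import into Local Computer\Trusted Root Certification Authorities.
# Compare the thumbprint against the one you received out of band BEFORE trusting it;
# a root you import is trusted for everything it signs, not only this VPN.
$clientCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\vpn-root.cer")
"Imported file thumbprint: $($clientCert.Thumbprint)"
certutil -addstore -f Root "C:\vpn-root.cer"

# Step 10: create the SSTP connection (Add-VpnConnection exists on Windows 8 /
# Server 2012 and later; on Windows 7 use the Network and Sharing Center wizard).
Add-VpnConnection -Name "Home SSTP" -ServerAddress $clientCert.Subject.Replace("CN=", "") `
    -TunnelType Sstp -AuthenticationMethod MSChapv2 -EncryptionLevel Required -RememberCredential
rasdial "Home SSTP"                   # prompts for the user you enabled on the Dial-In tab
```

The server address passed to Add-VpnConnection is taken from the certificate's subject rather than typed by hand, so the dialed name and the common name cannot drift apart. If the connection fails with a certificate error, run `netsh http show sslcert` on the server and compare its certhash with the thumbprint of the file the client imported; a mismatch between those two values is the usual cause.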