RRAS: To use SSTP, at least one valid certificate must be present on the RRAS server

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Storage Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Network Policy and Access Service (NPAS) Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2012, Windows Server 2008 R2


Routing and Remote Access Service (RRAS)






A certificate that is usable for SSTP is not present on your RRAS server.


If you do not have a correctly configured and accessible SSTP certificate, then remote access clients cannot communicate with the RRAS server by using an SSTP tunnel.

Your Routing and Remote Access server must be configured with a certificate that it can present to client computers upon connection for authentication.

A valid certificate for SSTP must meet the following requirements:

  1. The certificate is configured with the Server Authentication purpose or the All Purposes purpose in the Enhanced Key Usage (EKU) extensions.

  2. The certificate has a private key.

  3. The certificate is not expired.

  4. The subject name of the certificate is the IP address of the external interface on the remote access server, or a regular expression containing a DNS name that resolves to that IP address. If the remote access server is located behind a NAT device, then the IP address or DNS name must be that of the external interface of the NAT device.


Use the Certificates MMC snap-in to request and configure certificates on the RRAS server for SSTP.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To view the certificates in the local computer store

  1. Start the Microsoft Management Console. Click Start, type MMC, and then press ENTER.

  2. Click File and then click Add/Remove Snap-in.

  3. In the Available snap-ins list, select Certificates and then click Add.

  4. Select Computer account, and then click Next.

  5. Select Local computer, click Finish, and then click OK.

  6. Expand Certificates (Local Computer), expand Personal, and then expand Certificates

  7. Double-click a certificate to see the details.

  8. On the Details tab, select Enhanced Key Usage to see in the box below the currently assigned purposes.

  9. Click OK to close the dialog box.

Additional references

For more information about SSTP deployment, see SSTP Remote Access Step-by-Step Guide: Deployment (http://go.microsoft.com/fwlink/?linkid=142711).

For more about creating certificates by using the Active Directory Certificate Services server role, see Active Directory Certificate Services (http://go.microsoft.com/fwlink/?linkid=136444) in the Windows Server Technical Library.

For more about the Routing and Remote Access role service, see Routing and Remote Access (http://go.microsoft.com/fwlink/?linkid=153482) on TechNet, and Routing and Remote Access Service in the Windows Server Technical Library.