RRAS: If there are multiple valid certificates for SSTP then the preferred certificate should be specified

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Storage Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Network Policy and Access Service (NPAS) Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2012, Windows Server 2008 R2


Routing and Remote Access Service (RRAS)






There are multiple valid certificates for SSTP, and the administrator selected 'Default' instead of specifying the certificate to be used for SSTP.


If there is more than one valid certificate for use with SSTP and 'Default' is selected, then RRAS does not know which certificate to use and selects one at random. The selected certificate might not be the one intended for this use.


Use 'Routing and Remote Access' in Server Manager to select a certificate to use for SSTP on the Routing and Remote Access Properties page.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To specify the SSTP certificate to be used

  1. Start Server Manager. Click Start, click Administrative Tools, and then click Server Manager.

  2. In the navigation tree, expand Roles, expand Network Policy and Access Services, then right-click Routing and Remote Access and then click Properties.

  3. On the Security, under SSL Certificate Binding, select the certificate that you want to use for SSTP in the Certificate list, and then click OK.

  4. You can view the properties of the selected certificate by clicking View

Additional references

For more information about SSTP deployment, see SSTP Remote Access Step-by-Step Guide: Deployment (http://go.microsoft.com/fwlink/?linkid=142711).

For more about creating certificates by using the Active Directory Certificate Services server role, see Active Directory Certificate Services (http://go.microsoft.com/fwlink/?linkid=136444) in the Windows Server Technical Library.

For more about the Routing and Remote Access role service, see Routing and Remote Access (http://go.microsoft.com/fwlink/?linkid=153482) on TechNet, and Routing and Remote Access Service in the Windows Server Technical Library.