
We currently have an SSTP server (running on Windows Server 2008 R2 but it is being migrated to Windows Server 2016). At the moment, the server is configured using a wildcard certificate for one of our domains, let's call it *.olddomain.com.

As you can imagine from the example, the domain is old and we've already got a new certificate: *.newdomain.com.

The VPN is accessible via DNS entries for both of these domains:

  • vpn.olddomain.com
  • vpn.newdomain.com

Unfortunately, it seems that the SSTP configuration in Windows permits me to set up only one certificate. I COULD just switch to the new one, but then every client which hasn't updated the hostname will likely have issues connecting (the publisher of these certificates is publicly trusted, but I don't think a client accessing olddomain.com will be too happy to get a certificate for newdomain.com).

Is there a way to have both certificates running at the same time so that both hostnames can be used?

Shaamaan
  • Did you add a subject alternative name to the certificate? – Greg Askew Aug 06 '18 at 12:34
  • @GregAskew I would, but I can't. It's a fairly cheap wildcard certificate bought from a public certificate provider, and as it is, I can't really change anything about it. The old one, obviously, was bought a long while ago, while there didn't seem any reason to add anything extra to the new one (still being in possession of the old one, after all)... – Shaamaan Aug 06 '18 at 15:44
  • The HTTPS listener can have only one certificate for a given IP address/port number pair. If you do not use a subject alternative name, the answer is no. – Greg Askew Aug 06 '18 at 17:33
  • @GregAskew If there's no way around that, feel free to make that an official answer. I'll accept it... if a bit reluctantly. ;) That said - I am a bit surprised. You can, after all, create multiple bindings (IP / hostname / port combo) for a single IIS site and have each use a different certificate, which is why I was hoping it's possible to do something similar with the SSTP server... – Shaamaan Aug 06 '18 at 21:07
  • HTTPS got SNI for exactly that ... not all protocols support that though. A second IP may also be a solution. – Gerald Schneider Aug 09 '18 at 14:04

0 Answers
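The two practical checks behind the comments above (does any installed certificate carry a Subject Alternative Name covering a given host name, and which certificate does the SSTP endpoint actually present when a client connects with that host name in SNI) can be scripted. The following PowerShell is an added example and is not part of the question or its comments; the host names vpn.olddomain.com and vpn.newdomain.com come from the question, and the function names are my own. It assumes it runs on a Windows machine with read access to the LocalMachine\My certificate store and, for the optional probe, network access to the VPN host on TCP 443.

```powershell
# Added example, not from the original post. Lists the DNS names a certificate covers
# (SAN extension, OID 2.5.29.17, falling back to the CN for legacy certificates),
# checks wildcard matching the way TLS clients do (one label only), and optionally
# connects to the endpoint with SNI to see which certificate is really served.

function Get-CertDnsNames {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) renders one entry per line, e.g. "DNS Name=*.newdomain.com"
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    if (-not $names) {
        # No SAN: only the CN is available (modern clients ignore it, but report it anyway)
        $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($cn) { $names += $cn }
    }
    return $names
}

function Test-NameMatch {
    param([string]$CertName, [string]$HostName)
    if ($CertName.StartsWith('*.')) {
        # A wildcard covers exactly one label: *.olddomain.com matches vpn.olddomain.com,
        # but neither olddomain.com nor a.b.olddomain.com.
        $suffix = $CertName.Substring(1)   # ".olddomain.com"
        $sameDepth = ($HostName -split '\.').Count -eq ($CertName -split '\.').Count
        return $sameDepth -and $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)
    }
    return ($CertName -ieq $HostName)
}

function Get-ServedCertificate {
    # Opens a TLS session to $HostName:$Port, sending $HostName as the SNI value,
    # and returns the leaf certificate the server presented.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: the goal is to inspect it, not to trust it.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Test-SstpHostCoverage {
    # For each host name: thumbprints of installed certificates that cover it and,
    # with -Probe, whether the certificate actually served for that SNI name covers it.
    param([Parameter(Mandatory)][string[]]$HostNames, [switch]$Probe)
    $installed = Get-ChildItem Cert:\LocalMachine\My
    foreach ($h in $HostNames) {
        $covering = $installed | Where-Object {
            $c = $_
            (Get-CertDnsNames $c) | Where-Object { Test-NameMatch $_ $h }
        }
        $servedOk = $null
        if ($Probe) {
            $served = Get-ServedCertificate -HostName $h
            $servedOk = [bool]((Get-CertDnsNames $served) | Where-Object { Test-NameMatch $_ $h })
        }
        [pscustomobject]@{
            HostName          = $h
            InstalledCovering = ($covering | ForEach-Object { $_.Thumbprint }) -join ','
            ServedCertOK      = $servedOk
        }
    }
}

# Usage with the host names from the question:
# Test-SstpHostCoverage -HostNames 'vpn.olddomain.com','vpn.newdomain.com' -Probe
```

Run without -Probe on the VPN server to see whether any single installed certificate covers both names (the SAN route Greg Askew asked about); run with -Probe from a client to see what each host name actually receives. Because the probe sends SNI, it also shows whether a second listener or a second IP address (Gerald Schneider's alternative) is handing out a different certificate per name. The HTTP.sys binding that SSTP uses on 443 can be cross-checked with `netsh http show sslcert`, which prints the thumbprint bound to each IP:port.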