Came across an interesting issue today. This was on an SBS 2008 server which has had a third-party certificate installed before without any issues.

Renewed the certificate and installed it using the wizards and everything appeared to work fine, except that the SSTP VPN connections were now rejected with Error 619.

After a bit of head scratching, here is the issue and resolution.

Error 619 reports that the certificate hashes do not match (which in this case was the issue).

Step 1: Run “netsh http show ssl” in an administrator command prompt. Check whether both of the IPv4 :443 hashes listed are the same. My guess is they will be different (if so, continue to the next step).

Step 2: Click Start, type “mmc” and press Enter. Now click File -> Add/Remove Snap-in -> Certificates -> Local Computer and follow the Next buttons. Click Personal -> Certificates and find the new certificate you have just installed. Double-click the certificate -> Details -> scroll to the bottom and copy the Thumbprint. Now take all of the spaces out so it reads something like this: “f7a0z0b21773c4a2761f0b34588fafb895245e82”.

Step 3: Run these commands from an elevated command prompt ->

netsh http delete sslcert ipport=0.0.0.0:443

netsh http delete sslcert ipport=[::]:443

reg delete HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v SHA256CertificateHash /f

netsh http add sslcert ipport=0.0.0.0:443 certhash=YourHashFromAbove appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

netsh http add sslcert ipport=[::]:443 certhash=YourHashFromAbove appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

net stop sstpsvc /y

net start remoteaccess

The first three commands remove both of the network bindings and the certificate hash from the registry; the next two then add the new hash for both of the network bindings. The last two restart the SSTP and Remote Access services.

Once you have completed the above steps, if your issue is that the certificates don’t match, this should resolve it.
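
A read-only PowerShell check for Steps 1 and 2, which can be run before and after Step 3 (an added example, not part of the original post). It assumes PowerShell is available on the server and that netsh prints its English field labels; the script name Test-SstpBinding.ps1 is hypothetical.

```powershell
# Test-SstpBinding.ps1 - added example, not from the original post.
# Read-only: it changes no bindings, registry values or services.
param([string]$Thumbprint = $(throw 'Pass the thumbprint copied in Step 2'))

# Step 2 normalisation: keep hex digits only. This removes the spaces and any
# invisible character picked up when copying from the certificate Details tab.
$want = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToLower()
if ($want.Length -ne 40) { throw "Expected 40 hex digits, got $($want.Length)" }

# The renewed certificate must be in Local Computer\Personal with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $want }
if (-not $cert) { throw "No certificate with thumbprint $want in LocalMachine\My" }
'Subject       : ' + $cert.Subject
'Expires       : ' + $cert.NotAfter
'HasPrivateKey : ' + $cert.HasPrivateKey

# Step 1: collect the 'IP:port' / 'Certificate Hash' pairs from the netsh output.
$bindings = @{}
$ipport = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
        $ipport = $Matches[1]
    } elseif ($ipport -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
        $bindings[$ipport] = $Matches[1].ToLower()
    }
}

# Both bindings that Step 3 rewrites must carry the renewed certificate's hash.
$ok = $true
foreach ($ep in '0.0.0.0:443', '[::]:443') {
    $have = $bindings[$ep]
    if (-not $have)          { $state = 'MISSING'; $ok = $false }
    elseif ($have -eq $want) { $state = 'match' }
    else                     { $state = "MISMATCH (bound: $have)"; $ok = $false }
    '{0,-13} : {1}' -f $ep, $state
}

# Show the hash SstpSvc keeps in the registry (the value Step 3 deletes), if present.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$reg = (Get-ItemProperty $key -ErrorAction SilentlyContinue).SHA256CertificateHash
if ($reg) { 'SstpSvc SHA256CertificateHash : ' + [BitConverter]::ToString([byte[]]$reg) }

if ($ok) { 'Both :443 bindings match the certificate.' }
else     { 'Bindings do not match the certificate: continue with Step 3.' }
```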