The Secure Socket Tunneling Protocol service could not configure the following certificate for use with Internet Protocol version 6 (IPv6).

Question

The Secure Socket Tunneling Protocol service could not configure the following certificate for use with Internet Protocol version 6 (IPv6).

Hong 1,246

I have taken a look at a few similar questions but feel their cases are different, so I I am asking for help here.

Here is an entry in Event Viewer:

The Secure Socket Tunneling Protocol service could not configure the following certificate for use with Internet Protocol version 6 (IPv6). This might prevent SSTP connections from being established successfully. Correct the problem and try again. Certificate Name - CN=*.mycomain.com A specified logon session does not exist. It may already have been terminated.

The certificate is valid.

Could anyone offer a tip on this?

Accepted answer

0 additional answers

Your answer

Answer 1

Marcin Policht 49,640 MVP Volunteer Moderator

The Event Viewer message you're seeing indicates that the Secure Socket Tunneling Protocol (SSTP) service failed to configure a certificate for IPv6 use, even though the certificate itself is valid. The error:

"A specified logon session does not exist. It may already have been terminated." typically points to a problem with the certificate’s private key usage in the system context, rather than an issue with the certificate validity itself.

Consider the following options

Missing or incorrect private key permissions

The SSTP service (running as Local System) needs access to the private key.
Fix:
- Open certlm.msc (Local Computer Certificates).
- Locate the certificate under Personal > Certificates.
- Right-click the certificate → All Tasks → Manage Private Keys.
- Ensure SYSTEM has Read permissions.

Certificate marked as non-exportable / not machine-stored

If the certificate was imported into a user store or marked as non-exportable, services running under SYSTEM can't access it.
Fix:
- Ensure the certificate is in the Local Computer store.
- Re-import it with the "Mark this key as exportable" option if needed.

Certificate Binding Issue

Even though the cert is valid, SSTP might not be properly bound to it.

Fix:

Use the following command to view bindings:
```
    netsh http show sslcert
```

To re-bind:

    netsh http add sslcert ipport=0.0.0.0:443 certhash=THUMBPRINT appid={APP-ID}

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Hong 1,246 Reputation points

2025-05-04T19:39:56.9466667+00:00

Thanks a lot for lending a hand here.

I followed your instructions to Manage Private Keys, but that option was not under All Tasks. I did some search to find the cause and tried to import the certificate again, but the import process did not ask for a private key. Could you offer a tip on this?
Marcin Policht 49,640 Reputation points MVP Volunteer Moderator

2025-05-04T19:49:03.31+00:00

This seems to imply that your certificate does not include the private key (only the public one)

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Hong 1,246 Reputation points

2025-05-04T20:11:15.8933333+00:00

Will it work without the private key? I have this for show sslcert.

I tried to rebind:

netsh http add sslcert ipport=0.0.0.0:443 certhash=7ea0385135946c079619aadd2a1d59947914e3c3 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}

I got the following:

SSL Certificate add failed, Error: 183

Cannot create a file when that file already exists.

I ran:

netsh http add sslcert ipport=[::]:443 certhash=7ea0385135946c079619aadd2a1d59947914e3c3 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}

Got:

SSL Certificate add failed, Error: 1312

A specified logon session does not exist. It may already have been terminated.
Marcin Policht 49,640 Reputation points MVP Volunteer Moderator

2025-05-04T21:26:13.1466667+00:00

You need the private key for decryption and signing

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Hong 1,246 Reputation points

2025-05-04T21:33:30.1066667+00:00

I deleted this:

then imported the certificate again but used the pfx file instead of the cer file, ran the following command again:

netsh http add sslcert ipport=[::]:443 certhash=7ea0385135946c079619aadd2a1d59947914e3c3 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}

Got:

SSL Certificate successfully added

I tried to start the RRA service again, and it worked this time.

I forgot the password, so I had to export the certificate to get the password.
Marcin Policht 49,640 Reputation points MVP Volunteer Moderator

2025-05-04T22:53:52.0566667+00:00

Yep - .pfx files (unlike the .cer files) do include private keys.

Glad to see this worked

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Hong 1,246 Reputation points

2025-05-04T23:40:41.61+00:00

I am running into the old issue of this site again - I do not get email notifications for the posts that I follow, despite the correct setup of my account. I have to keep refreshing this page to see if there is anything new.

Share via

The Secure Socket Tunneling Protocol service could not configure the following certificate for use with Internet Protocol version 6 (IPv6).

0 additional answers

Your answer