We are planning our Direct Access environment now and plan to also use SSTP VPN on the same box.

I understand that the best practice is to use a certificate published by a public CA for the outward facing IP-HTTPS listener and we plan to do this however during testing we would like to use a certificate created from our internal CA. If our testing phase is successful and we plan to go ahead we would then buy a public CA certificate and replace the internally created one.

I would just like to know how much of an issue/hassle it would be to do this. I believe that during the DA setup wizard it automatically inserts the certificates you provide. Is it a problem to change it afterward? Do you have uninstall DA and run through the wizard again? Thanks.

It should work fine as long as the certificate is trusted by your clients and you have the CRL published externally. The CRL is usually the sticking point when using private internal PKIs to issue IP-HTTPS or SSTP VPN certificates.

Or you can use a Public 30-day trial SSL that is supported on all Clients.

The hassle of changing it, will be the same as when you are renewing a public SSL certificate in the future. And yes, you have to re-run the wizard again, after you have imported the new SSL certificate on the DA server.