Everything I had read online pointed to either buying a public SAN certificate or using a self-signed certificate and pushing it out via Group Policy. I could not find anything about using an Enterprise CA to dole out a certificate for RDS. This got me thinking about using a SAN certificate internally, but how?
On the Enterprise CA, the commonly quoted way to allow SANs in requests is to set the EDITF_ATTRIBUTESUBJECTALTNAME2 policy flag and restart the CA service:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
Understand what that flag does before you set it. It makes the CA honour a SAN passed as a request attribute (san:dns=...) on every template, including templates that build the subject from Active Directory and carry the Client Authentication EKU. Anyone allowed to enroll in such a template can then request a certificate that names a different account and log on as that account, which is why this setting is treated as a CA misconfiguration (ESC6 in the Certified Pre-Owned research). The template built below uses "Supply in the request" for the subject, and for such templates the CA already accepts the SAN extension carried inside the CSR without this flag. If you do set it, clear it again with certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 (and restart certsvc) as soon as you are done.
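To see where the CA stands before and after, the following added PowerShell (not from the original post) reads EditFlags straight from the CA's registry and reports whether the EDITF_ATTRIBUTESUBJECTALTNAME2 bit (0x40000) is set. It runs on the Enterprise CA itself as an administrator and takes the CA name from the CertSvc "Active" value, so nothing is hard-coded; the function name is my own.

```powershell
# Added example, not from the original post. Run on the Enterprise CA as an administrator.
# certutil -setreg policy\EditFlags writes to this registry value; we read it back directly
# and test the EDITF_ATTRIBUTESUBJECTALTNAME2 bit instead of parsing certutil output.
function Test-CaSanAttributeFlag {
    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
    $policyKey = Join-Path $configKey "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $editFlags = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags

    $EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000
    $isSet = ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0

    if ($isSet) {
        $risk = 'Set: any enrollee can inject SANs via request attributes on any template. Clear it unless you have a specific need.'
    } else {
        $risk = 'Not set. Templates whose subject is "Supply in the request" still accept a SAN extension inside the CSR.'
    }

    [pscustomobject]@{
        CA                             = $caName
        EditFlags                      = ('0x{0:x}' -f $editFlags)
        EDITF_ATTRIBUTESUBJECTALTNAME2 = $isSet
        Assessment                     = $risk
    }
}

Test-CaSanAttributeFlag | Format-List

# To clear the flag (the inverse of the +EDITF_ATTRIBUTESUBJECTALTNAME2 command above)
# and make the policy module reload it:
#   certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
#   Restart-Service certsvc
```

Run it once before touching the CA so you know the original state, and again after the RDS work to confirm the flag is back off.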
Next, open the Certificate Templates Console (certtmpl.msc).
Right-click the Computer template and choose Duplicate Template.
I called this template RDS-Cert and set the validity period to 4 years.
On the Request Handling tab, check "Allow private key to be exported". RDS requires this: the Deployment Properties dialog does not let you pick a certificate from the local certificate store, it only accepts a .pfx file, so the key has to leave the store. Treat that .pfx as a credential; it holds the private key for *.domain.local, so keep it only where it is needed and delete copies once they are imported.
On the Extensions tab, edit Application Policies so that only Server Authentication remains.
On the Subject Name tab, select "Supply in the request" so that the requester can enter *.domain.local as both the Common Name and a DNS Subject Alternative Name. Because this lets the requester choose any name, tighten the Security tab so that only the RDS servers (or the admin group that enrolls for them) have Enroll permission on this template.
Now that the template exists, publish it on the CA: in the Certification Authority console, right-click Certificate Templates, choose New > Certificate Template to Issue, and select RDS-Cert.
On the server that will hold the key, open the local computer certificate store (certlm.msc), go to Personal > Certificates and choose All Tasks > Request New Certificate. Pick RDS-Cert, click the "More information is required" link, and enter *.domain.local as the Common Name and again as a DNS alternative name. Click OK and then Enroll. When the certificate is issued, export it with its private key, protect it with a password, and save it with a .pfx extension.
In Server Manager, open Remote Desktop Services > Overview > Tasks > Edit Deployment Properties > Certificates. Highlight each role service in turn, click Select existing certificate, browse to the .pfx you just exported, and enter its password. Check the box at the bottom of the dialog and click OK. You must click Apply after each role service before moving to the next. Once all of them are done, the Level column shows Trusted and the Status column shows OK for every role.
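The enrollment, export and binding steps above can also be done from PowerShell, which makes it easy to verify that the issued certificate really has only the Server Authentication EKU and the wildcard SAN before it is handed to RDS. The following is an added example, not part of the original post. It runs on the domain-joined RD Connection Broker as an administrator and assumes the template was published as RDS-Cert, that the broker's FQDN is rdcb01.domain.local, that the wildcard name is *.domain.local, and that C:\Certs\rds-wildcard.pfx is an acceptable temporary location for the exported key; all of those names are assumptions to adjust.

```powershell
# Added example, not part of the original post. Run on the RD Connection Broker as an
# administrator. Assumed values: template name RDS-Cert, broker rdcb01.domain.local,
# wildcard *.domain.local, and a temporary PFX path under C:\Certs.
Import-Module PKI
Import-Module RemoteDesktop

$template = 'RDS-Cert'
$wildcard = '*.domain.local'
$broker   = 'rdcb01.domain.local'           # assumed FQDN of the RD Connection Broker
$pfxPath  = 'C:\Certs\rds-wildcard.pfx'     # assumed path; this file holds the private key
$pfxPass  = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Enroll against the Enterprise CA. -SubjectName becomes the CN and each -DnsName becomes a
#    DNS entry in the SAN extension of the CSR, which the CA honours because the template's
#    subject is "Supply in the request".
$result = Get-Certificate -Template $template `
                          -SubjectName "CN=$wildcard" `
                          -DnsName $wildcard `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status $($result.Status)"
}
$cert = $result.Certificate

# 2. Check what came back before giving it to RDS: the EKU must be exactly Server Authentication
#    (1.3.6.1.5.5.7.3.1) and the SAN must carry the wildcard name.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekuOids.Count -ne 1 -or $ekuOids[0] -ne '1.3.6.1.5.5.7.3.1') {
    throw "Unexpected EKU set on issued certificate: $($ekuOids -join ', ')"
}
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
if ($sanText -notmatch [regex]::Escape("DNS Name=$wildcard")) {
    throw "SAN does not contain ${wildcard}: '$sanText'"
}

# 3. Export with the private key. RDS Deployment Properties only accepts a .pfx, not a store reference.
New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null

# 4. Bind the same PFX to each RDS role service, one role per call, as the GUI does per Apply.
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDRedirector', 'RDPublishing') {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPass `
                      -ConnectionBroker $broker -Force
}

# 5. Verify: every role should now report Level Trusted with the wildcard subject.
Get-RDCertificate -ConnectionBroker $broker | Format-Table Role, Level, Subject, ExpiresOn

# 6. The PFX is a copy of the private key sitting on disk; remove it once the roles are bound.
Remove-Item -Path $pfxPath -Force
```

The EKU and SAN checks in step 2 are the part worth keeping even if you do the rest in the GUI: they catch a template that was duplicated with Client Authentication still enabled, or a request where the DNS name was left off, before that certificate is pushed to every RDS role and to the Trusted Root store of the destination servers.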