Server 2012 RDS Certificate Solution

Everything I had read online pointed to having a Public SAN certificate or using a Self-Signed certificate and pushing it out via group policy. I could not find anything about using an Enterprise CA to dole out a certificate for RDS. This got me thinking about using a SAN certificate internally, but how?

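Allowing SAN certificates this way is a CA-wide change: the EDITF_ATTRIBUTESUBJECTALTNAME2 flag makes the CA honor a SAN supplied as a request attribute on any template it issues, not only the one created below, so review who can enroll in the other templates first. On your Enterprise CA, you can run the following commands to allow SAN certificates: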
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

Next, let's open the Certificate Templates Console.
Right-click the Computer certificate template and click “Duplicate Template”.


I just called this template RDS-Cert and set the Validity period to 4 Years.


I set the Compatibility Settings to 2012 CA and 2012 Server.


Make sure to check the box for allowing the private key to be exported. This is a requirement for RDS, which does not allow you to select a certificate from the local certificate store.


Under Application Policies, we only need Server Authentication.


We want to make the user supply the information so that they can enter *.domain.local for the CN and DNS name.

RDS - Import Cert

Now that we have created the template, import it into the CA templates folder.

RDS - New Cert
On the RDS server, open up the MMC for certificates and request a new certificate. Select the one we called RDS-Cert and click on the more information link.


You need to provide the Common Name and the DNS name of *.domain.local. Click OK and click Enroll. When finished, export the certificate with its private key, give it a password, and name it with a .pfx extension.

RDS-Deployment Properties

Highlight each role service one at a time and select existing certificate. Select the pfx file you just exported and enter the password. Click the check box that is at the bottom and hit OK. You have to select apply after each service. Once this is complete everything will say trusted and OK.
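The request, export and per-role assignment described above can also be scripted. The following PowerShell is an added example, not part of the original post; the broker name rdcb.domain.local and the PFX path are assumptions, as is the template name matching the RDS-Cert display name and all four roles being deployed.

```powershell
# Added example. Assumed values (not from the post): broker FQDN and PFX path.
$Broker   = 'rdcb.domain.local'
$PfxPath  = 'C:\Temp\rds-wildcard.pfx'
$Template = 'RDS-Cert'            # assumes the template name matches the display name
$Name     = '*.domain.local'

Import-Module RemoteDesktop

# Request the certificate; subject and SAN are supplied in the request.
$req = Get-Certificate -Template $Template -SubjectName "CN=$Name" `
                       -DnsName $Name -CertStoreLocation Cert:\LocalMachine\My
if ($req.Status -ne 'Issued') { throw "Request not issued: $($req.Status)" }
$cert = $req.Certificate

# Check what the CA actually issued before deploying it.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekus.Count -ne 1 -or $ekus[0] -ne '1.3.6.1.5.5.7.3.1') {
    throw "Expected only Server Authentication, got: $($ekus -join ', ')"
}
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or -not $san.Format($false).Contains($Name)) {
    throw "SAN does not contain $Name"
}
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }

# Export with the private key; this fails if the template did not mark it exportable.
$pw = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw | Out-Null

# Apply to each role service (drop any role that is not in the deployment).
foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess', 'RDGateway') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $pw `
                      -ConnectionBroker $Broker -Force
}
Get-RDCertificate -ConnectionBroker $Broker

# The PFX holds the wildcard private key; remove it once the roles are configured.
Remove-Item $PfxPath
```

Run it from an elevated session on a server in the deployment.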

1 thought on “Server 2012 RDS Certificate Solution”

  1. I have exactly this need. I am putting up an RDS farm in a (for now) internal AD domain environment, and finding that the self-signed certificate shows as ‘untrusted’.

    I tried to follow this guide, but it seems that a number of steps are not explicitly included. Are you willing to include the missing pieces?

    An example of that would be the step before “We want to make the user supply the information”. Clicking OK to complete the configuration seems to be implied, but is not specifically mentioned there. In the figure below that, the ‘Manage / New / Certificate Template to Issue’ menu is reached from the Certification Authority snap-in, but there is no mention of switching to that snap-in from the Certificate Templates snap-in being used above.

    The sequence for importing the template into the CA Templates folder is not detailed at all.

    Unfortunately, there are very few detailed guides out there on this subject, and this is the first one I have found that addresses the issue of creating certificates that show as ‘trusted’. There are many variables and options, and being able to successfully navigate the process of getting this task completed is a huge step toward gaining an understanding of what is involved.

    I hope you will be able to respond.

    Thank you.
