Renew SSL certificate Remote Desktop Services 2016

3 Replies


Mace

OP

Best Answer

JitenSh


Jul 3, 2020 at 13:41 UTC

Users will not be able to RDP; they will get a certificate error. Better to renew it for 3 years.

CREATE A NEW CERTIFICATE REQUEST: CSR

1. Launch IIS Manager and click the SERVER name (not the websites or virtual directories).
2. In the IIS section, click SERVER CERTIFICATES (if you don’t see this, you are likely not at the server level; go click on the server name at the top of the IIS Manager CONNECTIONS tree).
3. Click CREATE CERTIFICATE REQUEST and complete the form. Note that the only things that really count are the certificate name (like tsg.commodore.ca) and company information.
4. Click NEXT and on the CRYPTOGRAPHIC screen, leave the default MICROSOFT RSA… provider option, but you must change the BIT LENGTH to 2048.
5. Specify a path for the CSR. I like C:\ but it really makes no difference.



SUBMIT YOUR CSR AND GET A NICE NEW CERTIFICATE:

1. Surf on over to GODADDY.COM or your favourite provider.
2. Pay them for the cert.
3. Submit the CSR.
4. Wait for an approval request email from GoDaddy (or whoever you used).
5. Click the link in the approval request email and approve the request.
6. Wait anywhere from 2 minutes to 2 hours and check your GoDaddy account for the new cert, then download it to your server.

Perhaps everyone does this, but I know for sure that GoDaddy will take your new cert dates and extend them by the amount of time left on your existing cert. For example, if you buy a new 3 year cert and your current cert expires in two months, GoDaddy will give you a new cert which expires in 3 years and two months.

GoDaddy will give you two certs: 1: your cert 2: an intermediate cert. If this is a renewal, you can ignore the intermediate cert because you already installed it when you installed your first cert.

If you have any questions, call GoDaddy at 480 505 8877 any time day or night, they are awesome. (And no, GoDaddy does not pay me anything… I just like them.)

INSTALL A CERTIFICATE ON THE TS/RD GATEWAY SERVER:

1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
   • Click Start, click Run, type mmc, and then click OK.
   • On the File menu, click Add/Remove Snap-in.
   • In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
   • In the Certificates snap-in dialog box, click Computer account, and then click Next.
   • In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
   • In the Add or Remove snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), and then click Personal.
3. Right-click the Personal folder, point to All Tasks, and then click Import.
4. On the Welcome to the Certificate Import Wizard page, click Next.
5. On the File to Import page, in the File name box, specify the name of the certificate that you want to import, and then click Next.
6. On the Password page, do the following:
   • If you specified a password for the private key associated with the certificate earlier, type the password.
   • If you want to mark the private key for the certificate as exportable, ensure that Mark this key as exportable is selected.
   • If you want to include all extended properties for the certificate, ensure that Include all extended properties is selected.
7. Click Next.
8. On the Certificate Store page, accept the default option, and then click Next.
9. On the Completing the Certificate Import Wizard page, confirm that the correct certificate has been selected.
10. Click Finish.
11. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.
12. With Certificates selected in the console tree, in the details pane, verify that the correct certificate appears in the list of certificates on the TS Gateway server. The certificate must be under the Personal store of the local computer.

MAP A CERTIFICATE TO THE LOCAL TS / RD GATEWAY SERVER:

You must use TS Gateway Manager to map the TS Gateway server certificate. If you map a TS Gateway server certificate by using any other method, TS Gateway will not function correctly.

1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
2. In the TS Gateway Manager console tree, right-click the local TS Gateway server, and then click Properties.
3. On the SSL Certificate tab, click Select an existing certificate for SSL encryption (recommended), and then click Browse Certificates.
4. In the Install Certificate dialog box, click the certificate that you want to use, and then click Install.
5. Click OK to close the Properties dialog box for the TS Gateway server.
6. If this is the first time that you have mapped the TS Gateway certificate, after the certificate mapping is completed, you can verify that the mapping was successful by viewing the TS Gateway Server Status area in TS Gateway Manager. Under Configuration Status and Configuration Tasks, the warning stating that a server certificate is not yet installed or selected and the View or modify certificate properties hyperlink are no longer displayed.


Pure Capsaicin

OP

DragonsRule


Jul 3, 2020 at 16:59 UTC

Microsoft Remote Desktop Services expert

102 Best Answers

339 Helpful Votes

blackivory wrote:



Well, if I'm not mistaken, if I use a paid SSL certificate I will have the problem only once per year but I think there will be no difference in managing expired cert.

Or if I renew paid cert, will the certificate update also in remote client pc (i can't use deploy from office DC)?


If you get one that's from a trusted source, the PCs will trust it without you having to issue anything. That would work the same as going to a web site from a bank or something.

When you self sign you can't make that happen though, so you need to get the cert to the PCs.


Pure Capsaicin

OP

dbeato


Jul 6, 2020 at 16:28 UTC

blackivory wrote:

Hi All,
I'm testing RD Gateway with self-signed certificate for RDP from remote pc, almost all out office domain.

It will expire on Jan 2021: at that date what will happen?
All users will not access in rds server I presume so, how to manage this fact?
If I renew cert before expire day, yet no user access, right?


The only way is to inform customer about a little production stop , to renew cert and to send a new certificate to users?


Well, if I'm not mistaken, if I use a paid SSL certificate I will have the problem only once per year but I think there will be no difference in managing expired cert.

Or if I renew paid cert, will the certificate update also in remote client pc (i can't use deploy from office DC)?
Thanks

Regards
Stefano

What if you setup a Let's Encrypt SSL and it will change it automatically on the RD Gateway?

https://certifytheweb.com/

https://community.certifytheweb.com/t/post-renewal-script-for-binding-new-certificate-to-remote-desk...

https://community.certifytheweb.com/t/rdweb-remote-app-windows-server-2016-issues/512/5

https://www.mcbsys.com/blog/2019/05/certify-the-web-on-server-2016-with-essentials/


Remote Desktop SSL Certificate Renewal - Connection Problems


  • Question


    I am running a local server with Server 2012 R2 Essentials. I had an SSL certificate, through GoDaddy, installed last year when I set this thing up. It recently expired, and I went through the renewal process. In the server IIS manager, in Server Certificates, I have the newest certificate installed for the remote web access site (i.e. remote.domain.com).

    Then, under Default Web Site -> Bindings, I selected the new certificate for both port 443 host names as I had previously.

    Everything was working fine before the certificate expired. However, now when trying to access via the RDWeb, the site is showing as not secured. Also, when connecting through the RDP, even on my local domain, I am getting the error "This computer can't verify the identity of the RD Gateway "abc.domain.com"...

    I've tried viewing & installing the certificate, but the problem persists. I've checked the Server Manager -> Remote Desktop Services Deployment, and under Certificates, it is showing all (RD Connection Broker - Enable Single Sign On, RD Connection Broker - Publishing, RD Web Access, and RD Gateway) as Untrusted. I did attempt to create a new certificate here to no avail.

    Forgive me for not being an expert... just a small business owner trying to continue allowing my users remote access from home. The process of renewing an SSL certificate seems overly complicated here. Any help is appreciated! I have searched for a solution all morning and haven't been able to figure out where I've gone wrong.

    -Jon

    Monday, March 13, 2017 6:13 PM

All replies


    Hi Jon,

    1. On your server, please open certlm.msc. Under Personal -- Certificates, please verify that your new certificate (the one with future expiration date) is present, and double-click to view it. On the bottom of the General tab, there should be a yellow lock icon with the words "You have a private key that corresponds to this certificate.". If the private key isn't there then you cannot use the certificate and must re-do the cert process.

    2. In IIS Manager, please double-check that your new certificate is listed for 443 binding. Please click the View button to verify the precise certificate that is assigned.

    3. In RD Gateway Manager, please double check that your new certificate is assigned.

    Please reply back with your results and findings.

    Thanks.

    -TP

    • Proposed as answer by TP []MVP Wednesday, March 15, 2017 12:13 PM
    • Marked as answer by TP []MVP Monday, May 1, 2017 1:56 AM

    Monday, March 13, 2017 7:57 PM
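
The three checks in the reply above can also be scripted. The following is an added example, not part of the original thread: it compares the thumbprint of the newest certificate in the Local Computer Personal store with what IIS, RD Gateway and the RDS deployment roles are actually using. The host name `remote.example.com` is a placeholder, and matching on the subject CN is an assumption that will not fit wildcard or SAN-only certificates.

```powershell
# Added example: run in an elevated PowerShell session on the RD Gateway server.
Import-Module WebAdministration       # provides the IIS:\ drive
Import-Module RemoteDesktopServices   # provides the RDS:\ drive

$hostName = 'remote.example.com'      # placeholder: the name the certificate was issued to

# Check 1: newest matching certificate in Local Computer\Personal and its private key.
$new = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$hostName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $new) { throw "No certificate for $hostName found in Cert:\LocalMachine\My" }
if (-not $new.HasPrivateKey) {
    Write-Warning "Certificate $($new.Thumbprint) has no private key and cannot be used."
}
if ($new.NotAfter -lt (Get-Date)) {
    Write-Warning "Newest certificate already expired on $($new.NotAfter)."
}

$report = @()

# Check 2: certificate bound to each IIS HTTPS listener on port 443.
foreach ($b in Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 }) {
    $report += [pscustomobject]@{ Consumer = "IIS $($b.IPAddress):$($b.Port)"; Thumbprint = $b.Thumbprint }
}

# Check 3: certificate assigned in RD Gateway.
$gw = (Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint).CurrentValue
$report += [pscustomobject]@{ Consumer = 'RD Gateway'; Thumbprint = $gw }

# The deployment roles shown under Server Manager's RDS certificates page,
# queried only when the RemoteDesktop cmdlets are available.
if (Get-Command Get-RDCertificate -ErrorAction SilentlyContinue) {
    Get-RDCertificate -ErrorAction SilentlyContinue | ForEach-Object {
        $report += [pscustomobject]@{ Consumer = "RDS role $($_.Role) [$($_.Level)]"; Thumbprint = $_.Thumbprint }
    }
}

# Any row with UsesNewCert = False is still pointing at a different certificate.
$report | Select-Object Consumer, Thumbprint,
    @{ Name = 'UsesNewCert'; Expression = { $_.Thumbprint -eq $new.Thumbprint } } |
    Format-Table -AutoSize
```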


    TP,

    Thank you for the assistance. The certificate is valid and applied properly now. After hours of troubleshooting, I decided to give the old "reboot the server" fix a try, and voila, everything was working (to an extent). You would think if a reboot was required it would prompt you to do so.

    Here's the extent... My client computers are now all getting a warning message upon opening Outlook (we use Office 365, Exchange hosted by Microsoft... no local Exchange server) saying the certificate for "ourdomain.com" is expired. My local server is my domain controller, and my domain is hosted by GoDaddy. So somewhere in the server settings (maybe it's my server??) is hiding my old certificate that expired a few days ago.

    I've drilled through the certificate snap-in and the expired certificate is nowhere to be found. I've contacted GoDaddy customer support, and they said everything is up to date on their end. I've contacted Office 365 customer support, and the same from them. I don't know where this issue lies, but most of the searching I've done points to my domain controller having the issue.

    -Jon

    Wednesday, March 15, 2017 12:05 PM


    Hi Jon,

    For this new issue I recommend you check all your DNS records to make sure they are correct, both on your internal DNS server and your external provider. To assist with troubleshooting, I suggest you start a capture on a workstation using Wireshark/Netmon, open Outlook, stop capture, and examine. In this way you can see precisely which server Outlook is connecting to and downloading the expired certificate from.

    -TP

    • Marked as answer by TP []MVP Monday, May 1, 2017 1:59 AM

    Wednesday, March 15, 2017 12:16 PM
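
As a complement to the packet capture suggested above, the certificate each candidate host presents can be read directly from a workstation. This is an added example, not part of the original thread: the host names are placeholders built from the thread's "ourdomain.com", and the `autodiscover.` name is an assumption about where Outlook looks.

```powershell
# Added example: run from an affected workstation. Only a TLS handshake is performed.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented so expired or untrusted certificates can be inspected.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $tls = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $tls.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
        [pscustomobject]@{
            Host       = $HostName
            Address    = $client.Client.RemoteEndPoint.Address   # what DNS resolved the name to
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Expired    = $cert.NotAfter -lt (Get-Date)
        }
    }
    catch {
        # Name did not resolve, port closed, or handshake failed: report it instead of stopping.
        [pscustomobject]@{
            Host = $HostName; Address = $null; Subject = "no TLS answer: $($_.Exception.Message)"
            Issuer = $null; NotAfter = $null; Thumbprint = $null; Expired = $null
        }
    }
    finally {
        if ($tls) { $tls.Dispose() }
        $client.Close()
    }
}

# Placeholder names: the mail domain, the assumed Autodiscover name, and the RD Gateway name.
$names = 'ourdomain.com', 'autodiscover.ourdomain.com', 'remote.ourdomain.com'
$names | ForEach-Object { Get-ServedCertificate -HostName $_ } |
    Format-Table Host, Address, NotAfter, Expired, Subject -AutoSize
```

A row with Expired = True identifies the name and address still serving the old certificate; comparing Address between an internal and an external workstation shows whether the two DNS views disagree.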


    Hi Jon,

    If the above reply has resolved your problem, please mark it as answer as it would be helpful to anyone who encounters the similar issue.

    Thank you.

    Best Regards,

    Jay



    Thursday, March 23, 2017 11:43 AM

Renew your Remote Desktop Server SSL Certificate

  • Kim Pham
  • October 1, 2020


There are many articles online on how to renew an SSL certificate; however, they are generic and not focused on Remote Desktop Servers. Below is a quick and easy way to renew your SSL certificate on your RDS or Terminal Server.

As we are Aussie based, this guide uses Synergy Wholesale as the reseller of SSL Certificates.

Okay, let's go:

Generate a CSR Code for Remote Desktop Services

When applying for an SSL Certificate, you must generate a CSR code and submit it to the CA. The CSR includes contact details about your website or company. Depending on the version of your Remote Desktop Gateway Server, you can create the CSR in the same release of IIS. Microsoft IIS server comes pre-installed with every version of Windows.

For instance, if you use RDS 2016, you will generate your CSR in IIS 10 which is included in Windows Server 2016.

We’ve already written comprehensive guides on how to generate a CSR code on various IIS versions. Use the links below to find the relevant guide:

  • How to Generate a CSR code in Microsoft IIS 7? (RDS 2008)
  • How to Generate a CSR code in Microsoft IIS 8 & 8.5? (RDS 2012)
  • How to Generate a CSR code in Microsoft IIS 10? (RDS 2016)

After you create your CSR and complete the SSL validation, the CA will send all the necessary certificate files to your inbox. You can now proceed to SSL installation.