Remote Desktop farm certificate

This step-by-step guide will show you how to install an SSL Certificate on Remote Desktop Services [RDS]. You will also learn a few facts about RDS, and where to shop for any type of SSL Certificate. If you still haven't generated your CSR [Certificate Signing Request] and completed the CA's validation, refer to the CSR generation tutorials in the first part of this guide.

Generate a CSR Code for Remote Desktop Services
Install an SSL Certificate on Remote Desktop Services
Test your SSL Installation
Remote Desktop Gateway history and versions
Where to buy an SSL Certificate for Remote Desktop Services?

Generate a CSR Code for Remote Desktop Services

When applying for an SSL Certificate, you must generate a CSR code and submit it to the CA. The CSR carries the public key and the identifying details [host name, organization] of your gateway; the matching private key is created at the same time and never leaves the server. Depending on the version of your Remote Desktop Gateway server, you can create the CSR in the release of IIS that ships with the same version of Windows Server. IIS is available as a server role on every version of Windows Server, although it is not installed by default.

For instance, if you run RDS on Windows Server 2016, you will generate your CSR in IIS 10, which is included in Windows Server 2016. Generate the CSR on the gateway itself, so that the private key is already in place when the certificate arrives.

We’ve already written comprehensive guides on how to generate a CSR code on various IIS versions. Use the links below to find the relevant guide:

After you create your CSR and complete the SSL validation, the CA will send all the necessary certificate files to your inbox. You can now proceed to SSL installation.

Install an SSL Certificate on Remote Desktop Services

Before beginning the installation, make sure you have all the required SSL files.

  • Your server certificate: the certificate issued to the gateway, with a .cer or .crt extension. Extract it from the ZIP archive you received from your CA and save it on the gateway.
  • Your intermediate certificates: the .ca-bundle file from the same ZIP archive. Without these the gateway cannot send the full chain, and clients that do not already hold the intermediate will show a certificate warning.
  • Your private key: the .key file, generated along with your CSR code. If you generated the CSR in IIS on the gateway itself, the key never left the server; complete the certificate request in IIS Manager first, and the certificate will then appear together with its key in the Local Computer\Personal store.

The import step below expects a single .pfx file that bundles the certificate, the intermediates and the private key, protected by a password. If your CA delivered separate files, combine them first [OpenSSL's pkcs12 -export command does this from the .crt, .key and .ca-bundle files]. If the certificate is already in the Local Computer\Personal store with its private key, choose "Select an existing certificate for SSL encryption" on the same tab instead of importing it a second time.

  1. To open the Remote Desktop Gateway Manager, click Start > Administrative Tools > Remote Desktop Services > Remote Desktop Gateway Manager.
  2. In the Remote Desktop Gateway Manager console tree, right-click the RD Gateway server and select Properties.
  3. Click the SSL Certificate tab, then Import a certificate on the RD Gateway Certificates [Local Computer]\Personal store.
  4. Click Browse and import certificate.
  5. Locate your .pfx file and click Open.
  6. Enter the password that was set when the .pfx was exported.
  7. Click Import Certificate, then OK.
  8. Restart the Remote Desktop Gateway service [or the whole server] for the change to take effect.
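The same staging done from PowerShell, as an added example that is not part of the original guide: it imports the .pfx into the Local Computer\Personal store without marking the key exportable, splits the .ca-bundle into the Intermediate Certification Authorities store, and proves the chain builds for the gateway's public name before you select the certificate in RD Gateway Manager. The file paths and the host name are assumptions; adjust them to your files.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original guide. Stage the CA's files in the Windows certificate
# stores and verify the chain before touching RD Gateway Manager.
# The three paths and the host name are assumptions.

$PfxPath     = 'C:\certs\rdgateway.pfx'        # assumption: server cert + private key, password protected
$BundlePath  = 'C:\certs\rdgateway.ca-bundle'  # assumption: PEM file with the CA's intermediate cert(s)
$GatewayFqdn = 'rdgateway.example.com'         # assumption: the public name clients type into the RDP client

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Server certificate and private key go into Local Computer\Personal (Cert:\LocalMachine\My).
#    -Exportable is deliberately omitted so the key cannot be pulled back off the gateway later.
$serverCert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
if (-not $serverCert.HasPrivateKey) {
    throw 'The PFX imported without a private key; export it again from the machine where the CSR was generated.'
}

# 2. A .ca-bundle is one or more PEM certificates concatenated. Import-Certificate reads only a single
#    certificate or a .p7b, so split the file by hand and add each block to Intermediate Certification
#    Authorities (store name "CA"). The gateway needs these to send the full chain to clients.
$pem    = Get-Content -Path $BundlePath -Raw
$blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
$caStore = [System.Security.Cryptography.X509Certificates.X509Store]::new('CA', 'LocalMachine')
$caStore.Open('ReadWrite')
try {
    foreach ($block in $blocks) {
        $der = [Convert]::FromBase64String(($block.Groups[1].Value -replace '\s', ''))
        $ca  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        $caStore.Add($ca)
        "Intermediate staged: $($ca.Subject)  [$($ca.Thumbprint)]"
    }
}
finally {
    $caStore.Close()
}

# 3. Build the chain the way an RDP client or browser would, with the name clients connect to.
#    Test-Certificate writes a warning and returns $false when the chain is broken or the name does not match.
$chainOk = Test-Certificate -Cert $serverCert -Policy SSL -DNSName $GatewayFqdn -ErrorAction SilentlyContinue
if (-not $chainOk) {
    throw "Chain or name check failed for $($serverCert.Subject); do not bind this certificate yet."
}

"Ready to select in RD Gateway Manager: $($serverCert.Subject)"
"Thumbprint: $($serverCert.Thumbprint)  Expires: $($serverCert.NotAfter)"
```

Run it on the gateway, then pick the certificate with "Select an existing certificate for SSL encryption" on the SSL Certificate tab. In a full RDS deployment managed by a Connection Broker, the RemoteDesktop module's Set-RDCertificate -Role RDGateway -ImportPath and -Password parameters do the same import and binding in one step.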

Congratulations, now you know how to install an SSL Certificate on Remote Desktop Services.

Test your SSL Installation

After you install the SSL Certificate on RDS, open https:// followed by the gateway's public FQDN in a browser and check the padlock and certificate details. The gateway does not serve a web application, so the page itself may be empty or return an error; what matters is that the certificate presented on port 443 chains to a trusted root and that its name matches the FQDN clients use to connect. Even if everything displays correctly, run a thorough scan of the TLS configuration with an online SSL checker, which will pinpoint hidden errors such as a missing intermediate, an expiring certificate or weak protocol settings.
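A probe you can run from any Windows client, as an added example that is not part of the original guide: it opens a TLS connection to the gateway the way an RDP client or browser would, records the chain the client could build and the validation verdict, and flags the conditions a quick padlock check tends to hide. The host name is an assumption.

```powershell
# Added example, not from the original guide. Connect to the gateway over TLS and report
# what it presents. Host name is an assumption.
$GatewayFqdn = 'rdgateway.example.com'   # assumption: the name clients connect to
$Port        = 443

# The validation callback records the verdict and chain instead of aborting, so the report is complete.
$report = @{ Errors = $null; Chain = @() }
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $report.Errors = $sslPolicyErrors
    $report.Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    return $true
}

$tcp = [System.Net.Sockets.TcpClient]::new($GatewayFqdn, $Port)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $validate)
try {
    # The name passed here is sent as SNI and is what the certificate's SAN list is checked against.
    $ssl.AuthenticateAsClient($GatewayFqdn)
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    $san  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName

    "Protocol    : $($ssl.SslProtocol)"
    "Cipher      : $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
    "Subject     : $($leaf.Subject)"
    "Issuer      : $($leaf.Issuer)"
    "Validity    : $($leaf.NotBefore) to $($leaf.NotAfter)"
    "Thumbprint  : $($leaf.Thumbprint)"
    "SANs        : $(if ($san) { $san.Format($false) } else { '(none)' })"
    "Verdict     : $($report.Errors)"
    "Chain built :"
    $report.Chain | ForEach-Object { "    $($_.Subject)" }

    # Conditions a browser padlock can hide but that still produce warnings on RDP clients.
    if ($report.Errors -ne [System.Net.Security.SslPolicyErrors]::None) {
        Write-Warning "Clients will see a certificate warning: $($report.Errors)"
    }
    if (-not $san) {
        Write-Warning 'No subjectAltName extension; modern browsers ignore the CN and will reject this certificate.'
    }
    if ($report.Chain.Count -lt 2) {
        Write-Warning 'Chain stops at the leaf; the gateway is probably not sending the intermediate and this client does not have it.'
    }
    if ($leaf.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires on $($leaf.NotAfter); renew it."
    }
}
finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Run it from a machine that does not already hold the CA's intermediate in its own store; otherwise the chain check passes locally even when the gateway sends only the leaf.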

Remote Desktop Gateway history and versions

Remote Desktop Services [RDS] is the component of Microsoft Windows that lets users access a remote computer or virtual machine over a network connection. RDS was known as Terminal Services until Microsoft renamed it in 2009, with the release of Windows Server 2008 R2, which shipped the first version under the RDS name.

Remote Desktop Gateway allows authorized users to connect to virtual desktops, RemoteApp programs, and session-based desktops over a private network or the Internet. It tunnels RDP inside HTTPS on port 443, which is why the gateway needs a certificate that clients already trust. At the time of writing, there are four versions of Remote Desktop Gateway:

  • Remote Desktop Gateway 2019
  • Remote Desktop Gateway 2016
  • Remote Desktop Gateway 2012
  • Remote Desktop Gateway 2008

Where to buy an SSL Certificate for Remote Desktop Services?

If you’re looking for affordable SSL Certificates, then SSL Dragon is your best SSL vendor. Our intuitive and user-friendly website will walk you through the entire range of SSL Certificates. All our products are issued by reputable Certificate Authorities and are compatible with Remote Desktop Services. We offer the following SSL validation types:

We bring you the lowest prices on the market and dedicated customer support for any certificate you choose. And, if you're struggling to find the ideal cert for your website, use our SSL Wizard and Advanced Certificate Filter tools to get suggestions.

If you find any inaccuracies, or you have details to add to these SSL installation instructions, please feel free to send us your feedback at [email protected]. Your input would be greatly appreciated! Thank you.

One of the most popular posts of all time on my blog has been Create Trusted Remote Desktop Services [RDP] SSL Certificates for Windows 2008R2/2012/Win7. That article is a few years old, so I thought I would update it for Windows Server 2019 and Windows 10. The fundamentals have not changed, but I had a few requests for an updated post...so here it is! 

When you install Windows, it generates a self-signed certificate for use with RDP. A self-signed certificate cannot be validated by any client, so every connection produces a warning that users learn to click through, and nobody can tell a legitimate server from one impersonating it. Even if you install a Microsoft CA in your environment, the RDP certificates are not automatically replaced with trusted ones. This post will show you how to automate the distribution of trusted SSL certificates to the RDP service. As a result, you will no longer see the RDP certificate warning when you RDP into your servers.

The high level process is creating a new certificate authority template that's unique to RDP certificates. Next you setup a GPO to request these new certificate types, and finally on all servers covered by the GPO you now have a trusted RDP certificate. Fairly easy and once you configure it, you can forget about it. This blog post is based on Windows Server 2019, but the same steps work for Windows Server 2016 as well. The certificates are also good for Windows 10, if you need to RDP into a client OS [such as for VDI].

1. On your Microsoft certificate authority server open the Certificate Templates console.

2. Expand the CA and right click on Certificate Templates, then select Manage.

3. Right click on the Computer template and select Duplicate

4. Change the template display name to RemoteDesktopComputer [no spaces]. Verify the Template Name is exactly the same [no spaces]. You can use a different name if you want, but both fields must match exactly. Change the validity period to match your company policy. 

5. Now we need to create an application policy to limit the usage to RDS authentication, then remove the other application uses for the certificate. On the Extensions tab click on Application Policies then click on Edit.

6. Click on Add, then click on New.  Set the value of Name to Remote Desktop Authentication. Change the object identifier [OID] to 1.3.6.1.4.1.311.54.1.2.

7. From the Application Policies list, select Remote Desktop Authentication and click OK.

8. Back on the certificate template properties, remove all other entries. Only Remote Desktop Authentication should be present.

9. You probably want to secure your domain controllers as well, so for that we need to modify the security setting on the template. Domain controllers are not members of Domain Computers, so they would otherwise never be allowed to request this certificate. Open the Security tab, add the group Domain Controllers and give the group Enroll [not Autoenroll]; the RDS service itself requests the certificate once the GPO names the template. Close the template.

10. Open the MMC snap-in for managing your Certificate Authority and locate the Certificate Templates node. Right click, select New, then Certificate Template to Issue. Choose the RemoteDesktopComputer template.

1. Next up is configuring the GPO to utilize the new template. You can modify any GPO you wish, or create a new one. Obviously the scope of the GPO should cover any servers that you want to secure with TLS. 

2. In the GPO editor locate the node Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security. Modify the Server Authentication Certificate Template setting. Enable the policy and enter the certificate template name that exactly matches what you created in your CA.

3. In the same GPO node, configure Require use of specific security layer for remote [RDP] connections to use SSL. Without this setting the server may still negotiate the legacy RDP security layer, which never presents the certificate at all.
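The same two policy settings written from PowerShell with the GroupPolicy module, as an added example that is not part of the original post. Both settings live under the Terminal Services policy key as registry values, so Set-GPRegistryValue can set them on a domain controller or an RSAT workstation. The GPO name is an assumption; the third value [NLA] is not in the original post and is included because it is the usual companion to forcing TLS.

```powershell
# Added example, not from the original post. Run where the GroupPolicy module is available
# (a domain controller or a machine with RSAT). GPO name is an assumption.
Import-Module GroupPolicy

$GpoName      = 'RDP Trusted Certificates'   # assumption: an existing GPO linked to the servers' OU
$TemplateName = 'RemoteDesktopComputer'      # must match the template's Template Name field exactly
$PolicyKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# "Server authentication certificate template": the RDS service enrolls from this template.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'CertTemplateName' -Type String -Value $TemplateName

# "Require use of specific security layer for remote (RDP) connections": 0 = RDP, 1 = Negotiate, 2 = SSL (TLS).
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'SecurityLayer' -Type DWord -Value 2

# Not in the original post: "Require user authentication for remote connections by using NLA".
# Keeps credential pre-authentication on, so an attacker cannot reach the logon screen unauthenticated.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'UserAuthentication' -Type DWord -Value 1

# Read back exactly what the GPO will push, to catch a typo in the template name before it replicates.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey | Select-Object ValueName, Type, Value
```

After replication, gpupdate /force on a test server applies the values; the settings then appear as Enabled in the GPO editor node named above.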

4. Wait for the GPO to replicate, then refresh the GPO on a test server. Wait a minute, then open the Certificates MMC snap-in for the computer account. Look in the Personal\Certificates store for a certificate that has the Intended Purposes of Remote Desktop Authentication. If it's not there, wait a minute, and refresh. If it never appears, something is wrong. Look at the gpresult output to make sure your GPO is being applied to the server, and check the template's Enroll permission for the server's group.

5. To use the new certificate, restart the Remote Desktop Services service [TermService] or reboot. Restarting TermService disconnects active RDP sessions, so do it in a maintenance window.

6. Open the Certificate and look at the Thumbprint value. Remember the first few characters.

7. Open an elevated PowerShell prompt and run this command:

Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices

Validate that the SecurityLayer value is 2 [TLS] and that SSLCertificateSHA1Hash matches the thumbprint of the certificate you looked at in the previous step. If both of those settings are correct, then you are good to go! On current versions, Get-CimInstance with the same -Namespace and -ClassName arguments returns the same object.

8. From another domain-joined computer, RDP into this server and verify that you no longer get the certificate warning. In fact, it should just sail right through to your desktop. A non-domain client, or one that does not trust your CA's root, will still warn, which is the expected result.
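Steps 4 through 7 rolled into one check, as an added example that is not part of the original post: it reads the RDP-Tcp listener settings through CIM, finds the CA-issued certificates in Local Computer\Personal that carry only the Remote Desktop Authentication EKU [which is what step 8 of the template procedure produces], and reports whether the listener is bound to the newest of them. The -Fix switch is an assumption added here; it binds the newest template certificate and restarts TermService when the listener is still on the wrong one.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Verify (and optionally repair) the RDP listener
# certificate binding after the GPO has applied. The -Fix switch is an assumption.
param([switch]$Fix)

$RdpAuthEku = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication, the only EKU left on the template

# Listener settings. SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = TLS.
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName 'Win32_TSGeneralSetting' `
                            -Filter "TerminalName='RDP-Tcp'"

# Certificates the template could have produced: in Local Computer\Personal, with a private key,
# CA-issued (not self-signed) and carrying only the RDP EKU. Newest expiry first.
$candidates = @(Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object {
    $_.HasPrivateKey -and
    $_.Subject -ne $_.Issuer -and
    @($_.EnhancedKeyUsageList).Count -eq 1 -and
    $_.EnhancedKeyUsageList[0].ObjectId -eq $RdpAuthEku
} | Sort-Object -Property NotAfter -Descending)

"Security layer      : $($listener.SecurityLayer)"
"NLA required        : $($listener.UserAuthenticationRequired)"
"Listener thumbprint : $($listener.SSLCertificateSHA1Hash)"
"RDP-only certs      : $($candidates.Count)"
$candidates | ForEach-Object { "    $($_.Thumbprint)  $($_.Subject)  expires $($_.NotAfter)" }

$problems = @()
if ($listener.SecurityLayer -ne 2) {
    $problems += 'SecurityLayer is not 2; the "Require use of specific security layer" policy has not applied.'
}
if ($candidates.Count -eq 0) {
    $problems += "No CA-issued certificate with EKU $RdpAuthEku in LocalMachine\My; check gpresult and the template's Enroll permission."
}
elseif ($listener.SSLCertificateSHA1Hash -ne $candidates[0].Thumbprint) {
    $problems += "Listener uses $($listener.SSLCertificateSHA1Hash) but the newest template certificate is $($candidates[0].Thumbprint)."
    if ($Fix) {
        # SSLCertificateSHA1Hash is writable. TermService must restart to pick up the change,
        # which disconnects every active RDP session on this host.
        $listener | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $candidates[0].Thumbprint }
        Restart-Service -Name TermService -Force
        "Bound $($candidates[0].Thumbprint) to RDP-Tcp and restarted TermService."
    }
}

if ($problems.Count -eq 0) { 'OK: RDP-Tcp is using a template certificate over TLS.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Run it without -Fix first; a listener still on the self-signed certificate after a GPO refresh usually means TermService has not been restarted since enrollment, and the warning output tells you which of the three conditions is failing.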

The procedure for Windows Server 2019 and Windows 10 is basically the same as 5+ years ago when I documented it for Windows Server 2008 R2/2012/Win7. But it's good to validate that the procedure still works, and give the audience a fresh post. You can check out my 2013 post titled: Create Trusted Remote Desktop Services [RDP] SSL Certificate if you want it for 2008 R2/2012 servers.
