In this post I’ll go through the process to implement certificates in a Microsoft RDS farm with Windows 2008 R2. It assumes that the RDS Gateway, Session Broker, Web Access and Session Host servers are installed and configured with remote apps already working.
The process describes how to generate the certificate request from a Windows 2008 R2 server, generate a Personal Information Exchange (.PFX) certificate so the same certificate can be used to sign RDP files on the other servers that are part of the same RDS farm, and configure the RDP connection and RemoteApp to use the certificate for server authentication and for signing RDP files.
Note that when the Personal Information Exchange file is generated the private key is removed from the server where the certificate was requested and is kept only in the password-protected .PFX file; this is done to protect the certificate's private key.
Creating a Certificate Signing Request
Open Microsoft Management Console (mmc) and add the Certificates snap-in configured for the local computer. From the Personal store under Certificates (Local Computer) select All Tasks\Advanced Operations\Create Custom Request…
This will bring up the Certificate Enrollment window. Press Next once and it will prompt you to Select Certificate Enrollment Policy. Select Proceed without enrollment policy under Custom Request. On the Custom Request page select the following options:
- Template: (No Template) Legacy key
- Request format: PKCS #10
UPDATE: if you still have XP clients on your network then select CNG key in the Template field, as per Rod's comment below.
On the Subject tab you will need to add the following properties; they are shown below with example values only. The Common Name is the FQDN of the RDS farm:
- Common Name (CN) = rds.lab.local
- Organizational Unit (OU) = IT
- Organization (O) = The sheep network
- Locality (L) = London
- Country (C) = GB
Unless the RDS farm name changes or the certificate expires, the CSR only needs to be completed once. After the certificate request is signed by a Certification Authority (CA), whether Entrust or a private CA, the same certificate can be used on the other RDS servers; but it must first be installed on the server where the request was made so it can be exported together with its private key, and it is this certificate with the private key (.pfx) that will be imported on the other RDS servers in the farm.
Once the certificate has been issued by the CA it will need to be imported into the server where the certificate request was generated.
If the import was successful you will notice that the certificate in the store has a small key on its icon; if this isn't the case then this server isn't the one where the request was created and the certificate should be removed.
Export Personal Information Exchange (.PFX)
In order for a certificate to be used for code signing it needs to have a private key. This is available on the server where the certificate was requested and imported, and it is identified by a small key on the certificate icon in the Personal store. To start the export select the certificate, right-click and select All Tasks\Export…
Note the presence of a key on the certificate icon.
Select Personal Information Exchange – PKCS #12 (.PFX) as the Export File Format, tick Include all certificates in the certification path if possible and Delete the private key if the export is successful.
Keep the password and .PFX in a safe location as they are required to install the certificate on other machines.
Import Personal Information Exchange (.PFX)
To import the Personal Information Exchange certificate use the same procedure as described in Import Certificate, but select the .pfx file when prompted in File to Import; if using Browse, change the file type to Personal Information Exchange.
Refer to Import Certificate for further instructions.
Signing RDP files
A Windows Security window will pop up with a list of valid certificates; select the certificate generated previously and press OK.
RDP server authentication
This will change the certificate presented to the clients by the RDS server.
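The whole flow above (custom request, PFX export, import on the other farm members, RDP file signing and server authentication) can also be scripted with the in-box Windows Server 2008 R2 tools. This is an added example, not code from the original post: the farm name, subject values, C:\RdsCert working folder, file names and the PFX password are placeholders, and the Win32_TSGeneralSetting WMI write is the scripted equivalent of the RD Session Host Configuration step the post performs in the GUI.

```powershell
# Added example, not from the original post. Placeholders: $FarmFqdn, the subject values,
# $WorkDir, issued.cer and the PFX password. certreq, certutil and rdpsign are in-box tools.
$FarmFqdn = 'rds.lab.local'
$WorkDir  = 'C:\RdsCert'

function New-RdsFarmCsr {
    # Run once, on the server that will own the private key (the CSR step of the post).
    # KeySpec=1 with a CryptoAPI CSP is the "(No Template) Legacy key" wizard choice.
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    @"
[NewRequest]
Subject = "CN=$FarmFqdn, OU=IT, O=The sheep network, L=London, C=GB"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
"@ | Set-Content -Path "$WorkDir\request.inf" -Encoding ASCII
    certreq.exe -new "$WorkDir\request.inf" "$WorkDir\request.csr"   # submit request.csr to the CA
}

function Export-RdsFarmPfx([string]$PfxPassword) {
    # Same server, after the CA returns issued.cer: pair it with the key (key icon), then export.
    certreq.exe -accept "$WorkDir\issued.cer"
    certutil.exe -p $PfxPassword -exportPFX MY $FarmFqdn "$WorkDir\$FarmFqdn.pfx"
    # Unlike the MMC wizard, certutil does not delete the private key afterwards; remove the
    # certificate and key by hand if you follow the post's advice of keeping the key in the .pfx only.
}

function Install-RdsFarmPfx([string]$PfxPassword) {
    # On every other farm member: import the .pfx into the local machine's Personal (MY) store.
    certutil.exe -p $PfxPassword -importPFX "$WorkDir\$FarmFqdn.pfx"
}

function Set-RdsFarmCertificate {
    # Sign the RDP files and make the RDP-Tcp listener present the farm certificate.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$FarmFqdn*" -and $_.HasPrivateKey } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for $FarmFqdn in LocalMachine\My" }
    Get-ChildItem "$WorkDir\*.rdp" | ForEach-Object { rdpsign.exe /sha1 $cert.Thumbprint /q $_.FullName }
    $rdp = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $rdp.SSLCertificateSHA1Hash = $cert.Thumbprint   # the thumbprint of the farm certificate
    $rdp.Put() | Out-Null
}
```

Call New-RdsFarmCsr and Export-RdsFarmPfx on the requesting server, then Install-RdsFarmPfx and Set-RdsFarmCertificate on each farm member; the .pfx and its password travel between servers only through the path you choose to protect.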