Register TLS certificate with Remote Desktop Service using PowerShell

By Vadims Podāns | July 6, 2021 | 11

Hello everyone! This is a quick blog post that shows how to register a TLS certificate with Remote Desktop Services (RDS).

Starting with Windows Server 2008 R2 it became extremely easy to deploy RDS certificates to AD hosts from a private CA using group policies and Microsoft CA. Since then, RDS over TLS should be a baseline configuration in any Active Directory environment. If for some reason a certificate is not configured using GPO, an autogenerated self-signed certificate is used, which raises warning dialogs for connecting users. With GPO you don't have to care about certificate lifecycle management (installation, configuration, renewal), and everything works without warning dialogs, because GPO certificates are issued by a centrally managed enterprise CA that domain members already trust.

However, it is not always possible to use GPO. The RDS certificate GPO is simple to configure, and that simplicity limits its settings:

  • the certificate is issued for the RDS host name only
  • all connecting clients must trust the enterprise CA certificate

There are legitimate scenarios in which administrators need a custom certificate, possibly with additional names in the Subject Alternative Name (SAN) extension, or one issued by a 3rd-party CA. Prior to Windows Server 2012 you could install a 3rd-party certificate and associate it with Remote Desktop Services using the Remote Desktop Session Host Configuration MMC snap-in.

This MMC snap-in was removed in Windows Server 2012 and later OS versions, and it was never available on client operating systems. This makes it a bit complicated to configure RDS to use a custom certificate installed in the certificate store. Fortunately, the setting can be automated through the WMI Win32_TSGeneralSetting class as follows:

$path = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash="$Thumbprint"}

The first line retrieves the WMI path of the RDS connection (listener). By default it is RDP-tcp; specify a custom RDS connection name if a non-default connection must be configured. In the second line, specify the TLS certificate's SHA1 thumbprint. It must be exactly 40 hexadecimal characters with no spaces or control characters, for example 09d1a73113ceeae873d005a80e62699aa2d0bf05 (thumbprints copied from the certificate MMC often carry a hidden leading character, so paste them carefully). You don't need to restart anything: the setting is applied immediately to any new connection, and existing connections are not affected. This script can be used on client operating systems as well.

To clarify, a certificate must meet the following requirements to be usable by RDS:

  1. The certificate is installed in the computer's Personal certificate store.
  2. The certificate has a corresponding private key.
  3. The Enhanced Key Usage extension contains either Server Authentication or Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2). Certificates without an Enhanced Key Usage extension can be used as well.
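
The script below is an added example, not code from the original post. It checks the three requirements above against the certificate in the machine store, normalises the thumbprint to the 40-hex-character form the listener expects, binds the certificate with the same Win32_TSGeneralSetting call shown earlier, and reads the property back to confirm the binding took. The script file name, the -TerminalName parameter and the placeholder thumbprint in the usage line are assumptions for this example. Run it from an elevated Windows PowerShell 5.1 prompt: Get-WmiObject and Set-WmiInstance are not available in PowerShell 7.

```powershell
# Added example, not from the original post: validate a certificate against the
# three RDS requirements above and bind it to an RDS listener via WMI.
# Run from an elevated Windows PowerShell 5.1 session on the RDS host.
# Usage:  .\Set-RdsCertificate.ps1 -Thumbprint 09d1a73113ceeae873d005a80e62699aa2d0bf05
# (file name, parameter names and the thumbprint above are assumptions for this example)
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,
    # RDS connection (listener) name; RDP-tcp is the default listener.
    [string]$TerminalName = 'RDP-tcp'
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication
$RdsAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication

# Thumbprints pasted from the certificate MMC often carry spaces or an invisible
# leading character; strip anything that is not a hex digit, then require 40 chars.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) {
    throw "Thumbprint must be 40 hexadecimal characters, got $($Thumbprint.Length)."
}

# Requirement 1: the certificate is in the computer's Personal store.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My."
}

# Requirement 2: the certificate has a corresponding private key
# (a PFX was imported, not just a .cer).
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key."
}

# Requirement 3: either no EKU extension at all, or an EKU that includes
# Server Authentication or Remote Desktop Authentication.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku) {
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if (($oids -notcontains $ServerAuthOid) -and ($oids -notcontains $RdsAuthOid)) {
        throw "EKU ($($oids -join ', ')) has neither Server Authentication nor Remote Desktop Authentication."
    }
}

# Not an RDS requirement, but worth surfacing: an expired or not-yet-valid
# certificate binds fine and then produces the very warning we are trying to avoid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    Write-Warning "Certificate validity is $($cert.NotBefore) to $($cert.NotAfter); clients will warn."
}

# Bind the certificate: the same Win32_TSGeneralSetting call as in the post.
$listener = Get-WmiObject -Class 'Win32_TSGeneralSetting' `
    -Namespace 'root\cimv2\terminalservices' -Filter "TerminalName='$TerminalName'"
if (-not $listener) {
    throw "RDS connection '$TerminalName' not found."
}
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null

# Read the property back. New connections use it immediately; existing ones are unaffected.
$applied = (Get-WmiObject -Class 'Win32_TSGeneralSetting' `
    -Namespace 'root\cimv2\terminalservices' -Filter "TerminalName='$TerminalName'").SSLCertificateSHA1Hash
if ($applied -ne $Thumbprint) {
    throw "Binding failed: listener '$TerminalName' reports '$applied'."
}
Write-Host "Listener '$TerminalName' now presents '$($cert.Subject)' ($Thumbprint)."
```

One caveat the three requirements do not spell out: the Remote Desktop Services service runs as NETWORK SERVICE, so that account needs Read permission on the certificate's private key. If the script reports success but clients still receive the self-signed certificate, check the private key's ACL (Manage Private Keys in the certificate MMC) before looking anywhere else.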

Happy scripting with PowerShell!

Posted in certificates, PowerShell, RDP

About Vadims Podāns

Senior PKI Developer

