Solved

How to install computer certificate?

Posted on 2010-09-20
Last Modified: 2013-11-21
Can anyone tell me how to create or install a certificate on my server?
Or get into Personal or Trusted certificate store?

I am trying to set up W2K8 R2 RDS connection manager and it requires that I install a digital certificate on my server.

I have a W2K8 R2 domain controller with Certificate services installed and a separate server with RDS connection manager role installed.
I am stuck at trying to install or add a digital certificate to sign

Could someone please give me the next steps?
rds.jpg
Question by:romatlo
 
LVL 9

Expert Comment

by:esmith69
ID: 33720122
0
 

Author Comment

by:romatlo
ID: 33727858
Thank you for the response!
However, would you mind being more specific?
I have looked at a lot of these docs and I must admit that I am not good with certificate services and find it really confusing, etc.

I know that it must be something fairly simple for someone familiar with it?

I have CA role installed on domain controller and even gone through requesting cert from http://servername/certsrv but does not work for me.
0
 
LVL 9

Expert Comment

by:esmith69
ID: 33729256
Is the CA role installed on a computer running Server 2003?  If so, you'll need to follow this article as there is a known incompatibility when your CA runs 2003 but the OS of the server you're trying to generate a certificate for is running Vista or Server 2008.  http://go.microsoft.com/fwlink/?LinkId=94472

Assuming your CA is on a 2008 or later machine, then I'd need to know more detail about what part of the process fails.

Essentially there are two steps to the certificate process:  1) create the certificate request file (CSR)--basically just a text file with a bunch of gibberish that is actually unique to the computer it comes from, 2) process the CSR on your CA, which will then generate the certificate which you can install onto the server using the link I sent you in my first post.

Since you've already installed the remote desktop gateway manager, I believe the steps to create a CSR file for that would be as follows:  1) open up the remote desktop gateway manager via administrative tools.  2) Highlight the server on the left, then select "view or modify certificate properties".  I think at that point it will give you the option to create a CSR that you can then send to a certification authority (in your case, your CA server).
0
 

Author Comment

by:romatlo
ID: 33736731
Thanks esmith69!!

Yes, I am running CA role on W2K8 R2 and is also domain controller (and DHCP server).

Separate W2K8 R2 server with the following roles configured.
Remote Desktop services for virtual desktop
Remote Desktop Connection Manager

The first thing I did after the screenshot above, was go to http://server/certsrv and go through request, etc which seem to work, said install of cert was successful but I can not find it and still comes up empty like above.

I think I need to follow your steps by creating the cert first on CA, process it, etc.

Could you tell me how to do that?
0
 
LVL 9

Expert Comment

by:esmith69
ID: 33737032
Did you copy the request file to the CA and use it to generate a certificate file?  Once you do that and the certificate has been generated, you then just copy the certificate to the remote desktop server and use the connection manager utility to select the certificate file.
0
 

Author Comment

by:romatlo
ID: 33737560
Ok, I went through my IE browser to request a new certificate and ended up naming it and downloading a certnew.crt file.  Is this what I copy to the CA to generate a new cert or is this it?
Where do I copy it to and what are the steps in the CA to generate a certificate file?

See attachments.  I've already tried clicking on Install button, but still does not provide a cert for me to choose on the connection manager screen.
cert1.JPG
cert2.JPG
0
 
LVL 9

Expert Comment

by:esmith69
ID: 33737963
Ok, you need to take the file certnew.crt and copy it to your remote desktop connection manager server.  Then load up the console for the remote desktop connection manager (same place as where you went to create the certificate request file at the beginning).  There should be an option in there to install a certificate, and you then will point to the certnew.crt file.

0
 

Author Comment

by:romatlo
ID: 33738539
I wish that worked, but it says none available and has to option to point it to file.  See attached cert3.jpg
I think it needs to be in the local computer trusted certificate store?

Could we forget the certnew.crt and start over?  I could start again from the RDS server submitting a new web request to my CA server.  See attached cert4.jpg

I appreciate the time, and likely drag into tomorrow :)  Thanks again.
cert3.JPG
cert4.JPG
0
 
LVL 9

Expert Comment

by:esmith69
ID: 33738639
What did you use to generate the CSR?  Was it within the RDS manager console?  If so, can you post a screenshot of that part of the process?
0
 

Author Comment

by:romatlo
ID: 33738810
My first original step after the 1st screenshot at the top of this thread on RDS server was to:
- Install CA role on domain controller IP 10.1.2.2
- From RDS server IP 10.1.2.3 I browse to http://10.1.2.2/certsrv and made a new request.  But maybe I did it wrong!

So could I just start again a new request from IE or whatever step you think needs to be done first?
0
 
LVL 9

Expert Comment

by:esmith69
ID: 33739268
I believe the request has to come from the program or site that the certificate is to be for.  At least, that's usually how it's done with Windows servers and IIS.  You would go into that program and tell it you want to obtain a certificate, and sometimes it will send the request to your CA automatically, other times you have to manually copy and paste the contents of the request into that web-based utility and then it will process it.

When you logged in to the web-based CA page, did it tell you that you had pending certificate requests?
0
 

Author Comment

by:romatlo
ID: 33748256
No message about pending requests.

Right, I am opening IE on my RDS server and browsing to my CA (installed on domain controller) at http://10.1.2.2/certsrv.
At the screen attached.  What next?

cert4.JPG
0
 
LVL 9

Expert Comment

by:esmith69
ID: 33748276
You would do "request a certificate", then it will have you copy and paste in the CSR from your 2008 server
0
 

Author Comment

by:romatlo
ID: 33755113
Ok, clicked on Request a Certificate, now click what? :)  User or advanced?
I know this seems tedious, but I really do not know how to work with certs.
See pic of where I am now...
cert5.JPG
0

 
LVL 9

Expert Comment

by:esmith69
ID: 33756109
advanced certificate request, then on the next page choose the second option ("Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.")

Then, copy and paste your CSR into the box where it says "saved request"
0
 

Author Comment

by:romatlo
ID: 33756785
Thank you so much for hanging in there.  I will continue this as soon as I can.  
0
 

Author Comment

by:romatlo
ID: 33771107
Sorry, I am on that screen now, but do not even know what a CSR is or what to paste in the Saved Request box.  Could you tell me what that is so that I may paste it?

From what I read it is a file and I need to paste the content of that file in this box, but I do not have that file.  Could you tell me how to generate that first?
0
 
LVL 9

Expert Comment

by:esmith69
ID: 33772699
If you go into IIS and configure the default virtual directory for using an SSL certificate, it will go through the process of generating a CSR, which you then open up with notepad and copy/paste the contents into the certsrv page on your CA.

Here is an article that may help as well.  Specifically near the bottom it talks about how the certificate list in the RDC manager program gets populated.

http://technet.microsoft.com/en-us/library/ee216791.aspx
0
 

Author Comment

by:romatlo
ID: 33772993
Thanks for the response.

I do not have the IIS role installed on this server.  This server has the RD Session Host Configuration and Remote Desktop Connection Manager installed (including Hyper-V).  I do have IIS installed on the domain controller (which is CA server) but SSL options are greyed out.  How else could I generate this file?

I do see the Note that says the list is populated from the Computer Certificate Store and Personal Certificate store.  That is what I am trying to do! :)  

I'll have to figure out how to award more points...
0
 
LVL 9

Expert Comment

by:esmith69
ID: 33773090
there is a way to generate a CSR from just powershell.  I need to look it up though.
0
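Added example, not part of the original thread and not code from either participant: one way to carry out the two steps described earlier (create the CSR, then have the CA process it) without IIS, by driving `certreq.exe` from an elevated PowerShell prompt on the RDS server. The FQDN, the CA config string, the `WebServer` template and the Server Authentication EKU are assumptions; substitute the values for your own CA and check the TechNet article linked above for what the console accepts.

```powershell
# Added example; run elevated on the RDS server. Names below are placeholders.
$fqdn     = 'rds01.example.local'            # hypothetical server FQDN
$caConfig = 'dc01.example.local\Example-CA'  # hypothetical "CAHost\CAName"
$template = 'WebServer'                      # assumed template this machine may enroll in
$work     = Join-Path $env:TEMP 'rds-cert'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Step 1: build the request. MachineKeySet = TRUE creates the private key in the
# local computer store instead of the logged-on user's store.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication (assumed EKU)
"@
Set-Content -Path "$work\request.inf" -Value $inf -Encoding ASCII
certreq.exe -new "$work\request.inf" "$work\request.csr"
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# Step 2: submit the CSR to the CA and save the issued certificate.
certreq.exe -submit -config $caConfig -attrib "CertificateTemplate:$template" "$work\request.csr" "$work\issued.cer"
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed or the request is pending' }

# Step 3: bind the issued certificate to the private key created in step 1.
certreq.exe -accept "$work\issued.cer"
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# Check: list what is now in the local computer Personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $eku = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    New-Object PSObject -Property @{
        Subject       = $_.Subject
        HasPrivateKey = $_.HasPrivateKey
        NotAfter      = $_.NotAfter
        EKU           = ($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.FriendlyName }) -join ', '
    }
}
```

A certificate that shows `HasPrivateKey = False`, or that appears only under `Cert:\CurrentUser\My`, is not in the computer's Personal store with its key.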
 
LVL 9

Expert Comment

by:esmith69
ID: 33773163
OK, let's back up to using the certsrv web page.  Access that from your RDC server and go to "create and generate a certificate", then choose the option to "create and submit a request to this CA".  Then go down to the bottom and click the "submit" button and it will say the website wants to get a certificate on your behalf, just click yes/ok.
0
 

Author Comment

by:romatlo
ID: 33773221
Ok thanks, I did that.  Should I click Install this certificate?


cert7.JPG
0
 
LVL 9

Expert Comment

by:esmith69
ID: 33773405
sure
0
 

Author Comment

by:romatlo
ID: 33773435
Ok, it says "Your new certificate has been successfully installed".
What next? :)
0
 
LVL 9

Expert Comment

by:esmith69
ID: 33774006
Go back to the RDC manager program and see if it lets you choose the certificate
0
 

Author Comment

by:romatlo
ID: 33774596
Still says it's empty :(  
0
 
LVL 9

Accepted Solution

by:
esmith69 earned 500 total points
ID: 33775303
You don't actually NEED to install a certificate for RDS Connection Manager.  If you use the web access component, then yes you'd need a certificate to secure the site, but you said you don't have IIS installed on this server so I am assuming you're not using the web access piece.

You only need the security certificate if you want to be able to digitally sign the RDC files when distributing them to clients.  It could be that the type of certificate that you created using the certsrv site is not quite what RDS connection manager is looking for.
0
 

Author Comment

by:romatlo
ID: 33783135
Ok thanks.  I am not sure what or why the instructions are asking me to go through those steps to select a signed cert for connection manager.

Although, I am installing in stages and do plan to implement Remote App access at some point.  I just have not got to that yet.

I will try a few other things and maybe move on in the install and see if works when I install the Remote App role or whatever.

I will close this thread and award your points.  Maybe we can pick it back up when I start a new thread :)

Thanks again!
0
