romatlo

How to install computer certificate?

Can anyone tell me how to create or install a certificate on my server?
Or get into Personal or Trusted certificate store?

I am trying to set up W2K8 R2 RDS connection manager and it requires that I install a digital certificate on my server.

I have a W2K8 R2 domain controller with Certificate services installed and a separate server with RDS connection manager role installed.
I am stuck at trying to install or add a digital certificate to sign

Could someone please give me the next steps?
rds.jpg
esmith69

romatlo

ASKER

Thank you for the response!
However, would you mind being more specific?
I have looked at a lot of these docs and I must admit that I am not good with certificate services and find it really confusing, etc.

I know that it must be something fairly simple for someone familiar with it?

I have CA role installed on domain controller and even gone through requesting cert from http://servername/certsrv but does not work for me.

Is the CA role installed on a computer running Server 2003?  If so, you'll need to follow this article as there is a known incompatibility when your CA runs 2003 but the OS of the server you're trying to generate a certificate for is running Vista or Server 2008.  http://go.microsoft.com/fwlink/?LinkId=94472

Assuming your CA is on a 2008 or later machine, then I'd need to know more detail about what part of the process fails.

Essentially there are two steps to the certificate process:  1) create the certificate request file (CSR)--basically just a text file with a bunch of gibberish that is actually unique to the computer it comes from, 2) process the CSR on your CA, which will then generate the certificate which you can install onto the server using the link I sent you in my first post.

Since you've already installed the remote desktop gateway manager, I believe the steps to create a CSR file for that would be as follows:  1) Open up the remote desktop gateway manager via administrative tools.  2) Highlight the server on the left, then select "view or modify certificate properties".  I think at that point it will give you the option to create a CSR that you can then send to a certification authority (in your case, your CA server).
romatlo

ASKER

Thanks esmith69!!

Yes, I am running CA role on W2K8 R2 and is also domain controller (and DHCP server).

Separate W2K8 R2 server with the following roles configured.
Remote Desktop services for virtual desktop
Remote Desktop Connection Manager

The first thing I did after the screenshot above, was go to http://server/certsrv and go through request, etc which seem to work, said install of cert was successful but I can not find it and still comes up empty like above.

I think I need to follow your steps by creating the cert first on CA, process it, etc.

Could you tell me how to do that?

Did you copy the request file to the CA and use it to generate a certificate file?  Once you do that and the certificate has been generated, you then just copy the certificate to the remote desktop server and use the connection manager utility to select the certificate file.
romatlo

ASKER

Ok, I went through my IE browser to request a new certificate and ended up naming it and downloading a certnew.crt file.  Is this what I copy to the CA to generate a new cert or is this it?
Where do I copy it to, and what are the steps in the CA to generate a certificate file?

See attachments.  I've already tried clicking on Install button, but still does not provide a cert for me to choose on the connection manager screen.
cert1.JPG
cert2.JPG
Ok, you need to take the file certnew.crt and copy it to your remote desktop connection manager server.  Then load up the console for the remote desktop connection manager (same place as where you went to create the certificate request file at the beginning).  There should be an option in there to install a certificate, and you then will point to the certnew.crt file.

romatlo

ASKER

I wish that worked, but it says none available and has to option to point it to file.  See attached cert3.jpg
I think it needs to be in the local computer trusted certificate store?

Could we forget the certnew.crt and start over?  I could start again from the RDS server submitting a new web request to my CA server.  See attached cert4.jpg

I appreciate the time, and likely drag into tomorrow :)  Thanks again.
cert3.JPG
cert4.JPG
What did you use to generate the CSR?  Was it within the RDS manager console?  If so, can you post a screenshot of that part of the process?
romatlo

ASKER

My first original step after the 1st screenshot at the top of this thread on RDS server was to:
- Install CA role on domain controller IP 10.1.2.2
- From RDS server IP 10.1.2.3 I browse to http://10.1.2.2/certsrv and made a new request.  But maybe I did it wrong!

So could I just start again a new request from IE or whatever step you think needs to be done first?

I believe the request has to come from the program or site that the certificate is to be for.  At least, that's usually how it's done with Windows servers and IIS.  You would go into that program and tell it you want to obtain a certificate, and sometimes it will send the request to your CA automatically, other times you have to manually copy and paste the contents of the request into that web-based utility and then it will process it.

When you logged in to the web-based CA page, did it tell you had pending certificate requests?
romatlo

ASKER

No message about pending requests.

Right, I am opening IE on my RDS server and browsing to my CA (installed on domain controller) at http://10.1.2.2/certsrv.
At the screen attached.  What next?

cert4.JPG
You would do "request a certificate", then it will have you copy and paste in the CSR from your 2008 server.
romatlo

ASKER

Ok, clicked on Request a Certificate, now click what? :)  User or advanced?
I know this seems tedious, but I really do not know how to work with certs.
See pic of where I am now...
cert5.JPG
Advanced certificate request, then on the next page choose the second option ("Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.")

Then, copy and paste your CSR into the box where it says "saved request"
romatlo

ASKER

Thank you so much for hanging in there.  I will continue this as soon as I can.  
romatlo

ASKER

Sorry, I am on that screen now, but do not even know what a CSR is or what to paste in the Saved Request box.  Could you tell me what that is so that I may paste it?

From what I read it is a file and I need to paste the content of that file in this box, but I do not have that file.  Could you tell me how to generate that first?

If you go into IIS and configure the default virtual directory for using an SSL certificate, it will go through the process of generating a CSR, which you then open up with notepad and copy/paste the contents into the certsrv page on your CA.

Here is an article that may help as well.  Specifically near the bottom it talks about how the certificate list in the RDC manager program gets populated.

http://technet.microsoft.com/en-us/library/ee216791.aspx
romatlo

ASKER

Thanks for the response.

I do not have the IIS role installed on this server.  This server has the RD Session Host Configuration and Remote Desktop Connection Manager installed (including Hyper-V).  I do have IIS installed on the domain controller (which is CA server) but SSL options are greyed out.  How else could I generate this file?

I do see the Note that says the list is populated from the Computer Certificate Store and Personal Certificate store.  That is what I am trying to do! :)  

I'll have to figure out how to award more points...

There is a way to generate a CSR from just PowerShell.  I need to look it up though.
OK, let's back up to using the certsrv web page.  Access that from your RDC server and go to "create and generate a certificate", then choose the option to "create and submit a request to this CA".  Then go down to the bottom and click the "submit" button and it will say the website wants to get a certificate on your behalf, just click yes/ok.
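
The two-step process described in this thread (create the request on the server, then have the CA issue the certificate) can also be run without IIS by using certreq.exe from PowerShell. The following is an added example, not part of the original posts; the host name, the CA config string and the WebServer template are placeholder assumptions. Because the request is created with MachineKeySet = TRUE, the issued certificate is installed in the local computer's Personal store rather than a user's store.

```powershell
# Added example. Run from an elevated PowerShell prompt on the RD server.
$fqdn     = 'rds01.example.local'            # placeholder: name clients use for the RD server
$caConfig = 'dc01.example.local\Example-CA'  # placeholder: "CAHostName\CAName"
$work     = Join-Path $env:TEMP 'rds-cert'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Request policy for certreq. MachineKeySet = TRUE creates the key pair in the
# computer context; Exportable = FALSE keeps the private key from being exported.
# The EKU OID below is Server Authentication. CertificateTemplate assumes an
# enterprise CA; remove the [RequestAttributes] section for a standalone CA.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$work\request.inf" -Encoding ASCII

# Step 1: create the CSR (a PKCS #10 file) and the matching private key.
certreq.exe -new "$work\request.inf" "$work\request.csr"
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# Step 2: send the CSR to the CA. If the CA holds the request as pending,
# no certificate file is written and it must be approved on the CA first.
certreq.exe -submit -config $caConfig "$work\request.csr" "$work\rds.cer"
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed' }

# Install the issued certificate and bind it to the key created in step 1.
certreq.exe -accept "$work\rds.cer"
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# Verify: the certificate should be in the computer store with a private key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```
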
romatlo

ASKER

Ok thanks, I did that.  Should I click Install this certificate?


cert7.JPG
sure
romatlo

ASKER

Ok, it says "Your new certificate has been successfully installed".
What next? :)

Go back to the RDC manager program and see if it lets you choose the certificate.
romatlo

ASKER

Still says it's empty :(  
ASKER CERTIFIED SOLUTION
esmith69
romatlo

ASKER

Ok thanks.  I am not sure what or why the instructions are asking me to go through those steps to select a signed cert for connection manager.

Although, I am installing in stages and do plan to implement Remote App access at some point.  I just have not got to that yet.

I will try a few other things and maybe move on in the install and see if works when I install the Remote App role or whatever.

I will close this thread and award your points.  Maybe we can pick it back up when I start a new thread :)

Thanks again!