Server 2003 Remote Desktop SSL Setup

I have purchased a single domain standard SSL from GoDaddy. I used IIS6 on Server 2003 to generate a CSR from the default website. I have downloaded my certificates, but they aren't available in the certificate import list of the RDC-TCP connector in Terminal Services Configuration. My question is how do I import it correctly so that the certificate is available in the list to use?

What am I doing wrong? I tried using the attached document, but it seems to only apply to Server 2008.

David Paris Vicente (Systems and Communications Administrator) commented:

Can you see if this can apply to you -> Configuring Remote Desktop certificates

If not let us know.

chipsnetwork (Author) commented:
Most of these steps have gone fine, until I reach the "Publishing the “RemoteDesktopComputer” certificate template:" section.

Step 3 says "The “Enable Certificate Templates” dialog box appears. Select “RemoteDesktopComputer”, and then click “OK.”"

My created RemoteDesktopComputer template is not in the list of available templates.

It is available in the MMC snap-in under Certificate Templates, where the instructions say to create it, but not listed under the Certificate Authority MMC snap-in, that Step 1 instructs to look for it.
David Paris Vicente (Systems and Communications Administrator) commented:
Hi chipsnetwork.

Sorry I led you into error. Apologies. I thought that you wanted to implement the certificate by GPO.

GoDaddy sent you the info for another version of IIS.

Do you already have the certificates from GoDaddy?

If yes, you can check here how to install the Intermediate SSL Certificate and the Primary Certificate -> Installing an SSL Certificate in Microsoft IIS 5 & 6
And follow the screen by screen.
On step 11 of "To Install the Primary SSL Certificate" choose port 443, which is the default port for encrypted connections.

If not, do this since you already have the CSR file -> Generating a Certificate Signing Request (CSR) - IIS 5 and 6
And follow the screen by screen.

And please disregard my previous post.

Sorry for my mistake.

chipsnetwork (Author) commented:
Thank you, but how does installing an SSL into IIS secure the RDP connections to my terminal server? These instructions seem to only apply to securing a web site.
David Paris Vicente (Systems and Communications Administrator) commented:
I thought the connection was going to be by browser, because GoDaddy sent you the config for installing on IIS.

So you have a Terminal Licensing server installed on your network and want to configure the RDP-TCP connections. Go to your terminal server, choose Properties, General tab, and follow from step 2, since you already have the certificates and want to use the RDP connections: How to configure a Windows Server 2003 terminal server to use TLS for server authentication

Let me know

chipsnetwork (Author) commented:
These steps look a lot closer to the right answer, but I've not yet been able to create a certificate signing request for server authentication to submit to GoDaddy from the CA because the only option available to me during the CSR process is computer certificate. Server Authentication is simply not available as an option.

Using this article -

Step 6 under "Submit a computer certificate request by using the Certificate Request Wizard" states that I should choose "Server Authentication" under certificate type, but "Computer" is my only available certificate type to choose from.

I simply cannot create the appropriate certificate request type that is required to implement into the RDP-TCP connector in order to enable TLS 1.0.

I keep hitting brick walls and missing setting options with all of these articles.
David Paris Vicente (Systems and Communications Administrator) commented:
Hi chipsnetwork.

OK, if I understand, you want to create the CSR for GoDaddy, right?
So first you need to follow this to generate the request and send it to GoDaddy, and this has to be done on the IIS server: Generate CSR for Godaddy. You can read the steps or follow the green button where it says Screen By Screen.

After this a file is created. You have to open that file and copy all the info to send to GoDaddy.
On GoDaddy's website, there should be an option to choose what kind of certificate you want; in your case it is for Server Authentication, but it is better to talk with GoDaddy about this process and explain what you really want.

After they send you the certificate, proceed to step 2 on this site: Install certificate on your terminal server.

If you have more questions, post them here.

chipsnetwork (Author) commented:
Thanks. Just got off of the phone with GoDaddy. They looked at my SSL and assured me that I have the correct certificate. It just simply isn't available in the selection window of the certificate edit section of the RDP-TCP connector general tab.
David Paris Vicente (Systems and Communications Administrator) commented:

So you have to install it; for that, follow the second link and look for step 2.

chipsnetwork (Author) commented:
I followed step 2 very closely. I'm telling you that the certificate is downloaded from GoDaddy to my server. I have imported it as a Server Authentication certificate in the Certificates MMC console snap-in, but it is not in the list of certificates available to choose in the RDP-TCP connection properties when I click the edit button beside certificates in the general tab. GoDaddy tells me they don't know how to tell me to make this work. When I create a self-signed certificate, everything works according to the instructions you provided. Unfortunately, a self-signed certificate isn't adequate for compliant TLS.
chipsnetwork (Author) commented:
Your second link is the same as the first link.
David Paris Vicente (Systems and Communications Administrator) commented:
You are right, I pointed to the same link.

Probably because you are installing the certificate in the user account and not in the computer account.

Let's do this on the computer where you want to install the certificate:
1. Click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. Click Add, click Certificates, and then click Add.
4. Click Computer account, and then click Next.
5. Click Finish.
6. In the Add Standalone Snap-in dialog box, click Close, and then click OK in the Add/Remove Snap-in dialog box.
7. Under Console Root, click Certificates (Local Computer).
8. Choose Personal -> Certificates and see if there are any certificates with the same name as the certificate that you received from GoDaddy. If not, continue to step 9.
9. Right-click Certificates -> All Tasks -> Import.
10. A new window will appear; click Next.
11. Browse to the location of the downloaded certificate (this certificate probably has the name of the machine).
12. Place the certificate in the following store -> Personal -> Next.
13. Finish -> Don't close the snap-in.

The certificate will be installed for that computer.

You also have to confirm that the intermediate certificate for GoDaddy is installed.
For that, choose Intermediate Certification Authorities -> Certificates in the snap-in.
Check if the company that created the certificate is there; in your case it is GoDaddy. If not, do the following steps.

In the same snap-in:
1. Right-click the Intermediate Certification Authorities folder, mouse-over All Tasks, and then click Import. The Certificate Import Wizard displays.
2. Click Next.
3. Click Browse to find the certificate file.
4. In the Open window, select *.p7b for the Files of type.
5. Select the appropriate intermediate certificate file, and then click Open.
6. In the Certificate Import Wizard window, click Next.
7. Select Place all certificates in the following store, and then click Browse.
8. In the Select Certificate Store window, select Intermediate Certification Authorities, and then click OK.
9. In the Certificate Import Wizard, click Next.
10. Click Finish, and then click OK.

After this, please check the terminal server and see if the certificate appears when you choose the edit option.


chipsnetwork (Author) commented:
I ended up finding out why the certificate was not available in the edit menu. Since the original CSR was requested through my server's IIS6 default website, I had to use that same process for installing the certificate. If I simply imported the certificate into the personal, and intermediate locations described above, the private key was missing from the certificate. I am going to flag your answer as the accepted solution simply because your instructions were very helpful in getting me to the right solution.
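
The check implied by the resolution above, as an added example that is not part of the original thread: it lists the certificates in the Local Computer Personal store and reports which ones lack a private key or the Server Authentication purpose. It assumes PowerShell 2.0 or later has been installed on the terminal server; the function names are made up for this illustration.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+ on the terminal server.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication purpose

# Hypothetical helper: collect the Enhanced Key Usage OIDs of one certificate.
function Get-CertEkuOids {
    param($Cert)
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    return ,$oids
}

# Hypothetical helper: one report row per certificate in Local Computer\Personal.
function Get-RdpCertReport {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            $problems = @()
            # An imported .cer/.p7b carries no key; the key stays with the pending
            # request on the machine (here: the IIS6 site) that generated the CSR.
            if (-not $cert.HasPrivateKey) {
                $problems += 'no private key: complete the pending request where the CSR was generated'
            }
            if ((Get-CertEkuOids $cert) -notcontains $ServerAuthOid) {
                $problems += 'Server Authentication purpose not listed'
            }
            $now = Get-Date
            if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
                $problems += 'outside validity period'
            }
            $status = if ($problems.Count -eq 0) { 'OK' } else { $problems -join '; ' }
            New-Object PSObject -Property @{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Status     = $status
            }
        }
    } finally {
        $store.Close()
    }
}

Get-RdpCertReport | Format-List Subject, Thumbprint, NotAfter, Status
```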
David Paris Vicente (Systems and Communications Administrator) commented:
Glad to hear that.

Best wishes

chipsnetwork (Author) commented:
I was led in the right direction, but not quite to the final answer by the suggestions. I am also marking my answer as the solution because I in fact found the solution on my own in the end.