Solved

Windows 2012 R2 RDS Certificates

Posted on 2014-09-03
8
452 Views
1 Endorsement
Last Modified: 2014-09-03
Hello

I am deploying a Windows 2012 R2 RDS farm, I have got the point where I need to install certificates, the servers are:

RDSBrok01 + Web
RDSBrok02
RDSH01
RDSH02
RDSH03

I am a little confused where I generate the certificate request from, do I just go into RDSBrok01 and generate from IIS?  I want to use a Wildcard cert from Digicert as well, the company I work for already has one of these and I can get a copy from their website.  The bit I am not sure about is when I generate the cert request does it matter what details I put in the Common Name for example and does it matter that I generated it from just the one server in the farm?

Thanks
1
Comment
Question by:vision_on
  • 4
  • 4
8 Comments
 
LVL 8

Accepted Solution

by:
Wilder_Admin earned 500 total points
ID: 40300396
On which computer you generate the request does not matter. What Remote Desktop cares about is that it's a Server Authentication certificate, the FQDN is either in the Subject Name, or SAN, and that the certificate is trusted.

RDS accepts wildcard certs but Lync2013 for example not.
0
 
LVL 1

Author Comment

by:vision_on
ID: 40300422
Hello Wilder Admin

Thanks for your reply, so because I intend to use a wildcard cert, that will be *.companyname.gov.uk, the Subject name and SAN both contain this, so I assume that this will be ok for Single Sign On, Publishing and Web Access.  At the moment there is no external access just internal clients.

Just so I am clear, when I go through the certificate request wizard, it asks for "Common Name", it does not matter what I put in here?  Or should I use the name  that I want clients to use to access the service, for example, "WebApps", so the URL they use would be https://webapps.companyname.gov.uk/rdweb  ?

Cheers
V.
0
 
LVL 8

Assisted Solution

by:Wilder_Admin
Wilder_Admin earned 500 total points
ID: 40300453
The Common Name is typically composed of Host + Domain Name and will look like "*.companyname.gov.uk" or "companyname.gov.uk". SSL Server Certificates are specific to the Common Name that they have been issued to at the Host level. The Common Name must be the same as the Web address you will be accessing when connecting to a secure site. For example, a SSL Server Certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", as "www.domain.com" and "secure.domain.com" are different from "domain.com". You would need to create a CSR for the correct Common Name. When the Certificate will be used on an Intranet (or internal network), the Common Name may be one word, and it can also be the name of the server.
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 1

Author Comment

by:vision_on
ID: 40300473
I understand thanks.  So as I intend to get users to access the RDS website using https://rdsapps.companyname.gov.uk/rdweb, I should make the Common Name *.companyname.gov.uk and it should work.

I read somewhere that for the cert you need to select 4096 as the bit length, is that something you know about?
0
 
LVL 8

Assisted Solution

by:Wilder_Admin
Wilder_Admin earned 500 total points
ID: 40300484
The common Name is ok

the length inside of a lan can be shorter. This length is only suggested for outside communication.
0
 
LVL 1

Author Comment

by:vision_on
ID: 40300500
Ok final question!  If generate my Cert request through IIS, can I be sure that it is a Server Authentication certificate request?
0
 
LVL 8

Expert Comment

by:Wilder_Admin
ID: 40300513
Yes thats right!
0
 
LVL 1

Author Comment

by:vision_on
ID: 40300521
Thanks you have been very helpful.

V.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question