Solved

Windows 2012 R2 RDS Certificates

Posted on 2014-09-03
8
455 Views
1 Endorsement
Last Modified: 2014-09-03
Hello

I am deploying a Windows 2012 R2 RDS farm, I have got the point where I need to install certificates, the servers are:

RDSBrok01 + Web
RDSBrok02
RDSH01
RDSH02
RDSH03

I am a little confused where I generate the certificate request from, do I just go into RDSBrok01 and generate from IIS?  I want to use a Wildcard cert from Digicert as well, the company I work for already has one of these and I can get a copy from their website.  The bit I am not sure about is when I generate the cert request does it matter what details I put in the Common Name for example and does it matter that I generated it from just the one server in the farm?

Thanks
1
Comment
Question by:vision_on
  • 4
  • 4
8 Comments
 
LVL 8

Accepted Solution

by:
Wilder_Admin earned 500 total points
ID: 40300396
On which computer you generate the request does not matter. What Remote Desktop cares about is that it's a Server Authentication certificate, the FQDN is either in the Subject Name, or SAN, and that the certificate is trusted.

RDS accepts wildcard certs but Lync2013 for example not.
0
 
LVL 1

Author Comment

by:vision_on
ID: 40300422
Hello Wilder Admin

Thanks for your reply, so because I intend to use a wildcard cert, that will be *.companyname.gov.uk, the Subject name and SAN both contain this, so I assume that this will be ok for Single Sign On, Publishing and Web Access.  At the moment there is no external access just internal clients.

Just so I am clear, when I go through the certificate request wizard, it asks for "Common Name", it does not matter what I put in here?  Or should I use the name  that I want clients to use to access the service, for example, "WebApps", so the URL they use would be https://webapps.companyname.gov.uk/rdweb  ?

Cheers
V.
0
 
LVL 8

Assisted Solution

by:Wilder_Admin
Wilder_Admin earned 500 total points
ID: 40300453
The Common Name is typically composed of Host + Domain Name and will look like "*.companyname.gov.uk" or "companyname.gov.uk". SSL Server Certificates are specific to the Common Name that they have been issued to at the Host level. The Common Name must be the same as the Web address you will be accessing when connecting to a secure site. For example, a SSL Server Certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", as "www.domain.com" and "secure.domain.com" are different from "domain.com". You would need to create a CSR for the correct Common Name. When the Certificate will be used on an Intranet (or internal network), the Common Name may be one word, and it can also be the name of the server.
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 1

Author Comment

by:vision_on
ID: 40300473
I understand thanks.  So as I intend to get users to access the RDS website using https://rdsapps.companyname.gov.uk/rdweb, I should make the Common Name *.companyname.gov.uk and it should work.

I read somewhere that for the cert you need to select 4096 as the bit length, is that something you know about?
0
 
LVL 8

Assisted Solution

by:Wilder_Admin
Wilder_Admin earned 500 total points
ID: 40300484
The common Name is ok

the length inside of a lan can be shorter. This length is only suggested for outside communication.
0
 
LVL 1

Author Comment

by:vision_on
ID: 40300500
Ok final question!  If generate my Cert request through IIS, can I be sure that it is a Server Authentication certificate request?
0
 
LVL 8

Expert Comment

by:Wilder_Admin
ID: 40300513
Yes thats right!
0
 
LVL 1

Author Comment

by:vision_on
ID: 40300521
Thanks you have been very helpful.

V.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question