Solved

Windows 2012 R2 RDS Certificates

Posted on 2014-09-03
8
458 Views
1 Endorsement
Last Modified: 2014-09-03
Hello

I am deploying a Windows 2012 R2 RDS farm. I have got to the point where I need to install certificates; the servers are:

RDSBrok01 + Web
RDSBrok02
RDSH01
RDSH02
RDSH03

I am a little confused where I generate the certificate request from, do I just go into RDSBrok01 and generate from IIS?  I want to use a Wildcard cert from Digicert as well, the company I work for already has one of these and I can get a copy from their website.  The bit I am not sure about is when I generate the cert request does it matter what details I put in the Common Name for example and does it matter that I generated it from just the one server in the farm?

Thanks
1
Comment
Question by:vision_on
8 Comments
 
LVL 8

Accepted Solution

by:
Wilder_Admin earned 500 total points
ID: 40300396
On which computer you generate the request does not matter. What Remote Desktop cares about is that it's a Server Authentication certificate, that the FQDN is either in the Subject Name or the SAN, and that the certificate is trusted.

RDS accepts wildcard certs, but Lync 2013, for example, does not.
0
 
LVL 1

Author Comment

by:vision_on
ID: 40300422
Hello Wilder Admin

Thanks for your reply, so because I intend to use a wildcard cert, that will be *.companyname.gov.uk, the Subject name and SAN both contain this, so I assume that this will be ok for Single Sign On, Publishing and Web Access.  At the moment there is no external access just internal clients.

Just so I am clear, when I go through the certificate request wizard it asks for "Common Name"; does it not matter what I put in here? Or should I use the name that I want clients to use to access the service, for example "WebApps", so the URL they use would be https://webapps.companyname.gov.uk/rdweb ?

Cheers
V.
0
 
LVL 8

Assisted Solution

by:Wilder_Admin
Wilder_Admin earned 500 total points
ID: 40300453
The Common Name is typically composed of Host + Domain Name and will look like "*.companyname.gov.uk" or "companyname.gov.uk". SSL Server Certificates are specific to the Common Name that they have been issued to at the Host level. The Common Name must be the same as the Web address you will be accessing when connecting to a secure site. For example, an SSL Server Certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", as "www.domain.com" and "secure.domain.com" are different from "domain.com". You would need to create a CSR for the correct Common Name. When the Certificate will be used on an Intranet (or internal network), the Common Name may be one word, and it can also be the name of the server.
0
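A PowerShell check, added here and not part of the thread, for the three things Wilder_Admin says Remote Desktop cares about (Server Authentication EKU, the client-facing FQDN in the Subject CN or SAN, a trusted chain), applying the one-label wildcard rule behind the Common Name discussion; the thumbprint and FQDN passed at the bottom are placeholders.

```powershell
# Added example (not the thread's code); thumbprint and FQDN below are placeholders.
function Test-RdsCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Fqdn     # e.g. rdsapps.companyname.gov.uk
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $fqdn = $Fqdn.ToLowerInvariant()
    # 1. EKU must list Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    #    A certificate with no EKU extension is unrestricted, so it passes this check too.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOk = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')
    # 2. Candidate names: Subject CN plus every "DNS Name=" entry in the SAN (OID 2.5.29.17).
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } | ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    $nameOk = $false
    foreach ($n in ($names | ForEach-Object { $_.ToLowerInvariant() })) {
        if ($n -eq $fqdn) { $nameOk = $true; break }
        # *.companyname.gov.uk covers rdsapps.companyname.gov.uk, but not companyname.gov.uk
        # itself and not a.b.companyname.gov.uk: exactly one label may replace the asterisk.
        if ($n.StartsWith('*.') -and $fqdn.EndsWith($n.Substring(1))) {
            $label = $fqdn.Substring(0, $fqdn.Length - $n.Length + 1)
            if ($label -and $label -notmatch '\.') { $nameOk = $true; break }
        }
    }
    # 3. The chain must build to a root this machine trusts; RDP clients make the same check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: CRL reachability is checked elsewhere
    $chainOk = $chain.Build($cert)
    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        ServerAuthEku  = $ekuOk
        NameMatches    = $nameOk
        CandidateNames = ($names -join ';')
        ChainTrusted   = $chainOk
        HasPrivateKey  = $cert.HasPrivateKey   # False means the PFX was imported without its key
    }
}

Test-RdsCertificate -Thumbprint 'REPLACE_WITH_THUMBPRINT' -Fqdn 'rdsapps.companyname.gov.uk'
```

Run it on every broker, web access and session host after importing the certificate there: the private key exists only on the server where the request was generated, so the other servers need the PFX exported with the key, and HasPrivateKey should read True on each of them.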

 
LVL 1

Author Comment

by:vision_on
ID: 40300473
I understand thanks.  So as I intend to get users to access the RDS website using https://rdsapps.companyname.gov.uk/rdweb, I should make the Common Name *.companyname.gov.uk and it should work.

I read somewhere that for the cert you need to select 4096 as the bit length, is that something you know about?
0
 
LVL 8

Assisted Solution

by:Wilder_Admin
Wilder_Admin earned 500 total points
ID: 40300484
The Common Name is OK.

The length inside of a LAN can be shorter. This length is only suggested for outside communication.
0
 
LVL 1

Author Comment

by:vision_on
ID: 40300500
OK, final question! If I generate my cert request through IIS, can I be sure that it is a Server Authentication certificate request?
0
 
LVL 8

Expert Comment

by:Wilder_Admin
ID: 40300513
Yes, that's right!
0
 
LVL 1

Author Comment

by:vision_on
ID: 40300521
Thanks, you have been very helpful.

V.
0
