Auto-created self-signed SSL for Remote Desktop Gateway?

I have a RD Gateway that has been secured using a GoDaddy SSL Cert.  The cert expired recently so I thought I'd try a self-signed cert instead of renewing the GoDaddy Cert through the reseller we're no longer doing business with.  When the self-signed cert kept giving errors on the client side, I opted to revoke the GoDaddy and purchase a new one to secure the RD Gateway.  I have the cert installed, I see it in the RD Gateway Manager as the active cert and in the Certificates under Remote Desktop (also imported as Trusted Root Cert Auth).  When I attempt to connect via Remote Desktop Connection, I receive an error that the name doesn't match the subject of the cert.  When I look at Certificates under Remote Desktop, I see two certs: the GoDaddy and a self-signed with the servername as the subject.  If I delete that cert, it is automatically created when I attempt to connect via RDC.

Has anyone seen this?  My Google-fu is failing me...
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

VB ITSSpecialist ConsultantCommented:
Did you restart the Remote Desktop Gateway service after applying the new SSL certificate? Do you perhaps have a firewall (TMG, ISA, etc) where you need to publish the new certificate to?
rpmahonyAuthor Commented:
I've restarted the RD Gateway Service a couple times, once via the wizard and once manually.  I've also restarted the server since applying the cert.  Only firewall is our Cisco ASA so my internal test should negate that issue if it were an issue.  FWIW, I don't remember having to install the original cert anywhere but the RD Gateway server (which is the sole RD target btw).  It's just strange that the self-issued cert appears even after I delete it, leaving only the GoDaddy in the Certificates - Remote Desktop container.  After the server restart, I see the new GoDaddy cert info when I look at the RD Gateway server properties.  Crazy stuff...
VB ITSSpecialist ConsultantCommented:
I've seen strange things happen with SSL certs and RD Gateway. It's generally best to delete certificates from the Computer store that have conflicting friendly names - did you try this? Export the certificate (including the private key) to the Desktop or wherever you want as a backup, then delete them from the store. Let me know how this goes.

EDIT: probably best you export and delete all the certs that you don't need, leaving just the new cert in the certificate store.
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

rpmahonyAuthor Commented:
Yep.  I've deleted the 'computername.domain.local' cert from every place I could find in the Certificates mmc plug-in and it still pops up in the RD container.  As soon as I attempt to connect via RDC, it reappears in the RD container.  I'll try once more during lunch - remove the cert, restart the gateway service and try again.  I think I tried this on Friday but can't be certain.
rpmahonyAuthor Commented:
No dice.  Removed self-signed cert, restarted gateway services, attempted to login and it reappeared.  Removed self-signed cert, restarted SERVER, attempted to login and it reappeared again.  I'm stumped.
VB ITSSpecialist ConsultantCommented:
Did you re-assign the trusted third-party SSL certificate when you removed the self-signed certificate? Just had a re-read of your original question, can you clarify what you mean when you say 'Certificates under Remote Desktop'?
When I look at Certificates under Remote Desktop, I see two certs: the GoDaddy and a self-signed with the servername as the subject.
Is this in the RDS Host Configuration console, RD Gateway Manager, or somewhere else?
rpmahonyAuthor Commented:
After I deleted the self-signed cert, I verified that the attached is still showing up in the RD Gateway Manager.  "Certificates under Remote Desktop" = Opened MMC, added the Certificates add-in and viewed my local computer certificates.  Under the Remote Desktop - Certificates 'folder' there are two certs listed: one issued by and issued to server.internal.local and one issued by GoDaddy and issued to

I delete the server.internal.local cert from that container, re-import the GoDaddy cert using the RD Gateway Manager and restart the services (either from the confirmation message or manually) and attempt to login again.  RDC gives me a "can't verify computer" message because the name doesn't match the cert.  When I look at RD Gateway Manager, it still shows the correct cert from GoDaddy but the Certificates add-in shows the newly-created self-signed cert once again.

VB ITSSpecialist ConsultantCommented:
Can you please post a screenshot of the certificate error you're getting? I just need to verify whether the certificate name mismatch error you are seeing is for the RD Gateway or for the actual machine you're trying to RDP into.
rpmahonyAuthor Commented:
Here you go.  In the Windows error, I masked the computer name, but it's showing the internal dns name.  I'm using the public dns name, which is on the GoDaddy SSL.  When I click to view the cert, it's showing the self signed cert.
VB ITSSpecialist ConsultantCommented:
OK I think I understand what the issue now. It sounds like your RD Gateway Certificate is actually working perfectly fine with the new certificate.

These certificate mismatch errors are coming from the machine that you are trying to connect to. Before we do anything else, can you please confirm if you're using the RD Gateway to connect to just one machine inside your network or do you intend to use it to allow multiple users to log into multiple machines?
rpmahonyAuthor Commented:
Currently, and for the foreseeable future, we have one dedicated terminal server.  That same server is performing the RD Gateway role as well.  I originally secured the machine using a GoDaddy cert when I built the server, so the setup was working until I attempted to replace the expired GoDaddy cert with a self-signed.  It just seems like the self-signed cert is "stuck".
VB ITSSpecialist ConsultantCommented:
Sorry rpmahony, forgot to follow up on this one. The certificate mismatch warnings you are seeing is actually unrelated to the RD Gateway service.

The warning that you're seeing is to do with the certificate used to sign remote desktop connections. The auto-generated certificate is actually set in the following area:
Go to Administrative Tools > Remote Desktop Services > Remote Desktop Services Host Configuration > right click on RDP-TcpProperties
You can try and import the third party certificate you used for your RD Gateway to the local Computer store on the Terminal Server, then assign it using the Select button from my screenshot. I'm just not sure how well this will work when you are logging in via the RD Gateway.

You can actually safely ignore the message as well, you'll still be able to connect to the Terminal Server.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rpmahonyAuthor Commented:
Bingo!  I wonder why I couldn't find this in any of my googling and searching of MS TIDs and Articles…

Thanks for the assist.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.