Using a public certificate Microsoft Remote Desktop Service farm (Terminal)

I have a Windows 2012 R2 farm with two session hosts servers, a server that is both gateway web host for the portal.  The internal and external domain names are the same (before my time so I'm stuck with it) Internal hosts use a Microsoft DNS server for name resolution and the rest of the world uses the Internet DNS.  The session hosts are resolvable from inside by their hostnames but not so from the outside.  The farm works fine as is with one exception.  When users launch an app they get the certificate mismatch error because the host name a) doesn't match the farm's DNS name and b) the cert is self-signed so it doesn't chain back to a trusted authority.

I bought a SAN cert form DigiCert to fix the issue but when I try apply it to the RD Connection Broker - Publishing service in the deployment I get the following error:

"The specified certificate is not valid. The certificate properties must match the requirements of the role service."

The PFX was created by highlighting the DigiCert Global root and the farm cert I purchased from them and exporting to PFX format with a key. The cert I got from digicert has the following :
•Ensures the identity of a remote computer
•Proves your identity to a remote computer

The Subject Alternative names are the FQDNs of the servers in the farm as well as the externally and internally DNS registered name of the farm host itself.

Enhanced Key Usage shows:

Server Authentication (
 Client Authentication (
Can anyone tell me why this isn't working and what I need to do to get it to work?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
Farms are essentially gone in 2012. If you configured round-robin DNS, you *will* have issues. The certificate must have a SAN name that matches the connection broker name. Also, for the publishing service, the certificate must support the code signing usage, which is not one of the usages listed in your question.
freymishAuthor Commented:
I'll try rekeying with the code signing option and see how that goes.  I'll post back either way. Nothing bugs me more than people who float a question, say they figured it out and don't say how!  Argh!!  <shakes fist at sky>

freymishAuthor Commented:
I had to re-key with the following options. I found this on a thread somewhere that I have now lost.. :)

The extensions need to contain:
     Data encipherment
     Key encipherment

Extended Key Usage:
     Server Authentication
     Client Authentication

Those settings were the magic bullet.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
freymishAuthor Commented:
I found the answer after a good bit of hunting around
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.