trinity2007

asked on

Windows 2008 R2 Certificate Authority - Generate new certificate

I'm new to generating certificates from a local CA server.  We are running a Windows 2008 R2 Standard server; roles on this server include Domain Controller, DHCP, DNS and Certificate Authority.  I have another server, Windows 2012 Remote Desktop Services, which we will be using to publish remote apps for some software in the environment, and for which I need to create a server authentication certificate.   This will be internal facing only.  I would like to use the CA server to generate a certificate as part of the requirements for RDS.  I've not done this in the past and would request assistance or guidance in doing so.
Thank you,
btan

If possible, I suggest setting up the 2K8 server as an Enterprise CA and having the RDS server join the same domain as the CA. This article (http://www.derekseaman.com/2013/01/creating-custom-remote-desktop-services.html) can be handy, as it uses a Windows Server 2008 R2 CA and targets a Windows Server 2012 server. It describes (briefly, but with screenshots):
- first, creating a new CA certificate template with an extended key usage that limits its use to RD TLS sessions only;
- second, configuring a GPO setting to automatically configure servers to request a certificate via this template, and eventually use that certificate for RDP TLS;
- finally, refreshing the GPO on the target server and testing the connection from a stand-alone computer to verify that it sees the certificate deployed as planned.

Likewise, for more details you can check the suggested link for the setup of RDS and CA as required (https://technet.microsoft.com/en-us/library/cc725949.aspx) to get the server certificate, since it is internal only.
If your company maintains a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates that meet RD Gateway requirements, you can generate and submit a certificate request in several ways, depending on the policies and configuration of your organization's CA. Methods for obtaining a certificate include:

Initiating auto-enrollment from the Certificates snap-in.

Requesting certificates by using the Certificate Request Wizard.

Requesting a certificate over the Web.
Also note the RDS use case and requirements:
Certificates in Remote Desktop Services need to meet the following requirements:
The certificate is installed in the local computer’s “Personal” certificate store.

The certificate has a corresponding private key.

The Enhanced Key Usage extension has a value of either “Server Authentication” or “Remote Desktop Authentication” (1.3.6.1.4.1.311.54.1.2). You can also use certificates with no Enhanced Key Usage extension.
The certificates you deploy need to have a subject name or subject alternate name that matches the name of the server that the user is connecting to. For example, for Publishing, the certificate needs to contain the names of all the RDSH servers in the collection. The certificate for RDWeb needs to contain the FQDN or the URL, based on the name the users connect to. If you have users connecting externally, this needs to be an external name (it needs to match what they connect to). If you have users connecting internally to RDWeb, the name needs to match the internal name. For Single Sign On, the subject name needs to match the servers in the collection.
https://technet.microsoft.com/en-us/library/dn781533.aspx
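As an added example (not from the thread or the linked articles), the following PowerShell enrols a certificate from the enterprise CA template on the RDS server itself and then checks the result against the requirements quoted above: Personal store, private key present, EKU of Server Authentication or Remote Desktop Authentication (or none), and Subject/SAN covering the name clients connect to, plus a chain check. Assumptions not in the thread: the template is named RDS-Cert with its subject "supplied in the request", the PKI module (Get-Certificate, Server 2012 or later) is present, and the script runs elevated on the domain-joined RDS server.

```powershell
# Added example, not from the thread or the linked articles. Assumed: template
# name RDS-Cert (subject supplied in the request), PKI module present, run
# elevated on the domain-joined RDS server.

$Template = 'RDS-Cert'                                            # assumed name
$Fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# The enterprise CA is located through Active Directory; the key pair is generated
# here and the issued certificate lands in the local computer's Personal store.
$result = Get-Certificate -Template $Template -SubjectName "CN=$Fqdn" -DnsName $Fqdn `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: $($result.Status)" }
$cert = $result.Certificate

function Test-RdsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$ExpectedNames          # every name users will connect with
    )
    $problems = @()

    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the store' }

    # EKU: Server Authentication or Remote Desktop Authentication, or no EKU at all.
    $eku = $Cert.Extensions |
           Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if (-not (($oids -contains '1.3.6.1.5.5.7.3.1') -or ($oids -contains '1.3.6.1.4.1.311.54.1.2'))) {
            $problems += "EKU present but unsuitable: $($oids -join ', ')"
        }
    }

    # Names: subject CN plus the DNS entries of the SAN extension (OID 2.5.29.17).
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) prints one entry per line, e.g. "DNS Name=rds01.contoso.local"
        $names += @($san.Format($true) -split "`r?`n" |
                    Where-Object { $_ -like 'DNS Name=*' } |
                    ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    foreach ($expected in $ExpectedNames) {
        $hit = $names | Where-Object {
            if ($_.StartsWith('*.')) {
                # a wildcard covers exactly one label: *.contoso.local matches rds01.contoso.local only
                ($expected -like $_) -and ($expected.Split('.').Count -eq $_.Split('.').Count)
            } else { $_ -eq $expected }
        }
        if (-not $hit) { $problems += "neither Subject nor SAN covers $expected (has: $($names -join ', '))" }
    }

    # Chain: a self-signed cert (Issuer equals Subject) fails here unless its root is trusted.
    # Revocation is skipped so that an unreachable CRL does not mask a trust problem.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain to a trusted root does not build ($status); issuer is $($Cert.Issuer)"
    }
    return $problems
}

$problems = Test-RdsCertificate -Cert $cert -ExpectedNames @($Fqdn)
if ($problems) {
    Write-Warning ("{0} fails the RDS checks:`n - {1}" -f $cert.Thumbprint, ($problems -join "`n - "))
} else {
    "Certificate $($cert.Thumbprint) (issued by $($cert.Issuer)) meets the RDS requirements for $Fqdn"
}
```

Test-RdsCertificate can also be pointed at any certificate already in Cert:\LocalMachine\My (for example one imported from a .pfx) with the list of names users actually type, which is the quickest way to see why a deployment shows "untrusted".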
trinity2007 (ASKER)
Very good links, I will read through these.  Thank you.  Another question is for the RDS setup I need to generate certificates for the RD Web Access, and the RD Connection Broker.  Do I generate (or create) a new certificate right from 'configuring the deployment' for each role?
Thank you again for your assistance.  I'm new to certificates and understanding them.
SOLUTION
btan
We are a small company, and I have 2 RDS servers set up, with all roles except the RD Gateway.  We had originally planned on setting up an HA environment, but business requirements have since changed.  With this in mind, I should be able to use the single certificate for all the roles, since all clients are internal to the domain and we are just using the one RDS server, correct?
Thank you,
Yes, a wildcard cert with .LOCAL can then be an option.
Selecting which certificate to use:
Now that you have created your certificates and understand their contents, you need to configure Remote Desktop to use those certificates.

On the Connection Broker, open the Server Manager. Click Remote Desktop Services in the left navigation pane.

Click Tasks > Edit Deployment Properties.

In the Configure the deployment window, click Certificates.

Click Select existing certificates, and then browse to the location where you saved the certificate you created previously. Look for the file with the .pfx extension.

Import the certificate.

You can use a single certificate for all the roles if your clients are internal to the domain only, by generating a wildcard certificate (*.CONTOSO.local) and binding it to all roles.

Note that, even if you have multiple servers in the deployment, Server Manager will import the certificate to all servers, place the certificate in the trusted root for each server, and then bind the certificate to the respective roles.
My next question is this:  (keeping in mind I'm not a certificate expert).  We have an Enterprise CA server - Windows 2008 R2 Standard, how do I generate the .pfx certificate?
If you request the cert from the server as described in the URL I suggested you look through first, the key will already be installed on the servers. Otherwise, when you request the cert, you can tick the option to make the key exportable and you can then get your pfx (or private keys) per se... for info: http://thewindowsadmin.com/?p=106
I'm still struggling with creating the certificate to import into the RDS roles on Windows 2012.  On our 2008 R2 Standard server with the CA set up, I created the certificate template, named it RDS-Cert with Intended Purposes of Server Authentication as indicated in the links you provided, but I can't seem to get past the point of what I need to do next.  I believe I'm making this harder than it is.  This is the first time working with a CA server and I apologize for my misunderstanding.
Thank you,
SOLUTION
I can review your notes this afternoon...thank you so much!!
From our Enterprise CA server I followed steps 1 through 8, and added to the RD Farm servers.
Step 7: Exported the key from the CA server: Certificate Enrollment Requests > Certificates. Exported locally on the CA server, and copied over to the RDS server.
Step 8: Imported the cert (that I had copied over from the CA server) into the RDS console, making sure to check 'Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers'.
Received message that it was a 'success'.  However, displays as 'untrusted' in the Manage Certificates console and web site still is 'untrusted'.
When viewing the certificates on the RDS server, I see the 'Issued by' and Issued to' columns display the same name (the RDS server name).  Shouldn't the Issued by show our CA server name since that is where it should have actually generated from?  Perhaps the signing is not correct and that's why it still shows as untrusted?
Did I miss a step along the way....
Thank you again for your patience!
ASKER CERTIFIED SOLUTION
Thank you, we have decided to go the wildcard cert after all.  In the process of getting that set now through GoDaddy.
Sure, it may be more straightforward for a start too. Just a note, besides what was discussed: GD will give you a CRT or KEY instead of a PFX (private key), which needs some conversion, e.g. https://www.sslshopper.com/ssl-converter.html
It can then be imported via the Deployment Properties section. For the others (trusted store etc.), you can go via MMC.
I have 2 .crt files I downloaded in a zip file from GoDaddy (downloaded as 'other'). I don't see the 'private key' file associated to either of these files.  I have downloaded openssl for Win7 x64 bit, and placed under the C:\ drive.
I'm assuming I'll need to generate the private key file?
Thanks again.
You do not have any private key from the CRT files; please see the link on
http://stackoverflow.com/questions/14651599/certificate-issue-key-or-pfx-from-p7b-and-crt
I believe I have it all set now.  Generated CSR, uploaded to our CA and generated a .key file from the private key portion of the CSR.  Used openssl from a Linux box to combine the .crt and .key file into a pfx file.  Added the .pfx certificate into the Certificates for RDS, and installed the Intermediate cert for IIS.  Reset IIS, page finally comes up with no cert errors with using either I.E., Firefox or Chrome.  We even went a step further and created a DNS Cname entry so our users can type in just a name:  i.e.....RemoteApp and get redirected to the correct site.
Thank you for your patience and persistence!  I certainly appreciate your assistance!!
Good to hear it all worked out w/o a 3rd party CA :)
I believe you used the below for the "combine the .crt and .key file into a pfx file":
>> "openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt"
Also, just for info, there is Windows OpenSSL @ http://slproweb.com/products/Win32OpenSSL.html

Glad to have help!
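As an added example (not from the thread), this is the Windows-native version of the flow the thread ends with (generate a CSR, get the issued .crt back, combine it with the key into a .pfx) and of the Deployment Properties > Certificates steps quoted earlier. With certreq the private key is created in the local machine key store and never exists as a separate file, which is why a CA only returns .crt files: certreq -accept pairs the issued certificate with the pending request's key, Export-PfxCertificate then produces the .pfx, and Set-RDCertificate binds it to each role. Assumptions not in the thread: the host rds01.contoso.local, the C:\certs paths, a second SAN name remoteapp.contoso.local, the template name RDS-Cert, and that the RemoteDesktop module (Set-RDCertificate / Get-RDCertificate) is available on the Connection Broker; run elevated on the server where the CSR was generated.

```powershell
# Added example, not from the thread. Assumed: rds01.contoso.local, C:\certs,
# SAN remoteapp.contoso.local, template RDS-Cert, RemoteDesktop module present.

$Fqdn    = 'rds01.contoso.local'            # assumed
$WorkDir = 'C:\certs'                        # assumed
$Inf = Join-Path $WorkDir "$Fqdn.inf"
$Csr = Join-Path $WorkDir "$Fqdn.req"
$Crt = Join-Path $WorkDir "$Fqdn.crt"        # save the issued certificate here
$Pfx = Join-Path $WorkDir "$Fqdn.pfx"

function New-RdsRequest {
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    # Exportable = TRUE is what later permits the .pfx export; the SAN lists every
    # name users will connect with, since RDS matches Subject/SAN against them.
    # KeyUsage 0xA0 = digitalSignature + keyEncipherment; EKU = Server Authentication.
    @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=remoteapp.contoso.local"
"@ | Set-Content -Path $Inf -Encoding Ascii
    # Generates the key pair in the machine store and writes the PKCS#10 request.
    certreq -new $Inf $Csr
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
    # Enterprise CA: certreq -submit -attrib "CertificateTemplate:RDS-Cert" $Csr $Crt
    # Public CA:     paste the contents of $Csr into the order form; save the issued cert as $Crt
    Get-Content $Csr
}

function Complete-RdsPfx {
    param([System.Security.SecureString]$Password)
    if (-not (Test-Path $Crt)) { throw "Issued certificate not found at $Crt" }
    # Matches the issued cert to the pending request's key and moves it to LocalMachine\My.
    certreq -accept -machine $Crt
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }
    # Issuer must differ from Subject: equal values mean a self-signed cert, not a CA-issued one.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey -and $_.Issuer -ne $_.Subject } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No CA-issued certificate with a private key for $Fqdn in LocalMachine\My" }
    # The default chain option includes the intermediates, so the .pfx carries the chain too.
    Export-PfxCertificate -Cert $cert -FilePath $Pfx -Password $Password | Out-Null
    "Issued by $($cert.Issuer); exported $($cert.Thumbprint) to $Pfx"
    $cert
}

function Set-RdsRoleCertificates {
    param([System.Security.SecureString]$Password, [string]$Broker = $Fqdn)
    # Same effect as Deployment Properties > Certificates > Select existing certificate,
    # applied to each role in turn (no RD Gateway in this deployment).
    foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess') {
        Set-RDCertificate -Role $role -ImportPath $Pfx -Password $Password -ConnectionBroker $Broker -Force
    }
    Get-RDCertificate -ConnectionBroker $Broker
}

# Stage 1 now; stages 2 and 3 once the CA has returned $Crt:
New-RdsRequest
# $pw = Read-Host -AsSecureString 'PFX password'
# Complete-RdsPfx -Password $pw
# Set-RdsRoleCertificates -Password $pw
```

Because the request is created with MachineKeySet = TRUE, certreq -accept must run on the same machine and in the machine context; accepting the .crt anywhere else leaves a certificate without a private key, which is the "Issued by equals Issued to" and "untrusted" symptom described earlier in the thread.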
Yes, used the command you have indicated above.
Thank you again for your assistance, you have been most helpful!
Appreciate it thanks!