Windows 2008 R2 Certificate Authority - Generate new certificate

I'm new with working with generating certificates from a local CA server.  We are running a Windows 2008 R2 Standard server, roles are this server include:  Domain Controller, DHCP, DNS and Certificate Authority.  I have another server:  Windows 2012 Remote Desktop Services which we will be using to publish remote apps for some software in the environment, which I need to create a server authentication certificate.   This will be internal facing only.  I would like to use the CA server to generate a certificate as part of the requirements for RDS.  I've not done this in the past and would request assistance or guidance in doing so.
Thank you,
trinity2007 asked:
btan (Exec Consultant) commented:
If possible, I suggest the 2K8 as Enterprise CA and have the RDS join the same domain as the CA. This article (http://www.derekseaman.com/2013/01/creating-custom-remote-desktop-services.html) can be handy as it uses the Windows Server 2008 R2 CA and targets Windows Server 2012 server. It depicts (briefly, but with screenshots):
- first, creating a new CA certificate template having an extended key usage to limit its use to only RD TLS sessions.
- second, configuring a GPO setting to automatically configure servers to request a certificate via this template, and eventually use that certificate for RDP TLS.
- finally, refreshing the GPO on the target server, and testing out the connection via a stand-alone computer to verify it sees the certificate deployed as planned.

Likewise, for more details, you can check out the suggested links for the setup of RDS and CA as required (https://technet.microsoft.com/en-us/library/cc725949.aspx) to get the server certificate, since it is internal only.
If your company maintains a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates that meet RD Gateway requirements, you can generate and submit a certificate request in several ways, depending on the policies and configuration of your organization's CA. Methods for obtaining a certificate include:

Initiating auto-enrollment from the Certificates snap-in.

Requesting certificates by using the Certificate Request Wizard.

Requesting a certificate over the Web.
Also do note the RDS use case and requirements:
Certificates in Remote Desktop Services need to meet the following requirements:
The certificate is installed in the local computer’s “Personal” certificate store.

The certificate has a corresponding private key.

The Enhanced Key Usage extension has a value of either “Server Authentication” or “Remote Desktop Authentication” (1.3.6.1.4.1.311.54.1.2). You can also use certificates with no Enhanced Key Usage extension.
The certificates you deploy need to have a subject name or subject alternate name that matches the name of the server that the user is connecting to. For example, for Publishing, the certificate needs to contain the names of all the RDSH servers in the collection. The certificate for RDWeb needs to contain the FQDN or the URL, based on the name the users connect to. If you have users connecting externally, this needs to be an external name (it needs to match what they connect to). If you have users connecting internally to RDWeb, the name needs to match the internal name. For Single Sign On, the subject name needs to match the servers in the collection.
https://technet.microsoft.com/en-us/library/dn781533.aspx
trinity2007 (Author) commented:
Very good links, I will read through these.  Thank you.  Another question is for the RDS setup I need to generate certificates for the RD Web Access, and the RD Connection Broker.  Do I generate (or create) a new certificate right from 'configuring the deployment' for each role?
Thank you again for your assistance.  I'm new to certificates and understanding them.
btan (Exec Consultant) commented:
Yes and No. (ref the link in previous post)

Yes - Strictly speaking, as RD Web and RD Broker have different names, i.e. the subject name in the certificate installed in each server. Typically (for the sake of example), it can be various unique hostnames > (server's functional role) as below, and each has its unique certificate (hence SSL key).
RDSH.CONTOSO.COM > Session Host with RemoteApp configured
RDSH2.CONTOSO.COM > Session Host with RemoteApp configured
RDVH1.CONTOSO.COM > Virtualization host with VDI VMs configured
RDVH2.CONTOSO.COM > Virtualization host with VDI VMs configured
RDCB.CONTOSO.COM > Connection Broker
RDWEB.CONTOSO.COM > RDWeb and Gateway server
No - The hosts can all be installed with a single certificate if it is a wildcard certificate or a SAN certificate:
Type: Server Authentication
Name: RDWEB.CONTOSO.COM
SAN: RDSH1.CONTOSO.COM; RDSH2.CONTOSO.COM; RDVH1.CONTOSO.COM; RDVH2.CONTOSO.COM; RDCB.CONTOSO.COM
This certificate approach works as long as you have five or fewer servers in your deployment. If you have more servers, you can’t use the Subject Alternate Name field (it is limited to just five servers). Instead, you need to get a wildcard certificate to cover all the servers in the deployment.
We do not mix, within a single certificate, the .EXT DOMAIN with .LOCAL using SAN, and note the caveat:
you can get a certificate from a public CA with the external name (RDWEB.CONTOSO.COM) and bind it to the RD Web Access and RD Gateway roles. (These are the only roles that are exposed to the Internet.) For the RD Connection Broker – Publishing and RD Connection Broker – Enable Single Sign On roles, you can use an internal certificate with the DOMAIN.local name on it. However, be aware that this only works if your clients are connecting through RDC 8.0 or later.
Also you can use a single certificate for all the roles if your clients are internal to the domain only, by generating a wildcard certificate (*.CONTOSO.local) and binding it to all roles.
trinity2007 (Author) commented:
We are a small company, and I have 2 RDS servers set up, with all roles except the RD Gateway.  We had originally planned on setting up an HA environment, but business requirements have since changed.  With this in mind, I should be able to use the single certificate for all the roles, since all clients are internal to the domain and we are just using the one RDS server, correct?
Thank you,
btan (Exec Consultant) commented:
Yes - a wildcard cert with .LOCAL can then be an option.
Selecting which certificate to use:
Now that you have created your certificates and understand their contents, you need to configure Remote Desktop to use those certificates.

On the Connection Broker, open the Server Manager. Click Remote Desktop Services in the left navigation pane.

Click Tasks > Edit Deployment Properties.

In the Configure the deployment window, click Certificates.

Click Select existing certificates, and then browse to the location where you saved the certificate you created previously. Look for the file with the .pfx extension.

Import the certificate.

You can use a single certificate for all the roles if your clients are internal to the domain only, by generating a wildcard certificate (*.CONTOSO.local) and binding it to all roles.

Note that, even if you have multiple servers in the deployment, Server Manager will import the certificate to all servers, place the certificate in the trusted root for each server, and then bind the certificate to the respective roles.
trinity2007 (Author) commented:
My next question is this:  (keeping in mind I'm not a certificate expert).  We have an Enterprise CA server - Windows 2008 R2 Standard, how do I generate the .pfx certificate?
btan (Exec Consultant) commented:
If you request the cert from the server as shared in the URL that I preached you should look through first, the key will already be installed in the servers. Otherwise, as you request the cert, you can click to make the key exportable and you can then get your pfx (or private keys) per se... for info - http://thewindowsadmin.com/?p=106
trinity2007 (Author) commented:
I'm still struggling with creating the certificate to import onto the Windows 2012 RDS roles. On our 2008 R2 Standard Server w/CA set up, I created the Certificate Template; named it RDS-Cert with Intended Purposes of Server Authentication as indicated in the links you provided. But I can't seem to get past the point of what do I need to do next? I believe I'm making this harder than it is. This is the first time working with a CA server and I apologize for my misunderstanding.
Thank you,
btan (Exec Consultant) commented:
After getting the template, see if you can start enrolling for the cert using those templates - the example below is for the broker for a start; make sure the broker and internal CA server are accessible.
https://sccmfaq.wordpress.com/2014/04/28/how-to-deploy-remote-desktop-services-2012-r2-certificates-unsing-internal-ca/

The flow after template creation should not differ much, as discussed:
1. Create a certificate template by duplicating the Computer template
2. Edit the new certificate and make these two important mods:
 2a. Allow export private key
 2b. On the Subject Name tab select "Supply in the request" radio button
3. Publish the new template
4. Create a new request and select the new template
5. Add Common Name and DNS for the RDWeb. (I added all RD Farm servers)

Example:
CN=rdweb.domain.local

CN=rdcb.domain.local
CN=rdsh1.domain.local
CN=rdsh2.domain.local
CN=rdsh3.domain.local
rdweb.domain.local
rdcb.domain.local
rdsh1.domain.local
rdsh2.domain.local
rdsh3.domain.local

6. Add rdweb.domain.local to friendly name and then generate the certificate
7. Export the cert with private key
8. Import into RD deployment console.
http://serverfault.com/questions/476963/how-can-i-work-around-problems-with-certificate-configuration-in-remote-desktop
trinity2007 (Author) commented:
I can review your notes this afternoon...thank you so much!!
trinity2007 (Author) commented:
From our Enterprise CA server I followed steps 1 through 8, and added the RD Farm servers.
  Step 7: Exported key from CA server: Certificate Enrollment Requests > Certificates
          Exported locally on CA server, and copied over to the RDS server
  Step 8: Imported cert (that I had copied over from the CA server) into the RDS console, making sure to check 'Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers'.
Received message that it was a 'success'. However, it displays as 'untrusted' in the Manage Certificates console and the web site is still 'untrusted'.
When viewing the certificates on the RDS server, I see the 'Issued by' and 'Issued to' columns display the same name (the RDS server name). Shouldn't the Issued by show our CA server name since that is where it should have actually generated from? Perhaps the signing is not correct and that's why it still shows as untrusted?
Did I miss a step along the way....
Thank you again for your patience!
btan (Exec Consultant) commented:
That is a self-signed cert if the 'Issued by' and 'Issued to' are the same. It should not be if the certificate is issued by the CA based on the template created at the CA side. It may be the case that there are multiple certificates in the server.

The exported certificate must be placed within the local computer's Certificates MMC in the "Personal" certificate store. And it is configured to be used instead. Ref back - http://serverfault.com/questions/476963/how-can-i-work-around-problems-with-certificate-configuration-in-remote-desktop, do take a look at the first answer (with 2 votes) - anything amiss... the digital signature settings need to select the correct cert.

There is another which suggested a WMI script (near the end of the article) to configure the correct cert thumbprint to be used by the RDS server:
http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx

trinity2007 (Author) commented:
Thank you, we have decided to go with the wildcard cert after all. In the process of getting that set up now through GoDaddy.
btan (Exec Consultant) commented:
Sure, may be more straightforward for a start too. Just a note besides those discussed: GD will give you a CRT or KEY instead of a PFX (private key), which needs some conversion, e.g. https://www.sslshopper.com/ssl-converter.html
Then it can be imported via the Deployment Properties section. For others in the trusted store etc., you can go via MMC.
trinity2007 (Author) commented:
I have 2 .crt files I downloaded in a zip file from GoDaddy (downloaded as 'other'). I don't see the 'private key' file associated to either of these files.  I have downloaded openssl for Win7 x64 bit, and placed under the C:\ drive.
I'm assuming I'll need to generate the private key file?
Thanks again.
btan (Exec Consultant) commented:
You do not have any private key from the CRT files, please see the link on
http://stackoverflow.com/questions/14651599/certificate-issue-key-or-pfx-from-p7b-and-crt
trinity2007 (Author) commented:
I believe I have it all set now. Generated CSR, uploaded to our CA and generated a .key file from the private key portion of the CSR. Used openssl from a Linux box to combine the .crt and .key file into a pfx file. Added the .pfx certificate into the Certificates for RDS, and installed the Intermediate cert for IIS. Reset IIS, page finally comes up with no cert errors using either I.E., Firefox or Chrome. We even went a step further and created a DNS CNAME entry so our users can type in just a name, i.e. RemoteApp, and get redirected to the correct site.
Thank you for your patience and persistence!  I certainly appreciate your assistance!!
btan (Exec Consultant) commented:
Good to hear it all worked out w/o 3rd party CA :)
I believe you used the below for the "combine the .crt and .key file into a pfx file":
>> "openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt"
Also just for info there is Windows openssl @ http://slproweb.com/products/Win32OpenSSL.html

Glad to have help!
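An added example (not from this thread or any of the linked articles) that runs the flow discussed above end to end with openssl: the step-5 CSR carrying the RDWeb CN plus the farm hosts as SANs, a throw-away test CA standing in for the Enterprise CA, the "Issued by" equals "Issued to" self-signed check from the earlier exchange, a key/cert match check, and the pkcs12 export with the issuing chain included. All hostnames, the CA name and the PFX password are constructed; it assumes openssl 1.1.1 or later on the path.

```shell
#!/bin/sh
# Added example, not from the thread: CSR -> CA -> PFX end to end, against a
# throw-away test CA standing in for the Enterprise CA. Needs openssl 1.1.1+.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Constructed farm names: CN is the RDWeb name, SAN lists every RDS host.
SANS="DNS:rdweb.domain.local,DNS:rdcb.domain.local,DNS:rdsh1.domain.local"

# Throw-away issuing CA (constructed stand-in for the Windows Enterprise CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Issuing CA" \
  -keyout ca.key -out ca.crt 2>/dev/null

# Step 5: key + CSR. The private key stays on this host; only the CSR goes to the CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rdweb.domain.local" \
  -addext "subjectAltName=$SANS" -keyout rdweb.key -out rdweb.csr 2>/dev/null

# The CA issues the cert: SANs copied through, EKU = Server Authentication.
printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$SANS" > ext.cnf
openssl x509 -req -in rdweb.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -extfile ext.cnf -out rdweb.crt 2>/dev/null

# "Issued to" == "Issued by" in the MMC means subject == issuer: self-signed,
# so not the certificate the CA produced.
is_self_signed() {
  [ "$(openssl x509 -noout -subject -in "$1" | cut -d= -f2-)" = \
    "$(openssl x509 -noout -issuer -in "$1" | cut -d= -f2-)" ]
}
# Does the leaf really chain to this CA certificate?
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# RDS needs the matching private key: compare the public halves.
key_matches_cert() {
  [ "$(openssl pkey -pubout -in "$1")" = "$(openssl x509 -noout -pubkey -in "$2")" ]
}
has_san() { openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"; }
# Steps 7/8: key + cert + issuing CA bundled into the .pfx the RDS console imports.
build_pfx() {
  openssl pkcs12 -export -inkey rdweb.key -in rdweb.crt -certfile ca.crt \
    -passout pass:changeit -out "$1"
}
pfx_cert_count() {  # certificates carried by the PFX (leaf + chain)
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit | grep -c 'BEGIN CERTIFICATE'
}

is_self_signed ca.crt && echo "ca.crt: self-signed (expected for a root)"
is_self_signed rdweb.crt || echo "rdweb.crt: $(openssl x509 -noout -issuer -in rdweb.crt)"
chains_to ca.crt rdweb.crt && key_matches_cert rdweb.key rdweb.crt && build_pfx rdweb.pfx
echo "rdweb.pfx holds $(pfx_cert_count rdweb.pfx) certificates"
```

Replace the test CA step with a CSR submitted to the real Enterprise CA and the same checks tell you, before importing into Deployment Properties, whether the file you exported is the CA-issued certificate or a self-signed one.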
trinity2007 (Author) commented:
Yes, used the command you have indicated above.
Thank you again for your assistance, you have been most helpful!
btan (Exec Consultant) commented:
Appreciate it thanks!