trinity2007
Windows 2008 R2 Certificate Authority - Generate new certificate
I'm new with working with generating certificates from a local CA server. We are running a Windows 2008 R2 Standard server, roles are this server include: Domain Controller, DHCP, DNS and Certificate Authority. I have another server: Windows 2012 Remote Desktop Services which we will be using to publish remote apps for some software in the environment, which I need to create a server authentication certificate. This will be internal facing only. I would like to use the CA server to generate a certificate as part of the requirements for RDS. I've not done this in the past and would request assistance or guidance in doing so.
Thank you,
ASKER
Very good links, I will read through these. Thank you. Another question is for the RDS setup I need to generate certificates for the RD Web Access, and the RD Connection Broker. Do I generate (or create) a new certificate right from 'configuring the deployment' for each role?
Thank you again for your assistance. I'm new to certificates and understanding them.
ASKER
We are a small company, and I have 2 RDS servers set up, with all roles except the RD Gateway. We had originally planned on setting up an HA environment, but business requirements have since changed. With this in mind, I should be able to use the single certificate for all the roles, since all clients are internal to the domain and we are just using the one RDS server, correct?
Thank you,
Yes, a wildcard cert with .LOCAL can then be an option.
Selecting which certificate to use:
Now that you have created your certificates and understand their contents, you need to configure Remote Desktop to use those certificates.
On the Connection Broker, open the Server Manager. Click Remote Desktop Services in the left navigation pane.
Click Tasks > Edit Deployment Properties.
In the Configure the deployment window, click Certificates.
Click Select existing certificates, and then browse to the location where you saved the certificate you created previously. Look for the file with the .pfx extension.
Import the certificate.
You can use a single certificate for all the roles if your clients are internal to the domain only, by generating a wildcard certificate (*.CONTOSO.local) and binding it to all roles.
Note that, even if you have multiple servers in the deployment, Server Manager will import the certificate to all servers, place the certificate in the trusted root for each server, and then bind the certificate to the respective roles.
ASKER
My next question is this: (keeping in mind I'm not a certificate expert). We have an Enterprise CA server - Windows 2008 R2 Standard, how do I generate the .pfx certificate?
If you request the cert from the server as shared in the URL I suggested you look through first, the key will already be installed in the servers. Otherwise, as you request the cert, you can click to make the key exportable and you can then get your pfx (or private keys) per se... for info - http://thewindowsadmin.com/?p=106
ASKER
I'm still struggling with creating the certificate to import onto the Windows 2012 RDS roles. On our 2008 R2 Standard Server w/CA set up, I created the Certificate Template, named it RDS-Cert with Intended Purposes of Server Authentication as indicated in the links you provided, but I can't seem to get past the point of what I need to do next. I believe I'm making this harder than it is. This is the first time working with a CA server and I apologize for my misunderstanding.
Thank you,
ASKER
I can review your notes this afternoon...thank you so much!!
ASKER
From our Enterprise CA server I followed steps 1 through 8, and added to the RD Farm servers.
Step 7: Exported key from CA server: Certificate Enrollment Requests>Certificates
Exported locally on CA server, and copied over to the RDS server
Step 8: Imported cert (that I had copied over from the CA server) into the RDS console, making sure to check 'Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers'.
Received message that it was a 'success'. However, displays as 'untrusted' in the Manage Certificates console and web site still is 'untrusted'.
When viewing the certificates on the RDS server, I see the 'Issued by' and 'Issued to' columns display the same name (the RDS server name). Shouldn't the 'Issued by' show our CA server name since that is where it should have actually been generated from? Perhaps the signing is not correct and that's why it still shows as untrusted?
Did I miss a step along the way?
Thank you again for your patience!
ASKER
Thank you, we have decided to go the wildcard cert after all. In the process of getting that set now through GoDaddy.
Sure, that may be more straightforward for a start too. Just a note besides those discussed: GD will give you a CRT or KEY instead of a PFX (private key), which needs some conversion, e.g. https://www.sslshopper.com/ssl-converter.html
Then it can be imported via the Deployment Properties section. For the others, in the trusted store etc., you can go via MMC.
ASKER
I have 2 .crt files I downloaded in a zip file from GoDaddy (downloaded as 'other'). I don't see the 'private key' file associated with either of these files. I have downloaded openssl for Win7 x64, and placed it under the C:\ drive.
I'm assuming I'll need to generate the private key file?
Thanks again.
You do not have any private key from the CRT files, please see the link on
http://stackoverflow.com/questions/14651599/certificate-issue-key-or-pfx-from-p7b-and-crt
ASKER
I believe I have it all set now. Generated a CSR, uploaded it to our CA and generated a .key file from the private key portion of the CSR. Used openssl from a Linux box to combine the .crt and .key file into a pfx file. Added the .pfx certificate into the Certificates for RDS, and installed the Intermediate cert for IIS. Reset IIS; the page finally comes up with no cert errors using either I.E., Firefox or Chrome. We even went a step further and created a DNS CNAME entry so our users can type in just a name, i.e. RemoteApp, and get redirected to the correct site.
Thank you for your patience and persistence! I certainly appreciate your assistance!!
Good to hear it all worked out w/o a 3rd party CA :)
I believe you used the below to "combine the .crt and .key file into a pfx file"
>> "openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt"
Also just for info, there is Windows openssl @ http://slproweb.com/products/Win32OpenSSL.html
Glad to have help!
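Added example, not code from this thread or from either poster: it builds a throwaway CA, issues a server cert from it, bundles key, cert and issuer into a PFX with the `openssl pkcs12 -export` command quoted above (plus `-certfile` so the issuer chain travels with it), and checks the two symptoms raised earlier in the thread, a cert whose Issuer equals its Subject being self-signed rather than CA-issued, and a PFX lacking the chain. All file and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Throwaway CA + server cert, then the PFX
# bundling and the two checks a practitioner wants before importing into RDS.
set -e
WORK=$(mktemp -d)

# Throwaway issuing CA, standing in for the Enterprise CA in the thread
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Enterprise CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Server key and CSR, signed by the CA with the Server Authentication EKU
openssl req -newkey rsa:2048 -nodes -subj "/CN=rds.contoso.local" \
    -keyout "$WORK/rds.key" -out "$WORK/rds.csr" 2>/dev/null
printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:rds.contoso.local\n' >"$WORK/ext.cnf"
openssl x509 -req -in "$WORK/rds.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -out "$WORK/rds.crt" 2>/dev/null

# A self-signed cert with the same name: what "Issued by == Issued to" looks like
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=rds.contoso.local" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null

# Exit 0 if the cert's issuer equals its subject (self-signed), 1 if CA-issued
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')" = \
      "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" ]
}

# Exit 0 if the cert chains to the given CA cert, 1 otherwise
chains_to_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# key, cert, issuer chain, output: the thread's command with the chain bundled in
make_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" -passout pass:demo
}

# Number of certificates inside a PFX; 2 here means the issuer was bundled
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:demo 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_pfx "$WORK/rds.key" "$WORK/rds.crt" "$WORK/ca.crt" "$WORK/rds.pfx"
for c in rds self; do
    is_self_signed "$WORK/$c.crt" && echo "$c.crt: self-signed" || echo "$c.crt: CA-issued"
done
echo "certificates in rds.pfx: $(pfx_cert_count "$WORK/rds.pfx")"
```

With a public CA such as the one used later in the thread, pass the downloaded intermediate bundle as the `-certfile` argument instead of the root.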
ASKER
Yes, used the command you have indicated above.
Thank you again for your assistance, you have been most helpful!
Appreciate it thanks!
- first, creating a new CA certificate template having an extended key usage to limit its use to only RD TLS sessions.
- second, configuring a GPO setting to automatically configure servers to request a certificate via this template, and eventually use that certificate for RDP TLS.
- finally, refreshing the GPO on the target server, and testing out the connection via a stand-alone computer to verify it sees the certificate deployed as planned.
Likewise, for more details you can check out the suggested links for the setup of RDS and CA as required (https://technet.microsoft.com/en-us/library/cc725949.aspx) to get the server certificate since it is internal only. Also do note the RDS use case and requirements: https://technet.microsoft.com/en-us/library/dn781533.aspx