I've been noticing some announcements like this one:
That certificates to internal hostnames can no longer be issued by trusted certificate authorities past X date. This is going to pose somewhat of an annoying issue for folks with Remote Desktop farms/deployments that utilize a gateway to access the session hosts behind it.
In the case where your internal DNS domain matches your external DNS domain, this doesn't matter, but there are plenty of folks who utilize a .local on the inside, which will be part of the connection broker address in a 2012 deployment for example. If you can't get a trusted certificate with an internal hostname, is the only solution to use an internal CA? Even if you do use an internal CA, you're still going to have to manually deploy the root certificate to external machines which is a complete mess.
Am I missing something?