Configuring certificates for remote desktop services

I am quite confused about how to set up and configure certificates for my RDC farm. I have read several TechNet articles and they still don't make sense to me, so if you do send me any TechNet articles, please help by explaining what I need to do, because I am pulling my hair out.

1. Am I correct in saying that on the Remote Desktop Gateway server I need to configure an SSL certificate, and on the Remote Connection Broker server I need to create a server authentication certificate using AD Certificate Services?
2. After installing AD Certificate Services on the Remote Connection Broker server, I am prompted that it needs to be configured before it can be used.
* Should I choose an enterprise or a standalone CA?
* Should I choose a root or a subordinate CA?
David Johnson, CD, MVP (Owner) commented:
Enterprise root (in a virtual machine and turned off 99.99% of the time) and a subordinate CA.
btan (Exec Consultant) commented:
1. Yes, you need the SSL certificate for the RD Gateway and the Connection Broker. In fact, SSL certificates are also required for the RD Web Access server and the RD Session Host.

You can get those certs from either
a) your own CA (which you need to set up if one is not available in your case) for the RD Gateway server and Session Host servers. The FQDN used for the certificate subject name can then be internally accessible and resolvable only (not on the Internet). However, if you do not even have a CA, it can be a hassle to manage the PKI aspects of a full CA setup (and for the questions you asked: an Enterprise CA is preferred and should be used for all domain RDS servers so that you can auto-enroll the certificates, as stated in TechNet (link)).
b) a public third-party CA (e.g. GoDaddy, DigiCert, etc.) with one single SSL certificate that covers the RD Gateway and RD Web Access URLs and all Session Host servers. This is more for publicly accessible and resolvable FQDNs, or to avoid the hassle of a CA setup.

(Otherwise, if the above two options are still a "hassle", you can still create a self-signed certificate by using the Add Roles Wizard during installation of the Remote Desktop Gateway role service, or by using Remote Desktop Gateway Manager after installation.)

Not to complicate the discussion, but if you intend to keep separate FQDNs for RD Web Access and the Gateway, then a single certificate that uses Subject Alternative Names can hold these FQDNs. Otherwise you need a separate certificate unique to each of RD Web Access and the Gateway.

The Fig 10 and 11 diagrams may help to visualise the use of the certs and their FQDNs -
DonKwizote (Author) commented:
Many thanks, Btan.
I remember reading something similar to what you posted.
I have one server running the RD Gateway, Connection Broker and Web Access, and another virtual host server running the virtual desktops. This environment is just for testing, so for now an internally-resolvable FQDN will be fine. So is it ONLY an SSL certificate that I need on the RD Gateway, Connection Broker, Web Access, and the virtual host server running the virtual desktops? Or do I need any other certificates? I read something about a server authentication certificate.

Eventually, I would need a third-party certificate so that my servers can be accessed externally. Is this a straightforward thing to do?
btan (Exec Consultant) commented:
Then go for self-signed, rather than going into the CA PKI, to make sure the functionality is alright. You will not need a third-party CA cert for self-signed... for instance, in the Gateway, using the steps in
The rest of the servers can use the same one if the subject name of the certificate is a wildcard (*) or the names have been listed in the SAN of the certificate... The key is that the test client reaches your server via a URL that matches the FQDN in the self-signed cert.

Otherwise, the other way, via an internal MS CA, is in
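The two certificate sources btan describes (a cert enrolled from your own Enterprise CA, or a self-signed cert whose SAN covers every RDS name) end up bound to the deployment roles the same way. The script below is an added example, not code from the thread or from Microsoft; it assumes Windows Server 2016 or later with the RemoteDesktop and PKI modules, run elevated on the Connection Broker. The FQDNs, the template name `WebServer` (which must be published by your CA and must allow private-key export, since `Set-RDCertificate` imports a PFX) and the file path are placeholders to replace with your own.

```powershell
# Added example (not from the original thread). Run elevated on the
# Connection Broker. All names, the template and the path are assumptions.
param(
    [ValidateSet('SelfSigned', 'EnterpriseCA')]
    [string]$Source = 'SelfSigned',
    [string]$ConnectionBroker = 'rds01.corp.example',                   # assumption
    [string[]]$DnsNames = @('rdgw.corp.example', 'rdweb.corp.example',
                            'rds01.corp.example'),                      # assumption: every name a client types
    [string]$Template = 'WebServer',   # assumption: template your enterprise CA publishes, key exportable
    [string]$PfxPath = 'C:\certs\rds.pfx'
)
Import-Module RemoteDesktop
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

switch ($Source) {
    'SelfSigned' {
        # Lab option from the thread: one self-signed cert whose SAN lists every
        # RDS name. It is trusted only after its .cer is imported into the
        # Trusted Root store of every server and client.
        $cert = New-SelfSignedCertificate -DnsName $DnsNames `
            -CertStoreLocation 'Cert:\LocalMachine\My' `
            -KeyExportPolicy Exportable -FriendlyName 'RDS lab self-signed'
    }
    'EnterpriseCA' {
        # Enterprise CA option: a domain-joined server discovers the CA through
        # AD, and the issued cert is already trusted by every domain machine.
        $req = Get-Certificate -Template $Template -DnsName $DnsNames `
            -SubjectName "CN=$($DnsNames[0])" `
            -CertStoreLocation 'Cert:\LocalMachine\My'
        if ($req.Status -ne 'Issued') { throw "Enrollment not issued: $($req.Status)" }
        $cert = $req.Certificate
    }
}

# Set-RDCertificate consumes a PFX, so export the cert together with its key.
New-Item -ItemType Directory -Force -Path (Split-Path $PfxPath) | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# Bind the same certificate to all four deployment roles: Gateway, Web Access,
# and the two Connection Broker roles (Redirector and Publishing).
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDRedirector', 'RDPublishing') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $pfxPassword `
        -ConnectionBroker $ConnectionBroker -Force
}

# Level shows "Trusted" only when the issuing root is in the broker's
# Trusted Root store; a fresh self-signed cert shows "Untrusted" until then.
Get-RDCertificate -ConnectionBroker $ConnectionBroker |
    Format-Table Role, Level, Subject, ExpiresOn -AutoSize
```

Run it as `.\Set-RdsCert.ps1 -Source SelfSigned` for the lab, or `-Source EnterpriseCA` once the CA exists. The SAN list is what lets one certificate serve the Gateway, Web Access and Broker names at once; if you later buy a public certificate, the same `Set-RDCertificate` loop binds that PFX unchanged.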
DonKwizote (Author) commented:
Btan, thanks for replying. I am getting closer now, I think. My certificates are listed as untrusted. See attachment. How do I correct this?
btan (Exec Consultant) commented:
This is because your self-signed certificate does not exist in the Trusted Root CA store of the RDS server and the client PC.
You can refer to the following steps:

1. Type MMC in the Run box on the RDS server to open the Microsoft Management Console.

2. Click File and select Add/Remove Snap-in, then select "Certificates" in the Available snap-ins area. Click Add and select "Computer account". Click Next, select Local computer (the computer this console is running on), then click Finish and OK.

3. Expand the "Certificates" tree, then Personal, then Certificates; you can see the certificates in the right-hand pane. For example, if the RDS server is named Rds2008R2 and the domain name is , you can see a certificate named in this area.

4. Right-click this certificate, select All Tasks -> Export, and export this certificate as a *.cer file.

5. Then expand Trusted Root Certification Authorities, right-click Certificates, select All Tasks -> Import, and import this certificate into that store.

6. Import this self-signed certificate into the client PC the same way.

Then open IE on the client PC and type the full URL, which must match the certificate name. The error message will go away on its own.
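The MMC steps above, done from PowerShell so they can be repeated on each server and client, as an added example that is not part of the original thread. It assumes the self-signed certificate was created on this server with the Gateway FQDN in its SAN; the FQDN and the output path are placeholders. Export runs on the RDS server; the import and check run on the server and then on every client with the copied `.cer` file.

```powershell
# Added example (not from the original thread). Requires an elevated prompt.
$gatewayFqdn = 'rdgw.corp.example'          # assumption: a name in the self-signed cert's SAN
$cerPath     = 'C:\certs\rds-selfsigned.cer'  # assumption: export location

# Steps 3-4: find the self-signed cert (subject equals issuer) that carries the
# Gateway name, and export only the public certificate as DER (.cer).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.DnsNameList.Unicode -contains $gatewayFqdn } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No self-signed certificate for $gatewayFqdn in LocalMachine\My" }
New-Item -ItemType Directory -Force -Path (Split-Path $cerPath) | Out-Null
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Steps 5-6: put the public cert into Trusted Root Certification Authorities.
# On a client, copy the .cer over and run only this line (plus the check).
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Check: Test-Certificate builds and validates the chain under the SSL policy.
# A self-signed cert passes only after it sits in the Root store, and -DNSName
# enforces the name match the thread insists on (URL must equal the cert name).
$trusted = Test-Certificate -Cert $cert -Policy SSL -DNSName $gatewayFqdn -ErrorAction SilentlyContinue
"Chain valid for $gatewayFqdn : $trusted"
```

Importing into `Cert:\LocalMachine\Root` makes the server trust the certificate for every account on that machine, which is what the RD deployment needs; importing into `Cert:\CurrentUser\Root` instead would only silence the prompt for the one user who ran the command. Run `Test-Certificate` again on a client after the import: if it returns `False` there, the client is either missing the `.cer` or is reaching the server by a name that is not in the certificate.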
btan (Exec Consultant) commented:
Eventually, if you start to have external access, it is back to having your own CA PKI or a third party, as shared earlier and also mentioned again:
You need to purchase a certificate from a public CA (trusted authority) for working with RDWeb and also for the external network. The easiest way to get a certificate, if you control the client machines that will be connecting, is to use Active Directory Certificate Services. You can request and deploy your own certificates and they will be trusted by every machine in the domain. If you're going to allow users to connect externally and they will not be part of your domain, you would need to deploy certificates from a public CA.

Regardless, for now, in trial internal testing, I see self-signed as good enough.
DonKwizote (Author) commented:
Thanks so much! Things seem a lot clearer now. I will apply those changes and let you know the result.
DonKwizote (Author) commented:
Hi Btan,
Just wanted to say a big thanks for all the information you provided. Like you said, I had to import the self-signed certificate onto the client. I take it the clients will be prompted to install the certificate themselves when I use a third-party CA for external access?
btan (Exec Consultant) commented:
No worries, we learn from one another.
So if a third-party CA for external access is required, then yes, the client root cert store needs to have that root; otherwise the untrusted-certificate warning from the browser will show, for any SSL site. It is not just RDS; any other site like this will experience it.
Nevertheless, there is already an existing root cert store installed by default in the Windows OS. So if the third party's root is already part of that, then there is no prompt, and pretty much everyone will already have it installed.
So do ask the third party about importing their root cert; the corresponding bundled chained cert also needs to be installed as an intermediate, otherwise the prompt will still be seen.
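The two chain failures btan warns about (a root the client does not trust, and an intermediate that the gateway does not serve) are visible from a client before anyone opens a browser. The function below is an added example, not from the thread; it opens a TLS connection to the gateway's HTTPS port, records the chain and status flags that Windows builds from what the server sent, and reports them. The target name is an assumption. The validation callback returns `$true` only so the handshake completes for inspection; that pattern must never be used in real client code.

```powershell
# Added example (not from the original thread). Probes the chain a gateway serves.
function Test-RdsGatewayChain {
    param(
        [Parameter(Mandatory)][string]$HostName,   # e.g. 'rdgw.corp.example' (assumption)
        [int]$Port = 443                            # RD Gateway / RD Web Access HTTPS port
    )
    # Hashtable captured by the closure so the callback can hand results back.
    $state = @{ PolicyErrors = $null; Chain = @(); Status = @() }
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        # Chain elements as Windows assembled them: leaf first, then whatever
        # intermediates were served or found locally, then the root if reachable.
        $state.Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $state.Status = @($chain.ChainStatus  | ForEach-Object { $_.Status.ToString() })
        return $true   # accept for inspection only; NOT how a client should validate
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]$callback)
        # Sends SNI = $HostName, as a browser or the RD client would.
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $client.Close() }

    [pscustomobject]@{
        Host                = "$HostName`:$Port"
        LeafSubject         = $leaf.Subject
        LeafSans            = ($leaf.DnsNameList.Unicode -join ', ')
        PolicyErrors        = $state.PolicyErrors.ToString()
        ChainStatus         = ($state.Status -join ', ')
        ServedChain         = $state.Chain
        # UntrustedRoot: the issuing root is not in this client's Trusted Root store.
        UntrustedRoot       = ($state.Status -contains 'UntrustedRoot')
        # PartialChain: an intermediate is missing from the server's bundle and
        # could not be found locally or fetched, exactly the case btan describes.
        MissingIntermediate = ($state.Status -contains 'PartialChain')
    }
}

# Usage: Test-RdsGatewayChain -HostName 'rdgw.corp.example' | Format-List
```

Run it from a machine outside the domain to see what an external user will hit. `UntrustedRoot` with a public CA means the client's root store is out of date (or a private CA is still in use); `MissingIntermediate` means the PFX bound with `Set-RDCertificate` did not include the CA's bundled intermediate, so install that intermediate on the gateway and re-test. A `RemoteCertificateNameMismatch` policy error means the name you connected with is not in `LeafSans`, the same URL-must-match-the-cert rule that applied to the self-signed lab setup.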

DonKwizote (Author) commented:
Many, many thanks!