setup secured connection in my Windows 2012 RDS environment

nav2567
nav2567 used Ask the Experts™
on
I need to setup secured connection for my Windows 2012 RDS environment.

If I do not use a wild card cert, is it possible to create a CSR that includes the host name of my RDS component servers?  So, I can add that to the RD Connection Broker - Enable Single Sign On and Publishing role service on my broker server.

If yes, please instruct how.  Thanks.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Adam BrownSenior Systems Admin
Top Expert 2010

Commented:
Yes, it's possible. You have to use the certificates MMC snap-in to do it, though. https://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx has instructions under the section "To use the Certificate Enrollment wizard with a standalone CA"

Author

Commented:
Thanks.

According to the instruction, under Certificate Properties>Subject Name>Type>Common Name>VALUE, do I need to Add all FQDN of my farm servers?  

mybroker.mydomain.com
myrdsh1.mydomain.com
myrdsh2.mydomain.com???

Do I need to specify any Alternative Name?

In the farm, I also have a web server (mywebserver.mydomain.com) which hosts a client website rdweb.mydomain.com.  

Do I enter the rdweb.mydomain.com and mywebserver.mydomain.com in the Common Name>Value also?

I do not plan to use the RD Gateway as the rdweb site is only used internally.

Author

Commented:
Also, besides using certreq, is there another gui way to complete the certificate enrollment?
Senior Systems Admin
Top Expert 2010
Commented:
The certificates snapin is the only way if IIS is not installed. If IIS is installed, you can build a certificate request in there, but it doesn't let you build SAN certs.

The Common Name is going to be just one of the names you use to access the server with. You will add the rest of the names as Alternate names. SAN stands for Subject Alternate Name in this context. So, for example, you could use rdweb.mydomain.com as the Common name (or the farm name as the common name, up to you), then add the remaining FQDNs as Alternate names. It doesn't matter which name you use for the Common name, as long as all the FQDNs you use are listed as either the Common name or an Alternate Name.

Author

Commented:
Adam, thanks!!!

Besides using certreq, is there another gui way to complete the certificate enrollment?

If no, would you help me out with the command parameters I will need once I have the mycert.crt and mycert.p7b (intermediate cert) from a 3rd party cA?

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial