How install SSL certificate for RDS on windows server 2016?

Finally I found solution!

  1. First of all, name of the server had to be changed by adding DNS suffix. For example, if you want to connect to the server by srv.example.com address, your server name should be "srv" and DNS suffix "example.com". It can be done in computer properties.
  2. Then setup licensing in "RD Licensing Manager"
  3. Now issue certificate to domain name srv.example.com (i.e. in Let's encrypt)
  4. Convert let's encrypt cert files into windows one via: openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem (Linux command) if you issued certificate with help of acme.sh, you command should look like: openssl pkcs12 -export -out certificate.pfx -inkey yourdomain.com.key -in yourdomain.com.cer -certfile fullchain.cer
  5. Install converted certificate to personal store at the computer level. Not at user level
  6. Then with this command display the thumbprint of the certificate, copy it to a text file or something similar: Get-ChildItem "Cert:\LocalMachine\My"
  7. This is a variable to set the WMI path to the RD Session Host RDP listener (Where the certificate needs to be changed): $PATH = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices)
  8. Finally this is the command to change the active certificate on the RDP listener: Set-WmiInstance -Path $PATH -argument @{SSLCertificateSHA1Hash="thumbprint"} The "thumbprint" above, is the value you noted earlier, just insert it between the ".
  9. Well done! Now you have RDP server with custom SSL cert without installing RD Gateway Credits

Launch certlm.msc and import the cert into the "Personal -> Certificates" store. After it's installed, launch Server Manger and select the Remote Desktop role icon on the left. click the "Tasks" dropdown in the "Deployment Overview" section, then click "Edit Deployment Properties" in the context menu that appears. You'll be able to assign the certificate you imported to roles by clicking the "Select existing certificate" button.

You should still configure the certificate settings whether or not you have the Gateway role installed.

Tags:

Windows

Ssl

Windows Server 2012 R2

Windows Server 2016

Remote Desktop Services

Related

How to set up a persistent TCP gender-changer proxy? Does it makes sense from a security perspective to remove the Server HTTP header? Is it possible to populate an S3 bucket through a CloudFormation template? Why do my SSD read latency benchmarks get markedly worse when I put an XFS filesystem on top? ESXi - Multiple Separate Concurrent Uplinks on vSwitch? How can I chown a file to a subuid without sudo DMARC and DKIM alignment with multiple DKIM signatures Is there a way to automatically add network interfaces to systemd-networkd and/or netplan? Why does postfix say 'Helo command rejected: Host not found' when dig finds the host? Why a pod can't connect to another network? (In the new version of Kubernetes) No space left on device even after adding a Persistence Storage on gcloud QSFP28 - is there something like a crossover cable?

Recent Posts