Hello, my name is David. I'm a Principal Engineer with Dell, and in this video, I'll be demonstrating how to configure Remote Desktop Services to use a trusted third-party certificate. Certificates can be used by several components of Remote Desktop Services, including Remote Desktop Web Access and Remote Desktop Gateway. You can use self-signed certificates with Remote Desktop Services, but since self-signed certificates are not inherently trusted, clients have to be manually configured to trust them, which just results in a lot of extra work.
In this demonstration, I'll be using the same trusted certificate for all Remote Desktop Services, but it is possible to use different certificates for different services, with one specific constraint that I'll address when we get there. To begin, we need to generate a Certificate Signing Request, or CSR. There are several ways to do this, but I'll use IIS Manager as it's fairly intuitive. With the server selected in the left pane, we go to 'Server Certificates' and double-click that, which shows any existing certificates on the server.
Right now, there's just a self-signed certificate there, so we click on 'Create Certificate Request' in the right pane and then fill out these fields. The common name becomes the certificate's subject name, so it should match the fully qualified name that clients will use to connect to the server; in this lab environment, the rest of the fields don't really matter. However, the fields are required, so I'll add some information, then click 'Next'. Here, we can choose the Cryptographic Service Provider and the bit length. I'll leave those at the default for purposes of this demonstration and just click 'Next' again. Then, I need to specify the file where the certificate request will be stored.
It's just going to be a text file, and I'm just going to store it in this 'cert' folder that I created for this purpose. I'll give it a name and click 'Finish', and the request has now been created. I'll go check the directory and make sure it's there. If I open the certificate request, you can see that's what it looks like. That's just a standard certificate request. At this point, I need to submit the request to the Certification Authority or CA. The procedure for doing that differs according to the CA. In this case, I need to copy the contents of the request file into a particular field. Some CAs may have you upload the text file itself.
I'm not going to demonstrate the procedure of submitting the request and receiving the certificate since it differs so much. Instead, we'll just skip ahead a bit. The certificate has now been issued, and I've downloaded it into that same folder. It's a CER file, which is one of the common extensions for certificate files, but I can't use a CER file with RDS. It requires a PFX file. If I look at the file itself, we can see information about the certificate and about the CA that issued it. Notably, there's nothing here about the private key, because the certificate has not yet been associated with its private key, which was generated on this server along with the request.
We need to bind it to the private key before we can use it for RDS. To do that, we go back to IIS Manager and click 'Complete Certificate Request'. Then, we choose the certificate file, give it a friendly name (I'll use the certificate subject name), and specify the certificate store where it should be kept. Click 'OK', and we can see that it now shows up in the list of server certificates. If we look at the properties of the certificate, you see a note down there that says we do have a private key that corresponds to this certificate, so it has been bound to its private key now, and it can be used by RDS. First, we need to export it. To do that, from this same console, we click 'Export', give it a file name, and it's going to be, as you can see, a PFX file.
Now, just save it in the same folder, and we have to assign a password to the private key. This is for protection of the key. Click 'OK' there, and if I go back to the folder, you'll now see that there's a PFX file in there, and that is the file that we can import into RDS. To do that, we go to the 'Remote Desktop Services' section of Server Manager and then to 'Deployment Properties'. In the 'Deployment Properties' window, there's a 'Certificates' section, and at the moment, it's configured to use a self-signed certificate for all four of these role services.
As I mentioned, you can use a different certificate for each service, but I'm going to use the same one for all four. To do that, we select one of the role services and then click the button labeled 'Select Existing Certificate', then select 'Choose a Different Certificate', click the 'Browse' button, and browse to the PFX file. Open that, specify the password that we set on that file, and then click the box that says 'Allow the Certificates to be Added' and click 'OK'. You have to do this same procedure for each role service. You have to click 'Apply' after you've done each one and then wait a minute for it to apply the certificate. Unfortunately, you can't do all four at once, so this part of the procedure gets a little tedious.
I will skip ahead just so you don't have to watch me do the same thing four times in a row. I do want to note the warning that appears here saying that you should use the same certificate for Remote Desktop Gateway and Remote Desktop Web Access. That's a best practice from Microsoft. Now, I've configured all four role services to use that certificate. You can see the state shows 'Success' for all of them and that the trust level shows 'Trusted'. So, we click 'OK' to finalize that, and now we'll test this from a different machine.
I'll do a very simple test. I'll launch a web browser and browse to the Remote Desktop Web Access login page, and you can see it comes up without a certificate warning. If we look at the certificate itself, you can tell that it is the certificate we just configured. The common name matches, the CA name matches, and the issue date and the expiry date match.
So, this has been how to configure Remote Desktop Services to use a trusted third-party certificate. I hope it's been useful. Once again, my name is David. I'm a Principal Engineer with Dell, and thank you for watching.
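The same workflow, scripted in PowerShell, as an added example that is not part of the video: it generates the request with a Subject Alternative Name (what modern clients actually match against, in addition to the common name), binds the issued certificate to its key, exports the PFX, applies it to all four role services one at a time as the GUI does, and then checks from a client what certificate is actually presented on the Web Access port. The deployment name `rds.example.com`, the Connection Broker `rdcb.example.com`, the `C:\cert` working folder and the CA submission step are assumptions; the CA step still has to be done by hand because it differs per CA.

```powershell
# Added example, not from the video. Assumed names (not in the original):
# deployment FQDN rds.example.com, Connection Broker rdcb.example.com, working folder C:\cert.
$Fqdn        = 'rds.example.com'
$Broker      = 'rdcb.example.com'
$WorkDir     = 'C:\cert'
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the exported private key'

# 1. Build the CSR with certreq. The key stays in the machine store and is marked exportable
#    so it can later be packaged into the PFX that Deployment Properties requires.
#    Clients compare the name they connect to against the SAN, so the FQDN goes in 2.5.29.17 too.
$inf = @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = TRUE
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}dns=$Fqdn"
"@
Set-Content -Path "$WorkDir\$Fqdn.inf" -Value $inf
certreq.exe -new "$WorkDir\$Fqdn.inf" "$WorkDir\$Fqdn.req"

# 2. Submit $WorkDir\$Fqdn.req to the CA by whatever means it offers (not scripted here),
#    save the issued certificate as $WorkDir\$Fqdn.cer, then bind it to the pending key.
certreq.exe -accept "$WorkDir\$Fqdn.cer"

# 3. Find the newest certificate for this subject, confirm the key is attached, export the PFX.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$Fqdn in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; the request must be completed on the machine that generated it"
}
Export-PfxCertificate -Cert $cert -FilePath "$WorkDir\$Fqdn.pfx" -Password $PfxPassword | Out-Null

# 4. Apply the PFX to each role service. Set-RDCertificate takes one role per call,
#    which is the same one-at-a-time constraint the GUI imposes.
Import-Module RemoteDesktop
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDRedirector', 'RDPublishing') {
    Set-RDCertificate -Role $role -ImportPath "$WorkDir\$Fqdn.pfx" -Password $PfxPassword `
        -ConnectionBroker $Broker -Force
}
Get-RDCertificate -ConnectionBroker $Broker   # expect Level = Trusted for all four roles

# 5. Run this part from a different machine: open a TLS session to the Web Access port and let
#    the default validation decide. AuthenticateAsClient throws if the chain is untrusted or the
#    name does not match, which is exactly what would produce the browser warning in the video.
function Test-RdsCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject  = $remote.Subject
            Issuer   = $remote.Issuer
            NotAfter = $remote.NotAfter
            Thumbprint = $remote.Thumbprint
            Trusted  = $true
        }
        $ssl.Dispose()
    } catch [System.Security.Authentication.AuthenticationException] {
        [pscustomobject]@{ Subject = $null; Issuer = $null; NotAfter = $null; Thumbprint = $null; Trusted = $false; Error = $_.Exception.Message }
    } finally {
        $tcp.Dispose()
    }
}
Test-RdsCertificate -HostName $Fqdn
```

Compare the Thumbprint returned by `Test-RdsCertificate` with `$cert.Thumbprint` on the server: matching thumbprints, a `Trusted` value of `$true` and a `Level` of `Trusted` from `Get-RDCertificate` are the scripted equivalent of the three things checked at the end of the video (matching common name, matching CA, matching validity dates). If the gateway and Web Access roles are later given different certificates, the same function can be pointed at the gateway name on port 443 to see which one clients are actually offered.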