Windows Server: How to Use Trusted Certificates with Remote Desktop Services

Several components of RDS can use certificates to provide secure communications. Self-signed certificates can be used, but they must be manually installed on clients in order to be trusted. Certificates issued by a trusted CA are automatically trusted by clients, but configuring RDS to use these certificates is not straightforward for two reasons:

• There is no integrated mechanism within RDS for creating a certificate signing request (CSR).
• A certificate received from a CA must be bound to its private key before RDS can use it.

This article shows how to generate a CSR, use the issued certificate to complete the CSR, and configure RDS to use the certificate.

Generate the CSR and submit it to the CA.

1. Launch Internet Information Services (IIS) Manager from the Tools menu of Server Manager.
2. Select the server in the left pane and double-click Server Certificates in the middle pane.
3. In the Actions menu, select Create Certificate Request.
   
   Figure 1: Click Create Certificate Request to begin the process of creating a CSR.
4. Provide the requested information to the CSR wizard.
5. Specify a filename and path for the CSR and click Finish.
    
   Figure 2: Specify a file name and path for the certificate request.
6. Submit the CSR to the CA. The procedure for doing so cannot be documented here, as it depends on the CA.

Download the certificate, complete the CSR, and export it.

1. Download the certificate issued by the CA in response to the CSR.
2. Launch IIS Manager and return to the Server Certificates section.
3. Click Complete Certificate Request.
   
   Figure 3: Click Complete Certificate Request to complete the CSR using the certificate issued by the CA.
4. Provide the path and filename of the certificate, its friendly name, and the certificate store where it should be stored. The friendly name can be anything you want, and the Personal store is preferred. Click OK. This associates the certificate with the private key that was created alongside the CSR.
    
   Figure 4: Specify the path to the certificate, its friendly name, and a certificate store.
5. Double-click the certificate. Confirm the presence of a corresponding private key and click OK.
    
   Figure 5: The properties of the certificate, indicating the presence of its private key
6. With the certificate selected, click Export.
   
   Figure 6: Click Export to export the certificate and its private key. 
7. Provide a filename and path for the exported certificate. Specify a password and confirm it, then click OK.
    
   Figure 7: Provide the filename, path, and password of the exported certificate.

Configure RDS to use the certificate.

1. In the Remote Desktop Services section of Server Manager, select Edit Deployment Properties.
    
   Figure 8: Click Edit Deployment Properties to configure certificate usage in RDS.
2. In the properties window, select Certificates.
3. Perform the following steps for each role service:
   1. Select the role service and click Select existing certificate.
      
      Figure 9: Click Select existing certificate to specify a certificate for each role service.  
   2. With Choose a different certificate selected, provide the path to the exported certificate and its password.
      Select Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers.
       
      Figure 10: Specify the path and password of the certificate to the used, then check the Allow the certificate… box.
   3. Click OK.
   4. Click Apply.
4. Confirm that the Level column shows a status of Trusted for each role service and click OK.
    
   Figure 11: The certificates used by all RDS role services are now trusted.

Refer to this video: