Over the last couple of months I have been asked a number of questions about certificate warnings relating to the Session Host server. To simplify the process of deploying or replacing the default RDP certificate on the Session Host, I have written a PowerShell script that takes care of installing a trusted certificate and binding it to the RDP listener.
This script prompts for the following inputs:
- The location of the PFX certificate (I recommend you use a local path)
- The certificate password
- The certificate thumbprint (you can copy and paste this while the script is running)
Follow the steps and supply the requested inputs and you should not go wrong.
Questions and feedback are welcome.
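The post does not include the script itself, so the following is an added example of the same procedure, written here and not the author's script: import the PFX into the machine's Personal store, check the certificate before touching the listener, and bind its thumbprint to the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class. The parameter names are assumptions; the thumbprint is taken from the imported certificate rather than pasted in, which avoids the hidden characters that often come along when a thumbprint is copied from the certificate MMC.

```powershell
# Added example (not the author's script): install a PFX and bind it to the RDP-Tcp listener.
# Run in an elevated PowerShell on the Session Host (Windows Server 2012 or later for
# Import-PfxCertificate). Parameter names below are assumptions for this example.
param(
    [Parameter(Mandatory)][string]$PfxPath,                          # local path to the .pfx
    [Parameter(Mandatory)][System.Security.SecureString]$PfxPassword, # PFX password
    # The name clients type into the RDP client; defaults to this host's FQDN.
    [string]$ExpectedDnsName = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
)

# 1. Import the certificate (with its private key) into the machine's Personal store.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
$thumbprint = $cert.Thumbprint

# 2. Sanity checks before changing the listener. A mismatch between the name clients
#    connect to and the certificate makes RDP authentication fail, which can lock you
#    out of the Session Host, so refuse to continue rather than bind a wrong certificate.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint was imported without a private key"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $thumbprint expired on $($cert.NotAfter)"
}
# DnsNameList covers the Subject CN and any Subject Alternative Names; a wildcard
# entry such as *.domain.com is matched with PowerShell's -like operator.
$nameOk = $cert.DnsNameList.Unicode | Where-Object { $ExpectedDnsName -like $_ }
if (-not $nameOk) {
    throw "Certificate names ($($cert.DnsNameList.Unicode -join ', ')) do not cover $ExpectedDnsName"
}

# 3. Bind the thumbprint to the RDP-Tcp listener. This is the same setting the
#    Remote Desktop Session Host Configuration UI writes.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $listener.__PATH -Argument @{ SSLCertificateSHA1Hash = $thumbprint } | Out-Null

# 4. Read the setting back and confirm the listener now reports the new certificate.
$applied = (Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($applied -ne $thumbprint) {
    throw "Listener still reports certificate $applied"
}
Write-Host "RDP-Tcp now uses certificate $thumbprint ($($cert.Subject)), valid until $($cert.NotAfter)"
```

Usage: `.\Set-RdpCertificate.ps1 -PfxPath C:\certs\rds.pfx -PfxPassword (Read-Host -AsSecureString 'PFX password')`. New connections pick up the certificate immediately; existing sessions are not affected. If clients still see a warning after the change, the usual causes are that the Remote Desktop service account (NETWORK SERVICE) has no read access to the new private key, or that the certificate chain or CRL is not reachable from the client, which is a separate problem from the listener binding done here.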
Thanks for the script 🙂 You can also force servers to automatically retrieve a CA-signed certificate from a domain integrated CA based on a certain template through a group policy. See section “Use Trusted Certificates for RDP” in http://www.sepago.de/d/nicholas/2013/12/13/useful-features-in-remote-desktop-services-for-cloud-based-labs
Best regards,
Nicholas
Nice, thanks for the heads up 🙂 Really interesting.
Nicholas/Ryan,
So if I have rds.local (intranet) and rds.domain.com (internet). I could tell all my pc to use the external cert generated by third party CA? Do need to change any of the certificates settings in RDS – Configure the deployment – Manage certificates or should I leave all the Role Services as the local signed certificate?
Hi Fred,
From the sounds of things, you are accessing RDS Externally as well as internally so you will be using both .com/.local
The issue you will face is that RDS uses the certificates to authenticate with Clients….. this means if you have .com certificates for your servers then when .local users log on you will get certificate errors and warnings.
There are a number of ways around this, but it does require some work. If you have configured everything to use a .local certificate then an easy fix would be to use a VPN to connect to RDS.
You can make changes to DNS, like a split-brain DNS, meaning you have both internal and external DNS records held on your Domain Controllers. This would mean that you will need to double handle every company public IP address, as in enter it into your internal DNS.
There is a lot of food for thought here; I would start with confirming what you want to achieve and then we can go from there.
Best regards,
In addition to my previous comments, if you don’t mind the certificate warnings, don’t change the Session Host RDP certificates. If you make the change from the default, when DNS names don’t match, authentication will fail, meaning that you will not be able to access the session hosts.
When using a RDS HA Farm, do my Session host certificates need to be from a third party CA? I have an internal certificate authority. Can I use that to issue the certificate, or does it have to be third party.
I’m not sure if my previous post worked. We ran the script with success; when we restarted the RDC service, we got kicked out and could not get back in. We had to reset to the self-signed SSL .local certificate to get logged in. Any ideas? We cannot use the .local certificate because it fails PCI compliance.
It sounds like a certificate mismatch?
Hello Ryan
I have a public wildcard certificate and it’s used for external access “*.domain.com”, but I receive a warning when connecting that the name of the server broker “SRV-Broker.domain.local” does not exist in the certificate. To resolve this issue I’m using another wildcard generated from the local CA.
Another warning is displaying that the “revocation check could not be performed for the certificate”.
Any suggestion to resolve this error?
Thank you
The issue is that your .local is different to your internal. TP has created a tool that can resolve this. You can find it here: https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
Very helpful. Thanks for taking the time to write this.