RDS 2012 RDSH Certificate deployment script

Over the last couple of months i have been asked a number of questions with regards to certificate warnings relating to the session host server. To simplify the process of deploying/replacing the default RDP certificate on the Session host, i have written a PowerShell Script that takes care of the installation of a trusted certificate.

This script prompts for the following Inputs:

  • The location of the PFX Certificate ( I recommend you use a local Path)
  • The Certificate Password
  • The Certificate Thumbprint ( you can copy & paste this during the process of running the script)

Follow the steps and the requested inputs from the script and you should not go wrong.

Questions and feedback is welcome

Download the Script Here



14 thoughts on “RDS 2012 RDSH Certificate deployment script

Add yours

    1. Nicholas/Ryan,

      So if I have rds.local (intranet) and rds.domain.com (internet). I could tell all my pc to use the external cert generated by third party CA? Do need to change any of the certificates settings in RDS – Configure the deployment – Manage certificates or should I leave all the Role Services as the local signed certificate?

  1. Hi Fred,

    From the sounds of things, you are accessing RDS Externally as well as internally so you will be using both .com/.local

    The issue you will face is that RDS uses the certificates to authenticate with Clients….. this means if you have .com certificates for your servers then when .local users log on you will get certificate errors and warnings.

    There are a number of ways around this but it does require some work. If you have configured everything to use a .local certificate then a easy fix would be to use a VPN to connect to RDS.

    you can make changes to DNS like a split brain DNS meaning you have both internal and external DNS records held on your Domain Controllers. This would mean that you will need to double handle every company public IP address as in enter it into your internal DNS.

    There is a lot of food for though here, i would start with confirming what you want to achieve and then we can go from there.

    Best regards,

  2. in addition to my previous comments, if you don’t mind the certificate warnings, don’t change the Session host RDP certificates. If you make the change from the default, when DNS names don’t match authentication will fail, meaning that you will not be able to access the session hosts.

  3. When using a RDS HA Farm, do my Session host certificates need to be from a third party CA? I have an internal certificate authority. Can I use that to issue the certificate, or does it have to be third party.

  4. I’m not sure if my previous post worked. We ran the script with success, when we restarted the RDC service, we got kicked out and could not get back in, we had to reset to the self signed SSL .local certificate to get logged in. Any ideas? we cannot use the .local certificate because it fails PCI compliance.

  5. Hello Ryan
    I have a public wildcard certificate and it’s used for external access ” *.domain.com”, but i receive a warning when connecting that the name of server broker ” SRV-Broker.domain.local” does not exist in certificate, to resolve this issue i m using another wildcard generated from CA locally.
    another warning is displayning that the “revocation check could not be performed for the certificate”
    Any suggestion to resolve this error?

    Thank you

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: