Install a Remote Desktop Services SSL Certificate
Understanding how to install an SSL certificate from an Enterprise Certificate Authority (CA) for Remote Desktop Services seems to be a challenge. More often than not, a server running Remote Desktop Services (formerly Terminal Services) does not have IIS installed, so the familiar IIS certificate request wizard is not available and generating the request is a little more challenging.
After much reading and research we have found the quickest and easiest way to request and install an SSL certificate from an Enterprise CA. Using the certreq.exe command from the command line of Windows Server 2008 or Windows Server 2008 R2, we generate the certificate request and write it out as a "CSR" file, which you then upload to your certificate authority's website or simply copy and paste the contents. Once the CA has returned the new certificate, we accept and import it, ready to select within Remote Desktop Session Host Configuration. Believe it or not, this takes no more than 5 minutes, excluding the time your CA needs to process the request.
Step 1: Create a request.inf file
Open your favourite text editor and enter the contents shown below. Edit the Subject line to suit your certificate. Pay particular attention to the following attributes in the "Subject" line:
- CN – the FQDN (fully qualified domain name) of the server. It must be the exact name users type into the Remote Desktop client, otherwise mstsc warns that the server name does not match the certificate. This is usually the public DNS name, but in some cases it may be the internal DNS name, depending on your network design
- O – your Organization name, normally your company name. OU (Organizational Unit) is optional and names a department within the organization
- C – the two-letter ISO 3166 country code for your organization (for example US, GB or AU)
Your certificate authority may require other attributes in the request (public CAs now also require the server name in a Subject Alternative Name extension, not only in the CN), so check their request requirements before submitting.
Contents to include in your request.inf file:
;---------------- request.inf ----------------
; Change to your country code, company name and common name
[NewRequest]
Subject = "C=US, O=Example Co, CN=something.example.com"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication (id-kp-serverAuth)
This request.inf file meets Comodo's certificate request requirements and should be suitable for most certificate authorities, but once again it is best to check their individual requirements. The [NewRequest] and [EnhancedKeyUsageExtension] section headers are required; certreq rejects the file without them. Note that Exportable = TRUE allows the private key to be exported from the certificate store later, which means anyone who gains administrator access to the server can take a copy of it. Set it to FALSE unless you genuinely need to move the key to another host.
Once you have entered this into your text editor and updated the relevant values to suit your requirements, save the file in a convenient location that is easy to reach from the Windows command prompt. Save it as "request.inf". For this example we save the file in the root of the server's C: drive (i.e. C:\request.inf).
Step 2: Generate the Certificate Request
Now we are onto the quick and easy stuff. Open an elevated command prompt (the private key is created in the Local Computer certificate store, which requires administrator rights) either from the start menu or by running "cmd", change to C:\, and run the following command:
certreq -new request.inf request.csr
This generates a certificate request in PKCS #10 format and saves it in the root of the C: drive as "request.csr", while the matching private key stays in the Local Computer store on this server. Now request your SSL certificate from your CA using either this file or its Base64-encoded contents (the text between the BEGIN and END lines; it is encoded, not encrypted, and contains only the public key and subject).
Step 3: Installing the Certificate
Once you have received your certificate from your CA, save the CER file into the root of the C: drive of the same server on which you generated the request; the private key only exists there, so accepting the certificate anywhere else will fail to pair it with a key. Take note of the certificate's filename, as you will need it for the following command. Once again, open an elevated command prompt and run the following command, replacing something_example_com.cer with the filename of your newly received certificate:
certreq -accept something_example_com.cer
This installs the certificate into the Local Computer Personal store in the Windows Certificate Store, where Remote Desktop Session Host Configuration can see it. To check, open the Certificates MMC snap-in for the Computer account: the certificate in Personal > Certificates should say that you have a private key that corresponds to it. If it does not, the accept was run on a different machine from the request.
Step 4: Configuring Remote Desktop Services with your new SSL Certificate
Now let’s put our new SSL certificate to use.
- Open “Remote Desktop Session Host Configuration” from “Administrative Tools”
- Double click the relevant RDP connection (normally RDP-Tcp) in the Connections section
- On the General tab, you will see the Security information and options, along with a "Select" button for choosing your SSL certificate. Click "Select"
- Select the newly imported SSL certificate and click "OK". Only certificates in the Local Computer Personal store that have a private key are listed, so if yours is missing, revisit Step 3
- Click "OK" once more to close and accept the changes in the connection properties window
Congratulations, your certificate is installed and live. The changes take effect immediately, except for currently active RDP sessions. Users need to log off and reconnect to begin using the new certificate. To confirm from a client, connect with mstsc and click the lock icon in the connection bar, which shows which certificate the server presented.
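The four steps above, collected into one PowerShell script. This is an added example, not code from the original article: it writes the same request.inf (adding a Subject Alternative Name entry, which the article's file does not include and public CAs now require), runs certreq -new and -accept with result checks, and replaces the Step 4 clicks with the WMI property the dialog sets, Win32_TSGeneralSetting.SSLCertificateSHA1Hash. The host name, organization and file names are the article's placeholders; the function names, the -Phase and -RequireTls switches and the SecurityLayer hardening are this example's own assumptions.

```powershell
<#
 Added example (not from the original article). Run in an elevated PowerShell
 on the RD Session Host itself: first with -Phase Request, then, once the CA has
 returned the .cer file, with -Phase Install. The private key lives in the Local
 Computer store (MachineKeySet), so both phases must run on the same server.
#>
param([ValidateSet('Request', 'Install')][string]$Phase = 'Request')

$Fqdn     = 'something.example.com'          # article's placeholder name
$Org      = 'Example Co'
$Country  = 'US'
$InfPath  = 'C:\request.inf'
$CsrPath  = 'C:\request.csr'
$CerPath  = 'C:\something_example_com.cer'   # the file the CA sends back
$Listener = 'RDP-Tcp'

function New-RdsCertRequest {
    param([string]$Fqdn, [string]$Org, [string]$Country,
          [string]$InfPath, [string]$CsrPath,
          [switch]$Exportable)   # default FALSE: the key cannot be lifted off the server
    $exp = if ($Exportable) { 'TRUE' } else { 'FALSE' }
    # Same settings as the article's request.inf, plus an [Extensions] section
    # that puts the name into subjectAltName (OID 2.5.29.17) as well as the CN.
    $inf = @"
[NewRequest]
Subject = "C=$Country, O=$Org, CN=$Fqdn"
KeySpec = 1
KeyLength = 2048
Exportable = $exp
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@
    Set-Content -Path $InfPath -Value $inf -Encoding ASCII
    & certreq.exe -new $InfPath $CsrPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    # Sanity check before sending it off: the CN and SAN must be what you expect.
    & certutil.exe -dump $CsrPath | Select-String 'CN=|DNS Name='
}

function Install-RdsCert {
    param([string]$CerPath, [string]$Fqdn)
    # Pairs the issued certificate with the pending private key in the machine store.
    & certreq.exe -accept $CerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    # The Session Host dialog only offers certificates in LocalMachine\My that
    # have a private key; verify that is what we ended up with.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$Fqdn*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for $Fqdn in LocalMachine\My" }
    $cert
}

function Set-RdsListenerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Listener = 'RDP-Tcp',
          [switch]$RequireTls)
    # Equivalent to Step 4's "Select" button: the dialog writes the thumbprint
    # into Win32_TSGeneralSetting.SSLCertificateSHA1Hash for the listener.
    $props = @{ SSLCertificateSHA1Hash = $Cert.Thumbprint }
    if ($RequireTls) { $props.SecurityLayer = 2 }   # 2 = TLS only; no fallback to legacy RDP security
    $ts = Get-WmiObject -Namespace root\cimv2\terminalservices -Class Win32_TSGeneralSetting `
            -Filter "TerminalName='$Listener'"
    Set-WmiInstance -Path $ts.__PATH -Arguments $props | Out-Null
    # Read it back; a mismatch means the change did not take.
    $applied = (Get-WmiObject -Namespace root\cimv2\terminalservices -Class Win32_TSGeneralSetting `
                -Filter "TerminalName='$Listener'").SSLCertificateSHA1Hash
    if ($applied -ne $Cert.Thumbprint) { throw "Listener $Listener still uses $applied" }
    "Listener $Listener now uses $($Cert.Thumbprint) ($($Cert.Subject), expires $($Cert.NotAfter))"
}

switch ($Phase) {
    'Request' {
        New-RdsCertRequest -Fqdn $Fqdn -Org $Org -Country $Country -InfPath $InfPath -CsrPath $CsrPath
        "Submit $CsrPath to your CA, save the reply as $CerPath, then rerun with -Phase Install"
    }
    'Install' {
        $cert = Install-RdsCert -CerPath $CerPath -Fqdn $Fqdn
        Set-RdsListenerCert -Cert $cert -Listener $Listener -RequireTls
    }
}
```

The read-back at the end of Set-RdsListenerCert is the same check you would otherwise make by reopening the General tab: the thumbprint stored on the listener must equal the thumbprint of the certificate you just installed. The optional -RequireTls switch sets the listener's SecurityLayer to 2 so that clients cannot negotiate the legacy RDP security layer, which would leave the new certificate unused.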