{"id":1772,"date":"2020-04-24T11:35:01","date_gmt":"2020-04-24T17:35:01","guid":{"rendered":"http:\/\/www.RiptideHosting.com\/blog\/?p=1772"},"modified":"2020-04-24T11:35:01","modified_gmt":"2020-04-24T17:35:01","slug":"purchasing-and-installing-a-trusted-ssl-certificate-to-use-for-rdgw-rdsh","status":"publish","type":"post","link":"https:\/\/www.RiptideHosting.com\/blog\/purchasing-and-installing-a-trusted-ssl-certificate-to-use-for-rdgw-rdsh\/","title":{"rendered":"Purchasing and Installing a Trusted SSL Certificate to use for RDGW &#038; RDSH"},"content":{"rendered":"\n<p>Below are general steps to purchase\/install a Trusted SSL Certificate for use with Remote Desktop Gateway (RDGW) and Remote Desktop Session Host (RDSH) that are installed on the same\/single server in workgroup mode.\u00a0 We created this based on using a Trusted SSL Cert from GoDaddy.\u00a0 Our clients can ask for a more detailed tutorial of this process too.<\/p>\n\n\n\n<p><strong>1. Assumes you have already installed the RDSH and RDGW roles on the remote Windows Server.<\/strong><\/p>\n\n\n\n<p><strong>2. You need to have the subdomain\/url\/domain name that you will purchase the ssl cert for to forward to the IP address of the server.<\/strong>\u00a0 In this example, we want \u201cRDP.widgets.com\u201d to point to the IP address of the server xxx.xxx.xxx.xxx. 
You already own the domain name for widgets.com (which can be any domain name you own through a registrar like GoDaddy).<\/p>\n\n\n\n<p>Go to the parent domain name in GoDaddy, click on Manage DNS, go to the zone file section and click \u201cadd record\u201d.\u00a0 Add an \u201cA (Host)\u201d record type and add \u201cRDP\u201d (or whatever you are using in front of the domain name), which will make it \u201cRDP.widgets.com\u201d, and the IP address of the remote server.\u00a0 Click ok\/save and after a few minutes you will be able to ping the full name\/url and it should return the IP address of the remote server.<\/p>\n\n\n\n<p>We have tried to use Let\u2019s Encrypt (free certs expiring every 60 days) but found it difficult to use with Windows IIS at the time.<\/p>\n\n\n\n<p><strong>3. Create Certificate Request on the remote Windows Server using IIS Manager<\/strong><\/p>\n\n\n\n<p>Open IIS Manager on the remote Windows Server; in the left side pane under connections, click on your server name.&nbsp; In the middle window, double-click the \u201cserver certificates\u201d icon, which will open the server certificates screen showing your currently used self-signed cert.&nbsp; In the far right screen under actions, click \u201ccreate certificate request\u201d.<\/p>\n\n\n\n<p>Fill out the appropriate fields, including Common name (use the exact name of the url you are requesting the ssl cert for \u2013 i.e. \u201cRDP.widgets.com\u201d), Organization and Organization unit (could be your legal name), State (should be spelled out and not abbreviated), and Country (can be US).\u00a0 We recommend changing the bit length to 2048 for crypto.\u00a0 Create a filename for the CSR (CSR=certificate signing request), which will be saved in c:\\windows\\system32 unless you specify the full path in the file name request.<\/p>\n\n\n\n<p><strong>4. Purchase SSL Cert at GoDaddy by inputting CSR info<\/strong><\/p>\n\n\n\n<p>Go back into your GoDaddy account. 
Purchase an SSL cert (we did DV type in this example) at GoDaddy ($79.99\/yr although you may be able to find a discount code for year 1). &nbsp;After purchase go back into your GoDaddy account to the SSL cert and press \u201csetup\u201d.&nbsp;<\/p>\n\n\n\n<p>Click on New Certificate, then choose \u201cInput a CSR\u201d (you will use the CSR you generated on the remote server via IIS Manager).&nbsp; Do not select \u201cDomain hosted with GoDaddy\u201d.&nbsp; Type in the domain\/url field what you want the SSL cert to be issued for, for example \u201cRDP.widgets.com\u201d.&nbsp;<\/p>\n\n\n\n<p>Copy in the CSR text from the file you created on the remote server, using the entire text including the \u201c-----BEG\u2026----- and -----END\u2026-----\u201d lines.&nbsp; Select the default GoDaddy SSL algorithm.<\/p>\n\n\n\n<p>You will see the SSL Cert fields change to pending verification and you will have to wait approximately 20 minutes for it to change to ready\/certificate issued.<\/p>\n\n\n\n<p><strong>5. Download SSL Cert from GoDaddy and copy it to remote server and install it in IIS Manager<\/strong><\/p>\n\n\n\n<p>Click download, choose IIS (Windows) and it will download the .zip file with the certificate.&nbsp; Copy this .zip file to the remote server and extract it.<\/p>\n\n\n\n<p>Go back into the remote Windows Server, IIS Manager, the server certificates icon\/section and click on \u201ccomplete certificate request\u201d under actions.<\/p>\n\n\n\n<p>Attach the security cert from the GoDaddy zip file and create a friendly name (the friendly name is just to identify the certificate).\u00a0 You can put it in the personal store.\u00a0 For our example, we were able to skip doing anything with the intermediate cert and only had to attach the actual security cert.\u00a0 In order to attach the security cert, we had to change the file type selection dropdown to show all files. 
Press OK and exit IIS Manager.\u00a0 Make sure you keep track of the ssl cert expiration date so you renew\/reinstall prior to that date; otherwise you will be locked out of the remote server.<\/p>\n\n\n\n<p><strong>6. Modify settings on remote Windows Server in RD Gateway Manager to use new SSL cert<\/strong><\/p>\n\n\n\n<p>Open Remote Desktop Gateway Manager, then properties and the SSL Cert tab.&nbsp; Click on existing cert from personal store and select your new SSL cert.&nbsp; Press Import, which will restart the Gateway services, and your current connection will be disconnected.&nbsp; You will then have to connect with the new url\/ssl cert name in your local RDP connection client.&nbsp;<\/p>\n\n\n\n<p>Go back to your local RDP connection client (shortcut on desktop if you created that previously) and change the IP address in the computer name field (general tab) and gateway name (advanced tab) from the IP address to the url\/ssl cert\/fqdn you created \u2013 for example, \u201cRDP.widgets.com\u201d.<\/p>\n\n\n\n<p><strong>7. 
Modify setting on remote Windows Server for RD Session Host to use new SSL cert (if needed)<\/strong><\/p>\n\n\n\n<p>If you see the warning that the certificate name doesn\u2019t match and isn\u2019t from a trusted CA, it is because the new GoDaddy cert isn\u2019t being used for the RDSH (it is being used for RDGW but not RDSH even though they are both on the same server) and the self-signed cert is still being used for the RDSH.&nbsp; This seems to almost always happen in our experience.&nbsp; &nbsp;&nbsp;(Note: this warning is different from the \u201cunknown publisher\u201d warning you may see because you are using a custom rdp connection file shortcut\u2026 for the \u201cunknown publisher\u201d warning you can click \u201cdon\u2019t ask me again\u2026\u201d if you don\u2019t want to see that message again.)<\/p>\n\n\n\n<p>To fix this, use PowerShell (run as admin) below to change the certificate used for RDSH (NOT GW) to the GoDaddy SSL cert you purchased.&nbsp; Type each line separately below exactly as shown, except the thumbprint info in row 3 will need to be added after the row 1 output has generated (after the first line\/row is entered, you will see the thumbprint for the new ssl cert, which you will need to enter for line 3 between the \u201c\u201d).&nbsp;<\/p>\n\n\n\n<p>Get-ChildItem &#8220;Cert:\\LocalMachine\\My&#8221;<\/p>\n\n\n\n<p>$PATH = (Get-WmiObject -class &#8220;Win32_TSGeneralSetting&#8221; -Namespace root\\cimv2\\terminalservices)<\/p>\n\n\n\n<p>Set-WmiInstance -Path $PATH -argument @{SSLCertificateSHA1Hash=&#8221;<strong>ENTER-THUMBPRINT-HERE<\/strong>&#8220;}<\/p>\n\n\n\n<p>Next try to connect again and you should not see the certificate error message anymore.<\/p>\n\n\n\n<p>Lastly, some clients have noted that they had to enter the username as SERVERNAME\\username when connecting via the rdp connection client, so if you are still having issues, try that method in the rdp file too.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Below are 
general steps to purchase\/install a Trusted SSL Certificate for use with Remote Desktop Gateway (RDGW) and Remote Desktop Session Host (RDSH) that are installed on the same\/single server in workgroup mode.\u00a0 We created this based on using a Trusted SSL Cert from GoDaddy.\u00a0 Our clients can ask for a more detailed tutorial of [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,105,7,15,99],"tags":[108,106,107],"class_list":["post-1772","post","type-post","status-publish","format-standard","hentry","category-all-posts","category-remote-desktop-gateway","category-remote-desktop-hosting","category-windows-server-2016","category-windows-server-2019","tag-remote-desktop-gateway-ssl","tag-ssl-certificate-on-rdgw","tag-ssl-certificate-on-rdsh"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts\/1772","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/comments?post=1772"}],"version-history":[{"count":1,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts\/1772\/revisions"}],"predecessor-version":[{"id":1773,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts\/1772\/revisions\/1773"}],"wp:attachment":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/media?parent=1772"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/categories?post=1772"},{"taxonomy":"post_tag","embeddable":true
,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/tags?post=1772"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}