Should Remote Desktop use a dedicated certificate template?
Solution 1:
Automatic Certificate Request Settings (ACRS) only enrolls V1 certificate templates (Windows 2000 only supported this method). These are inflexible.
In general, any certificate including an EKU of Server Authentication (and containing a subject and/or SAN containing the DNS name the RDP client is validating against) should be usable for Remote Desktop-class certificates.
Should you use a separate certificate? It depends on the security profile of the certificates you're deploying to the machine.
- If the key isn't useful for other things, then it doesn't really matter.
- If you were going to give every client 2 certificates anyway, it might not matter.
- If your RDP auth profile is significantly different from every other certificate provided to the device, it's worth keeping it as a different certificate type.
- If you're providing certificates for another purpose as well - like SCCM authentication and management, or VPN, or both - could those other Client Authentication certificates be combined with Server Authentication to produce an all-in-one device certificate?
- again, key tradeoffs: more certificates may = more management; fewer may be easier to manage, but evaluate security capabilities and tradeoffs carefully