How to install an SSL certificate for RDS on Windows Server 2016?
Solution 1:
Finally I found the solution!
- First of all, the server name has to be changed by adding a DNS suffix. For example, if you want to connect to the server by the address srv.example.com, your server name should be "srv" and the DNS suffix "example.com". This can be done in the computer properties.
- Then set up licensing in "RD Licensing Manager".
- Now issue a certificate for the domain name srv.example.com (e.g. with Let's Encrypt).
- Convert the Let's Encrypt cert files into a Windows one via (Linux command):
openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
If you issued the certificate with the help of acme.sh, your command should look like:
openssl pkcs12 -export -out certificate.pfx -inkey yourdomain.com.key -in yourdomain.com.cer -certfile fullchain.cer
- Install the converted certificate into the Personal store at the computer level, not at the user level.
- Then display the thumbprint of the certificate with this command and copy it to a text file or something similar:
Get-ChildItem "Cert:\LocalMachine\My"
- This variable holds the WMI path of the RD Session Host RDP listener (where the certificate needs to be changed); the filter selects the RDP-Tcp listener and .__path extracts the object path that Set-WmiInstance expects:
$PATH = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
- Finally, this is the command to change the active certificate on the RDP listener:
Set-WmiInstance -Path $PATH -Arguments @{SSLCertificateSHA1Hash="thumbprint"}
The "thumbprint" above is the value you noted earlier; just insert it between the quotes (hex digits only, no spaces).
- Well done! Now you have an RDP server with a custom SSL cert without installing RD Gateway.
Credits
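As an added example (not part of the answer above), a PowerShell script that ties the last steps together: it locates the imported certificate by the DNS name clients use, normalises the thumbprint, binds it to the RDP-Tcp listener and re-reads the listener to confirm the change. $DnsName is an assumed placeholder for the server's FQDN; run it in an elevated PowerShell on the RD Session Host.

```powershell
# Added example: bind an already-imported certificate to the RDP-Tcp listener.
# Assumption: $DnsName is the name clients connect to (srv.example.com in the answer).
param(
    [string]$DnsName = "srv.example.com"
)

# Pick the newest unexpired cert in the machine Personal store whose subject or
# SAN matches the RDP name and that has a private key (needed for the TLS handshake).
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My" |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -like "*CN=$DnsName*" -or $_.DnsNameList.Unicode -contains $DnsName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate with a private key for $DnsName in Cert:\LocalMachine\My"
}

# WMI expects the SHA-1 thumbprint as a bare 40-character hex string (no spaces or colons).
$thumbprint = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumbprint.Length -ne 40) { throw "Unexpected thumbprint format: $thumbprint" }

# Target only the RDP-Tcp listener; Win32_TSGeneralSetting can hold several instances.
$listener = Get-WmiObject -Class "Win32_TSGeneralSetting" `
    -Namespace "root\cimv2\terminalservices" -Filter "TerminalName='RDP-tcp'"
Write-Host "Current listener thumbprint: $($listener.SSLCertificateSHA1Hash)"

Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $thumbprint } | Out-Null

# Re-read the listener and confirm it now presents the chosen certificate.
$after = Get-WmiObject -Class "Win32_TSGeneralSetting" `
    -Namespace "root\cimv2\terminalservices" -Filter "TerminalName='RDP-tcp'"
if ($after.SSLCertificateSHA1Hash -ne $thumbprint) {
    throw "Listener still reports $($after.SSLCertificateSHA1Hash)"
}
Write-Host "RDP-Tcp listener now uses $($cert.Subject) ($thumbprint), expires $($cert.NotAfter)"
```

A new RDP connection will present the chosen certificate immediately; the self-signed certificate that RDS generates on its own stays in the store but is no longer used by the listener.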
Solution 2:
Launch certlm.msc and import the cert into the "Personal -> Certificates" store. After it's installed, launch Server Manager and select the Remote Desktop role icon on the left. Click the "Tasks" dropdown in the "Deployment Overview" section, then click "Edit Deployment Properties" in the context menu that appears. You'll be able to assign the certificate you imported to roles by clicking the "Select existing certificate" button.
You should still configure the certificate settings whether or not you have the Gateway role installed.
Solution 3:
A partial solution I found with the help of the MS community is here: https://www.risual.com/2014/03/10/setting-up-a-2012-r2-rds-gateway-for-a-workgroup/. Summary of this article: to make the license server issue certificates for the Internet address, like srv.example.com, instead of only "example" (the computer name), the DNS suffix should be added in the computer properties:
By the way, the problem still exists in that the server for RDP connections still uses a self-issued certificate (even if I delete it and leave only the Let's Encrypt cert). On each RD Services restart it issues a new one instead of using mine. How can I make it use the Let's Encrypt cert?
Of course, I know that I can export the public key of the self-generated cert and add it to employees' PCs, but that is not a good solution in my opinion.