Configure a Certificate for the TS Gateway Server

Applies To: Windows Server 2008

By default, Transport Layer Security (TLS) 1.0 is used to encrypt communications between Terminal Services clients and TS Gateway servers over the Internet. For TLS to function correctly, you must install a Secure Sockets Layer-compatible X.509 certificate on the TS Gateway server.

You can obtain a certificate in one of the following ways:

  • You can generate and submit a certificate request to obtain a certificate from a stand-alone or an enterprise certification authority (CA).

  • You can purchase a certificate (or obtain one at no cost on a trial basis) from one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program [as listed in article 931125 in the Microsoft Knowledge Base (].

  • You can use the Add Roles Wizard to create a self-signed certificate when you install the TS Gateway role service, or you can use TS Gateway Manager to do this after TS Gateway is installed.


We recommend that you use a self-signed certificate only for testing and evaluation purposes.

This section describes certificate requirements for the TS Gateway server and provides more information about the different methods that you can use to obtain a certificate. The following topics are covered: