Share via


Obtaining a Certificate for the Remote Desktop Gateway Server

Updated: March 2, 2011

Applies To: Windows Server 2008 R2

This topic assumes an understanding of certificate trust chaining, certificate signing, and general public key infrastructure and certificate configuration principles. For information about PKI configuration in Windows Server 2008, see ITPROADD-204: PKI Enhancement in Windows Vista and Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=93995). For information about PKI configuration in Windows Server 2003, see Public Key Infrastructure (https://go.microsoft.com/fwlink/?LinkID=54917).

By default, Transport Layer Security (TLS) 1.0 is used to encrypt communications between Remote Desktop Services clients and RD Gateway servers over the Internet. TLS is a standard protocol that is used to provide secure Web communications on the Internet or intranets. TLS is the latest and most secure version of the Secure Sockets Layer (SSL) protocol. For more information about TLS, see:

For TLS to function correctly, you must install an SSL-compatible X.509 certificate on the RD Gateway server.

Certificate installation and configuration process overview

The process of obtaining, installing, and configuring a certificate for the RD Gateway server involves these steps.

Step 1: Obtain a certificate for the Remote Desktop Gateway server

You can obtain a certificate for the RD Gateway server by using one of the following methods:

  • If your company maintains a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates that meet RD Gateway requirements, you can generate and submit a certificate request in several ways, depending on the policies and configuration of your organization's CA. Methods for obtaining a certificate include:

    • Initiating auto-enrollment from the Certificates snap-in.

    • Requesting certificates by using the Certificate Request Wizard.

    • Requesting a certificate over the Web.

Note

If you have a Windows Server 2003 CA, be aware that the Windows Server 2003 Certificate Services Web enrollment functionality relies on an ActiveX control that is named Xenroll. This ActiveX control is available in Microsoft Windows Server 2003, Windows 2000, and Windows XP. However, Xenroll has been deprecated in Windows Server 2008 and Windows Vista. The sample certificate enrollment Web pages that are included with the original release version of Windows Server 2003, Windows Server 2003 Service Pack 1 (SP1), and Windows Server 2003 Service Pack 2 (SP2) are not designed to handle the change in how Windows Server 2008 and Windows Vista perform Web-based certificate enrollment operations. For information about the steps that you can take to address this issue, see article 922706 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=94472).

  - Using the Certreq command-line tool.  
      
For more information about using any of these methods to obtain certificates for Windows Server 2008 R2, see the "Obtain a Certificate" topic in the Certificates snap-in Help and the "Certreq" topic in the Windows Server 2008 R2 Command Reference. To review the Certificates snap-in Help topics, click **Start**, click **Run**, type **hh certmgr.chm**, and then click **OK**. For information about how to request certificates for Windows Server 2003, see Requesting Certificates ([https://go.microsoft.com/fwlink/?LinkID=19638](https://go.microsoft.com/fwlink/?linkid=19638)).  
  
A stand-alone or enterprise CA-issued certificate must be co-signed by a trusted public CA that participates in the Microsoft Root Certification Program Members program ([https://go.microsoft.com/fwlink/?LinkID=59547](https://go.microsoft.com/fwlink/?linkid=59547)). Otherwise, users connecting from home computers or kiosks might not be able to connect to TS Gateway or RD Gateway servers. These connections might fail because the CA-issued root might not be trusted by computers that are not members of domains, such as home computers or kiosks.  
  
  • If your company does not maintain a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates, you can purchase a certificate from a trusted public CA that participates in the Microsoft Root Certificate Program Members program (https://go.microsoft.com/fwlink/?LinkID=59547). Some of these public CAs might offer certificates at no cost on a trial basis.

  • Alternatively, if your company does not maintain a stand-alone or enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your RD Gateway server for technical evaluation and testing purposes. For more information, see Creating a Self-Signed Certificate for the Remote Desktop Gateway Server.

Important

If you use either of the first two methods to obtain a certificate (that is, if you obtain a certificate from a stand-alone or enterprise CA or a trusted public CA), you must also Importing a Certificate into the Remote Desktop Gateway Server and Selecting an Existing Certificate for Remote Desktop Gateway. However, if you create a self-signed certificate by using the Add Roles Wizard during installation of the Remote Desktop Gateway role service or by using Remote Desktop Gateway Manager after installation (as described in Creating a Self-Signed Certificate for the Remote Desktop Gateway Server), you do not need to install or map the certificate to the RD Gateway server. In this case, the certificate is automatically created, installed in the correct location on the RD Gateway server, and mapped to the RD Gateway server.

Note that Remote Desktop Services clients must have the certificate of the CA that issued the server certificate in their Trusted Root Certification Authorities store. For step-by-step instructions for installing the certificate on the client, see [Installing the Remote Desktop Gateway Server Root Certificate on the Remote Desktop Services Client](gg675313\(v=ws.10\).md).  
  
If you used one of the first two methods to obtain a certificate and the Remote Desktop Services client computer trusts the issuing CA, you do not need to install the certificate of the CA that issued the server certificate in the client computer certificate store. For example, you do not need to install the certificate of the issuing CA in the client computer certificate store if a VeriSign or other public, trusted CA certificate is installed on the RD Gateway server. If you use the third method to obtain a certificate (that is, if you create a self-signed certificate), you do need to install the certificate of the CA that issued the server certificate in the Trusted Root Certification Authorities store on the client computer. For more information, see [Installing the Remote Desktop Gateway Server Root Certificate on the Remote Desktop Services Client](gg675313\(v=ws.10\).md).  
  

Step 2: Import a certificate

After you obtain a certificate, you can import the certificate to the RD Gateway server by using one of the following methods: