How do I assign a certificate to remote desktop?

Using certificates in Remote Desktop Services

  • 08/31/2016

Remote Desktop Services uses certificates to sign the communication between two computers. When a client connects to a server, the identity of the server and the information from the client are validated using certificates.

Using certificates for authentication prevents possible man-in-the-middle attacks. When a communication channel is set up between the client and the server, the authority that generates the certificates vouches that the server is authentic. As long as the client trusts the server it is communicating with, the data being sent to and from the server is considered secure.

Certificates in Remote Desktop Services need to meet the following requirements:

  • The certificate is installed in the local computer’s “Personal” certificate store.

  • The certificate has a corresponding private key.

  • The Enhanced Key Usage extension has a value of either “Server Authentication” or “Remote Desktop Authentication” (1.3.6.1.4.1.311.54.1.2). You can also use certificates with no Enhanced Key Usage extension.
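
A read-only PowerShell check of the three requirements above, added here as an example and not taken from the original article. The function name `Test-RdsCertificate` is hypothetical, and the Server Authentication OID `1.3.6.1.5.5.7.3.1` is the standard value rather than one quoted on this page.

```powershell
# Added example: check each certificate in LocalMachine\My against the three
# requirements listed above. Read-only; run from an elevated PowerShell session.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication (standard OID, not from this page)
$RdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication (OID from this page)

function Test-RdsCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Read EKU OIDs from the raw extension; a certificate may carry no EKU extension at all.
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Requirement 3: Server Authentication, Remote Desktop Authentication, or no EKU extension.
    $ekuOk = (-not $ekuExt) -or ($ekuOids -contains $ServerAuthOid) -or ($ekuOids -contains $RdpAuthOid)

    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        Subject       = $Certificate.Subject
        NotAfter      = $Certificate.NotAfter           # reported for information only
        HasPrivateKey = $Certificate.HasPrivateKey      # Requirement 2
        EkuOids       = if ($ekuExt) { $ekuOids -join ', ' } else { '(no EKU extension)' }
        EkuOk         = $ekuOk
        Usable        = $Certificate.HasPrivateKey -and $ekuOk
    }
}

# Requirement 1: only the local computer's "Personal" store is enumerated.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-RdsCertificate -Certificate $_ } |
    Sort-Object Usable -Descending |
    Format-Table -AutoSize
```

`HasPrivateKey` only reports that a key is associated with the certificate; it does not confirm that the Remote Desktop service account can read that key.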

Remote Desktop listener certificate configurations

  • 12/09/2021

This article describes the methods to configure listener certificates on a Windows Server 2012-based or Windows Server 2012 R2-based server that is not part of a Remote Desktop Services (RDS) deployment.

Applies to: Windows Server 2012 R2
Original KB number: 3042780

Generate a CSR Code for Remote Desktop Services

When applying for an SSL Certificate, you must generate a CSR code and submit it to the CA. The CSR includes contact details about your website or company. You create the CSR in the IIS release that matches the version of your Remote Desktop Gateway server. Microsoft IIS server comes pre-installed with every version of Windows.

For instance, if you use RDS 2016, you will generate your CSR in IIS 10 which is included in Windows Server 2016.

We’ve already written comprehensive guides on how to generate a CSR code on various IIS versions. Use the links below to find the relevant guide:

  • How to Generate a CSR code in Microsoft IIS 7? (RDS 2008)
  • How to Generate a CSR code in Microsoft IIS 8 & 8.5? (RDS 2012)
  • How to Generate a CSR code in Microsoft IIS 10? (RDS 2016)

After you create your CSR and complete the SSL validation, the CA will send all the necessary certificate files to your inbox. You can now proceed to SSL installation.

How to install an SSL Certificate on Remote Desktop Services?

This step-by-step guide will show you how to install an SSL Certificate on Remote Desktop Services (RDS). You will also learn a few interesting facts about RDS, and discover the best place to shop for any type of SSL Certificate. If you still haven’t generated your CSR (Certificate Signing Request) and passed the SSL authentication, refer to the CSR Generation tutorials in the first part of this guide.

How to Install an SSL Certificate on a Remote Desktop Gateway server

The following instructions will guide you through the SSL installation process on a Remote Desktop Gateway server. If you have more than one server or device, you will need to install the certificate on each server or device you need to secure. If you still have not generated your certificate and completed the validation process, reference our CSR Generation Instructions and disregard the steps below.

Certificate Template for RDS

  1. Right-click Certificate Template and select Manage.

  2. Highlight Computer, then right-click and select Duplicate Template.

  3. Change the Template Name to RDS.

  4. Select Extensions – Application Policies and remove all the existing application policies. Click Add to include the following:

       • Name = Remote Desktop Authentication
       • Object Identifier = 1.3.6.1.4.1.311.54.1.2

  5. Right-click Certificate Template and select New – Certificate Template to Issue, then select the RDS template.

  6. Verify that RDS is shown in Certificate Template.
