Obtain a Certificate for the TS Gateway Server

Applies To: Windows Server 2008

This section assumes an understanding of certificate trust chaining, certificate signing, and general certificate configuration principles.

For information about public key infrastructure (PKI) configuration in Windows Server 2008, see ITPROADD-204: PKI Enhancement in Windows Vista and Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=93995).

For information about PKI configuration in Windows Server 2003, see Public Key Infrastructure (https://go.microsoft.com/fwlink/?LinkID=54917).

By default TLS 1.0 is used to encrypt communications between Terminal Services clients and TS Gateway servers over the Internet. TLS is a standard protocol that helps to secure Web communications on the Internet or intranets. TLS is the latest and most secure version of the SSL protocol. For more information about TLS, see:

For TLS to function correctly, you must install an SSL-compatible X.509 certificate on the TS Gateway server.

Certificate requirements for TS Gateway

Certificates for TS Gateway must meet the following requirements:

  • The name in the Subject line of the server certificate (certificate name, or CN) must match the DNS name that the client uses to connect to the TS Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates. If your organization issues certificates from an enterprise certification authority (CA), a certificate template must be configured so that the appropriate name is supplied in the certificate request. If your organization issues certificates from a stand-alone CA, you do not need to do this.

Note

If you are using the SAN attributes of certificates, clients that connect to the TS Gateway server must be running Remote Desktop Connection (RDC) 6.1. (RDC 6.1 [6.0.6001] supports Remote Desktop Protocol 6.1.). RDC 6.1 is included with Windows Server 2008, Windows Vista SP1, and Windows XP SP3.

  • The certificate is a computer certificate.

  • The intended purpose of the certificate is server authentication. The enhanced key usage is Server Authentication (1.3.6.1.5.5.7.3.1).

  • The certificate has a corresponding private key.

  • The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.

  • A certificate object identifier (OID) of 2.5.29.15 (the Key Usage extension) is not required. However, if the certificate that you plan to use contains an object identifier of 2.5.29.15, you can only use the certificate if at least one of the following key usage values is also set: CERT_KEY_ENCIPHERMENT_KEY_USAGE, CERT_KEY_AGREEMENT_KEY_USAGE, or CERT_DATA_ENCIPHERMENT_KEY_USAGE.

    For more information about these values, see Advanced Certificate Enrollment and Management (https://go.microsoft.com/fwlink/?LinkID=74577).

  • The certificate must be trusted on clients. That is, the public certificate of the CA that signed the TS Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer.
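The following PowerShell function is an added example, not part of the original guide, that checks a certificate already present in the computer's Personal store against the requirements listed above (computer certificate with a private key, validity period, Server Authentication EKU, the Key Usage rule for 2.5.29.15, CN or SAN name match, and chain trust). It assumes PowerShell 2.0 or later, and that the caller supplies the certificate thumbprint and the DNS name that clients use to reach the gateway.

```powershell
# Added example (not from the original guide): checks a certificate already in the
# local computer's Personal store against the TS Gateway requirements listed above.
# Assumption: the thumbprint and the DNS name clients use are supplied by the caller.
function Test-TsGatewayCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$ExpectedDnsName
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }
    $now = Get-Date
    $r = New-Object PSObject
    # Computer certificate with a private key: LocalMachine\My plus HasPrivateKey covers both.
    $r | Add-Member NoteProperty HasPrivateKey $cert.HasPrivateKey
    # Not expired (and already valid). The guide recommends one year from installation.
    $r | Add-Member NoteProperty WithinValidity (($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now))
    # Enhanced Key Usage must contain Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    foreach ($e in $eku) { foreach ($oid in $e.EnhancedKeyUsages) { if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { $hasServerAuth = $true } } }
    $r | Add-Member NoteProperty ServerAuthEku $hasServerAuth
    # Key Usage (2.5.29.15) is optional, but if present one of KeyEncipherment,
    # KeyAgreement or DataEncipherment must be set.
    $ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $kuOk = $true
    if ($ku) {
        $needed = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'KeyEncipherment, KeyAgreement, DataEncipherment'
        $kuOk = (($ku.KeyUsages -band $needed) -ne 0)
    }
    $r | Add-Member NoteProperty KeyUsageOk $kuOk
    # Subject CN or a SAN DNS entry must match the name clients use; a wildcard covers one label.
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1] }) }
    $nameOk = $false
    foreach ($n in $names) {
        if (-not $n) { continue }
        $n = $n.Trim()
        if ($n.StartsWith('*.')) {
            if (($ExpectedDnsName -like $n) -and ($ExpectedDnsName.Split('.').Count -eq $n.Split('.').Count)) { $nameOk = $true }
        } elseif ($n -eq $ExpectedDnsName) { $nameOk = $true }
    }
    $r | Add-Member NoteProperty NameMatches $nameOk
    # Chain builds to a root trusted on this server; clients must trust the same root (last bullet above).
    $r | Add-Member NoteProperty ChainTrustedHere ($cert.Verify())
    return $r
}
```

Run it as `Test-TsGatewayCertificate -Thumbprint 'THUMBPRINT_HERE' -ExpectedDnsName 'tsgateway.example.com'` (placeholder values); every property must be True before the certificate is mapped to TS Gateway. ChainTrustedHere only proves trust on the server itself; clients still need the issuing root in their own Trusted Root Certification Authorities store.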

Using existing certificates

If you already have a certificate, you can reuse it for the TS Gateway server if the certificate:

If the certificate is not trusted by the Microsoft Root Certificate Program Members program (for example, if you create and install a self-signed certificate on the TS Gateway server and you do not manually configure the Terminal Services client computer to trust that certificate), a warning appears when the client attempts to connect through the TS Gateway server, stating that you do not have a trusted certificate, and the connection will not succeed. To prevent this error from occurring, install the certificate into the computer certificate store on the client computer before the client attempts to connect through the TS Gateway server.

Certificate installation and configuration process overview

The process of obtaining, installing, and configuring a certificate for the TS Gateway server involves the following steps.

1. Obtain a certificate

Obtain a certificate for the TS Gateway server by doing one of the following:

  • If your company maintains a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates that meet TS Gateway requirements, you can generate and submit a certificate request in several ways, depending on the policies and configuration of your organization's CA. Methods for obtaining a certificate include:

    • Initiating auto-enrollment from the Certificates snap-in.

    • Requesting certificates by using the Certificate Request Wizard.

    • Requesting a certificate over the Web.

Note

If you have a Windows Server 2003 CA, be aware that the Windows Server 2003 Certificate Services Web enrollment functionality relies on an ActiveX® control that is named Xenroll. This ActiveX control is available in Microsoft Windows 2000, Windows Server 2003, and Windows XP.
However, Xenroll has been deprecated in Windows Server 2008 and Windows Vista. The sample certificate enrollment Web pages that are included with the original release version of Windows Server 2003, Windows Server 2003 Service Pack 1 (SP1), and Windows Server 2003 Service Pack 2 (SP2) are not designed to handle the change in how Windows Server 2008 and Windows Vista perform Web-based certificate enrollment operations.
For information about the steps that you can take to address this issue, see article 922706 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=94472).

    • Using the Certreq command-line tool.

    For more information about using any of these methods to obtain certificates for Windows Server 2008, see the "Obtain a Certificate" topic in the Certificates snap-in Help and the "Certreq" topic in the Windows Server 2008 Command Reference. To review the Certificates snap-in Help topics, click Start, click Run, type hh certmgr.chm, and then click OK. For information about how to request certificates for Windows Server 2003, see Requesting Certificates (https://go.microsoft.com/fwlink/?LinkID=19638).

    A stand-alone or enterprise CA-issued certificate must be co-signed by a trusted public CA that participates in the Microsoft Root Certification Program Members program (https://go.microsoft.com/fwlink/?LinkID=59547). Otherwise, users connecting from home computers or kiosks might not be able to connect to TS Gateway servers. These connections might fail because the enterprise CA-issued root might not be trusted by computers that are not members of domains, such as home computers or kiosks.
  
  • If your company does not maintain a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates, you can purchase a certificate from a trusted public CA that participates in the Microsoft Root Certificate Program Members program (https://go.microsoft.com/fwlink/?LinkID=59547). Some of these vendors might offer certificates at no cost on a trial basis.

  • Alternatively, if your company does not maintain a stand-alone or enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your TS Gateway server for technical evaluation and testing purposes. For step-by-step instructions, see Create a Self-Signed Certificate for the TS Gateway Server.

    In the example configurations described in this guide, a self-signed certificate is used.

Important

If you use either of the first two methods to obtain a certificate (that is, if you obtain a certificate from a stand-alone or enterprise CA or a trusted public CA), you must also install the certificate on the TS Gateway server and map the certificate. However, if you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service or by using TS Gateway Manager after installation (as described in Create a Self-Signed Certificate for the TS Gateway Server), you do not need to install or map the certificate to the TS Gateway server. In this case, the certificate is automatically created, installed in the correct location on the TS Gateway server, and mapped to the TS Gateway server.

Note

Terminal Services clients must have the certificate of the CA that issued the server certificate in their Trusted Root Certification Authorities store. Therefore, if you create a self-signed certificate by following the procedure in this guide, you must copy the certificate to the client computer (or to a network share that can be accessed from the client computer) and then install the certificate in the Trusted Root Certification Authorities store on the client computer. For step-by-step instructions, see Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional).

If you use one of the first two methods to obtain a certificate and the Terminal Services client computer trusts the issuing CA, you do not need to install the certificate of the CA that issued the server certificate in the client computer certificate store. For example, you do not need to install the certificate of the issuing CA in the client computer certificate store if a VeriSign or other public, trusted CA certificate is installed on the TS Gateway server.

If you use the third method to obtain a certificate (that is, if you create a self-signed certificate), you do need to copy the certificate of the CA that issued the server certificate to the client computer. Then, you must install that certificate in the Trusted Root Certification Authorities store on the client computer. For more information, see Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional).

2. Install the certificate

Install a Certificate on the TS Gateway Server. Use this procedure, described later in this guide, to install the certificate on your TS Gateway server.

3. Map the certificate

Map the TS Gateway Certificate. This procedure, described later in this guide, allows you to specify that the existing certificate be used by the TS Gateway server.
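The following script is an added example, not part of the original guide, covering steps 1 and 2 with the Certreq command-line method listed in step 1: it writes a request file whose settings satisfy the certificate requirements above (computer key, Key Encipherment usage, Server Authentication EKU, CN and SAN set to the gateway's DNS name), submits it to a CA, and installs the issued certificate into the computer store. Step 3 (mapping) is done in TS Gateway Manager and is not scripted. The DNS name, CA config string and template name are placeholders you must replace.

```powershell
# Added example (not from the original guide): builds a certificate request that meets
# the TS Gateway requirements using certreq (one of the step 1 methods), submits it,
# and installs the issued certificate (step 2). Step 3 (mapping) is done in TS Gateway
# Manager and is not scripted here.
# Assumptions (placeholders): the gateway DNS name, the CA config string and the template.
$DnsName  = 'tsgateway.example.com'            # name clients will use to reach the gateway
$CaConfig = 'CA-SERVER\Example-Enterprise-CA'   # "host\CA name" for certreq -config

$inf = @"
[NewRequest]
Subject = "CN=$DnsName"
; computer certificate: key stored in the machine store, not a user's profile
MachineKeySet = TRUE
Exportable = FALSE
KeyLength = 2048
; AT_KEYEXCHANGE key, usable for TLS
KeySpec = 1
; Key Usage 0xA0 = Digital Signature (0x80) + Key Encipherment (0x20, CERT_KEY_ENCIPHERMENT_KEY_USAGE)
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
; Subject Alternative Name (2.5.29.17); clients need RDC 6.1 to honor it
2.5.29.17 = "{text}"
_continue_ = "dns=$DnsName&"
[RequestAttributes]
; enterprise CA only: request the Web Server template; remove this section for a stand-alone CA
CertificateTemplate = WebServer
"@
Set-Content -Path .\tsgw.inf -Value $inf -Encoding ASCII

certreq.exe -new .\tsgw.inf .\tsgw.req                        # generate key pair and PKCS#10 request
certreq.exe -submit -config $CaConfig .\tsgw.req .\tsgw.cer   # submit; a stand-alone CA may leave it pending
certreq.exe -accept .\tsgw.cer                                # install in LocalMachine\My, bound to the private key
```

If a stand-alone CA holds the request as pending, issue it in the Certification Authority console and fetch it with certreq -retrieve before running -accept. Remember that the issuing CA's root must also be trusted on client computers, as the Note above describes.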