Obtain a Certificate for the Remote Desktop Gateway Server

Applies To: Windows Server 2008 R2

This topic assumes an understanding of certificate trust chaining, certificate signing, and general public key infrastructure and certificate configuration principles. For information about PKI configuration in Windows Server 2008, see ITPROADD-204: PKI Enhancement in Windows Vista and Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=93995). For information about PKI configuration in Windows Server 2003, see Public Key Infrastructure (https://go.microsoft.com/fwlink/?LinkID=54917).

By default, Transport Layer Security (TLS) 1.0 is used to encrypt communications between Remote Desktop Services clients and RD Gateway servers over the Internet. TLS is a standard protocol that is used to provide secure Web communications on the Internet or intranets. TLS is the latest and most secure version of the Secure Sockets Layer (SSL) protocol. For more information about TLS, see:

• SSL/TLS in Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkID=19646)

• RFC 2246, The TLS Protocol Version 1.0 (https://go.microsoft.com/fwlink/?LinkID=40979)

For TLS to function correctly, you must install an SSL-compatible X.509 certificate on the RD Gateway server.

Certificate installation and configuration process overview

The process of obtaining, installing, and configuring a certificate for the RD Gateway server involves these steps.

Step 1: Obtain a certificate for the Remote Desktop Gateway server

You can obtain a certificate for the RD Gateway server by using one of the following methods:

• If your company maintains a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates that meet RD Gateway requirements, you can generate and submit a certificate request in several ways, depending on the policies and configuration of your organization's CA. Methods for obtaining a certificate include:

  • Initiating auto-enrollment from the Certificates snap-in.

  • Requesting certificates by using the Certificate Request Wizard.

  • Requesting a certificate over the Web.

  - Using the Certreq command-line tool.

For more information about using any of these methods to obtain certificates for Windows Server 2008 R2, see the "Obtain a Certificate" topic in the Certificates snap-in Help and the "Certreq" topic in the Windows Server 2008 R2 Command Reference. To review the Certificates snap-in Help topics, click **Start**, click **Run**, type **hh certmgr.chm**, and then click **OK**. For information about how to request certificates for Windows Server 2003, see Requesting Certificates ([https://go.microsoft.com/fwlink/?LinkID=19638](https://go.microsoft.com/fwlink/?linkid=19638)).

A stand-alone or enterprise CA-issued certificate must be co-signed by a trusted public CA that participates in the Microsoft Root Certification Program Members program ([https://go.microsoft.com/fwlink/?LinkID=59547](https://go.microsoft.com/fwlink/?linkid=59547)). Otherwise, users connecting from home computers or kiosks might not be able to connect to TS Gateway or RD Gateway servers. These connections might fail because the CA-issued root might not be trusted by computers that are not members of domains, such as home computers or kiosks.

• If your company does not maintain a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates, you can purchase a certificate from a trusted public CA that participates in the Microsoft Root Certificate Program Members program (https://go.microsoft.com/fwlink/?LinkID=59547). Some of these public CAs might offer certificates at no cost on a trial basis.

• Alternatively, if your company does not maintain a stand-alone or enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your RD Gateway server for technical evaluation and testing purposes. For more information, see Create a Self-Signed Certificate for the Remote Desktop Gateway Server.

Note that Remote Desktop Services clients must have the certificate of the CA that issued the server certificate in their Trusted Root Certification Authorities store. For step-by-step instructions for installing the certificate on the client, see [Install the Remote Desktop Gateway Server Root Certificate on the Remote Desktop Services Client](cc754076\(v=ws.10\).md).

If you used one of the first two methods to obtain a certificate and the Remote Desktop Services client computer trusts the issuing CA, you do not need to install the certificate of the CA that issued the server certificate in the client computer certificate store. For example, you do not need to install the certificate of the issuing CA in the client computer certificate store if a VeriSign or other public, trusted CA certificate is installed on the RD Gateway server. If you use the third method to obtain a certificate (that is, if you create a self-signed certificate), you do need to install the certificate of the CA that issued the server certificate in the Trusted Root Certification Authorities store on the client computer. For more information, see [Install the Remote Desktop Gateway Server Root Certificate on the Remote Desktop Services Client](cc754076\(v=ws.10\).md).

Step 2: Import a certificate

After you obtain a certificate, you can import the certificate to the RD Gateway server by using one of the following methods:

• To install a certificate to the certificate store and import the certificate to the RD Gateway server, see Import a Certificate into Remote Desktop Gateway Server.

• To import an existing certificate from the certificate store to the RD Gateway server, see Select an Existing Certificate for Remote Desktop Gateway.

Additional references

• Configure a Certificate for the Remote Desktop Gateway Server