Remote Desktop Services Migration Overview: Migrating Certificates
Updated: July 19, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
This topic provides a summary of the certificates used in each of the role services in Remote Desktop Services. It also provides a list of the Remote Desktop Services features that use certificates, and describes the general process for migrating certificates.
Typically, RD Session Host servers use auto-generated certificates for server authentication. If RD Session Host server certificates are auto-generated, you should record that information in the data worksheet; however, do not migrate the auto-generated certificate from the RD Session Host server. The destination RD Session Host server will auto-generate a new certificate. To gather the RD Session Host server certificate settings, see the procedure in RD Session Host Migration: Preparing to Migrate.
This guide does not cover the migration of RD Session Host server farms; however, these servers use an SSL certificate with a private key. If you plan to reuse your certificate, see the instructions in Preparing certificates for migration later in this topic to export the certificate.
The RDP files for virtual desktop connections can be digitally signed with certificates. To migrate certificates that are used for digitally signing RDP files for personal virtual desktops and virtual desktop pools, see RD Connection Broker Migration: Preparing to Migrate.
For more information, see About Digitally Signing Files for Virtual Desktop Connections (http://go.microsoft.com/fwlink/?LinkId=195063).
HTTPS connections to an RD Web Access server are secured with an SSL certificate in Web Server (IIS). To migrate the SSL certificate for RD Web Access servers, see RD Web Access Migration: Preparing to Migrate and RD Web Access Migration: Migrating the RD Web Access Role Service.
Although we do not migrate RemoteApp programs in this guide, certificates can be used to secure them. RemoteApp program certificates are located on the RD Session Host server. If you plan to reuse your certificates, you should export them from the RD Session Host source server before shutting it down.
For general instructions about migrating certificates with private keys, see Preparing certificates for migration.
The private key must be included when migrating a certificate for digitally signing RDP files for RemoteApp programs.
For more information about using certificates with RemoteApp programs, see the following:
An SSL-compatible X.509 certificate is required before RD Gateway can serve connections.
To configure certificates for RD Gateway, see RD Gateway Migration: Preparing to Migrate.
RD Virtualization Host servers do not require certificates, and as a result there are no migration steps for certificates for RD Virtualization Host servers.
Remote Desktop license servers do not require certificates, and as a result there are no migration steps for certificates for Remote Desktop license servers.
Although this migration guide does not describe how to migrate the deployment of Remote Desktop Services features, the following list of features that use certificates is included for reference. Each of the following features uses certificates in at least one role service:
Single sign-on (SSO) for RemoteApp and Desktop Connection
Web Single Sign-On (Web SSO)
HTTPS connections to RD Web Access
Digital signing of RDP files for personal virtual desktops and virtual desktop pools
Digital signing of RDP files for RemoteApp programs
RD Gateway connections to Remote Desktop Services
RD Session Host server connections in a farm configuration
In most cases, the migration of certificates for Remote Desktop Services requires you to export the certificate with the private key. After export, you should store the certificate in a safe location.
A certificate with a private key can be migrated by using the following steps:
To export the certificate to a PFX file, see Export a certificate with the private key (http://go.microsoft.com/fwlink/?LinkID=186422).
To import the certificate from a PFX file, see Import a certificate (http://go.microsoft.com/fwlink/?LinkId=188055).
After you have imported the certificate to the certificate store on the destination server, follow the instructions for configuring the certificate in the migration guide for the specific role service.
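The export and import steps above can also be scripted with checks that the private key actually travelled with the certificate. The following PowerShell sketch is an added example, not part of the original topic or of Microsoft's linked procedures; it uses the .NET X509 classes, and the parameter names $Thumbprint, $PfxPath and -Import are assumptions chosen for this illustration.

```powershell
# Added example: run without -Import on the source server, then with -Import on the destination.
# $Thumbprint and $PfxPath are operator-supplied placeholders; give $PfxPath as a full path.
param(
    [Parameter(Mandatory=$true)][string]$Thumbprint,
    [Parameter(Mandatory=$true)][string]$PfxPath,
    [switch]$Import
)
$ns = 'System.Security.Cryptography.X509Certificates'
# Normalize the thumbprint: strip spaces and hidden characters copied from the certificate dialog.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$password = Read-Host -AsSecureString 'PFX password'
$store = New-Object "$ns.X509Store" 'My', 'LocalMachine'

if (-not $Import) {
    $store.Open('ReadOnly')
    $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $store.Close()
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My." }
    # A certificate without its key cannot be used for SSL or for signing RDP files.
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this server.' }
    # Export throws if the key was not marked exportable when it was installed.
    $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $bytes = $cert.Export($pfxType, $password)
    [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
    "Exported $($cert.Subject) to $PfxPath"
}
else {
    # MachineKeySet + PersistKeySet: keep the key in the machine key store after this process exits.
    # Exportable is deliberately not set, so the key cannot be exported again from the destination.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $cert = New-Object "$ns.X509Certificate2" $PfxPath, $password, $flags
    # Confirm the file holds the certificate recorded on the source server, with its key.
    if ($cert.Thumbprint -ne $Thumbprint) { throw "PFX thumbprint $($cert.Thumbprint) does not match the expected value." }
    if (-not $cert.HasPrivateKey) { throw 'PFX does not contain the private key.' }
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    "Imported $($cert.Subject); private key present: $($cert.HasPrivateKey)"
}
```

Run the script from an elevated prompt, and remove the PFX file from any transfer location once the import has been verified.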