Creating and deploying certificates for Microsoft Remote Desktop Services

Greetings to the well of knowledge…

I have ZERO experience in creating, installing, and managing certs. I have been reading a lot and I’m completely baffled.

My scenario: I created a Windows Server 2012R2 server farm consisting of an RD Broker and four RDP servers. The servers currently have self-signed certs that came with the server. Launching a remote desktop session gives the user the usual certificate warning that the user just clicks through to get to the server session. I want to get away from the self-signed certs and get to a more secure environment.

We have an internal AD domain. Our remote users connect to our internal network using Cisco IPSec VPN (soon to be Cisco AnyConnect).

I have no idea where to even begin and would appreciate any guidance.

Regards,
Ken

1 Like

First just to clear up a potential misconception, self-signed certs aren't any less secure than public certs from a cryptography standpoint. It's all the same math assuming the same key sizes and algorithms. I would say what you're trying to reach is a more trusted environment or even a less inconvenient environment (not having to click through cert warnings).

Most organizations in your position would spin up an internal Certificate Authority (CA) which is effectively just another self-signed certificate that can be used to create additional certificates and in no way related to Let's Encrypt. Assuming you own/control all of the clients connecting to your service, you can install/push this CA certificate to their trusted roots store and then all of the certs you create from that CA are now trusted and no longer throw cert warnings (assuming the rest of the cert details are correct).

If you have users connecting from machines you don't control, it can be more difficult or even impossible to convince them to install and trust your CA certificate. This is because it allows you to potentially Man-In-The-Middle (MITM) any of their other HTTPS connections by creating certs they will trust for things you don't actually own.

In that case, you may consider using a public CA such as Let's Encrypt for your certs. Public CAs are already trusted by everyone (for varying degrees of everyone) and they will only allow you to get a cert for names you can prove that you own such as farm.mycompany.com.

Since you're here, one might assume you've already decided on the public CA option. But can you confirm?

2 Likes
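
The trust model described in the reply above, as an added example that is not part of the thread: a lone self-signed cert and a cert issued by an internal CA use the same key size and algorithm, and only the one that chains to an installed root and carries the right name verifies cleanly. It uses the OpenSSL command line rather than a Windows CA, and every name in it (the CA subject, `rdfarm.corp.example`, `rdp01.corp.example`) is constructed.

```shell
#!/bin/sh
# Added example. Every name here (CA subject, rdfarm.corp.example) is constructed.
FARM=rdfarm.corp.example

# make_demo_pki DIR: create an internal root CA, a farm certificate issued by
# it, and a lone self-signed certificate for the same name, all RSA-2048.
make_demo_pki() {
    d=$1
    cat > "$d/demo.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FARM
EOF
    # The internal CA is itself a self-signed certificate, marked CA:TRUE.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/demo.cnf" \
        -extensions ca_ext -subj "/CN=Example Internal Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Farm key and CSR, then a certificate for the farm name signed by the CA.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=$FARM" -keyout "$d/farm.key" -out "$d/farm.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/farm.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/demo.cnf" -extensions leaf_ext \
        -out "$d/farm.crt" 2>/dev/null || return 1
    # Same algorithm, key size and name, but signed by its own key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/demo.cnf" \
        -extensions leaf_ext -subj "/CN=$FARM" \
        -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null || return 1
}

# trusted DIR CERT HOST: true only if DIR/CERT chains to DIR/ca.crt (the root a
# client would have installed) and its subjectAltName matches HOST.
trusted() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2" 2>/dev/null |
        grep -q ': OK$'
}

demo=$(mktemp -d) && make_demo_pki "$demo" && {
    trusted "$demo" farm.crt "$FARM"            && echo "CA-issued, right name: trusted"
    trusted "$demo" self.crt "$FARM"            || echo "self-signed: warning"
    trusted "$demo" farm.crt rdp01.corp.example || echo "CA-issued, wrong name: warning"
}
rm -rf "$demo"
```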
