Letsencrypt wildcard certificate on Windows server

Hi All,

I have to generate a letsencrypt wildcard certificate for one of our RD Gateway servers (Windows server). I have used ACMESharp 0.9.1.326. I have run the commands below successfully:

  1. Save-Module -Name ACMESharp -Path 'C:\Program Files\WindowsPowerShell\Modules'
  2. Install-Module -Name ACMESharp
  3. Import-Module ACMESharp
  4. Initialize-ACMEVault
  5. New-ACMERegistration -Contacts mailto:somebody@example.org -AcceptTos

My domain is: *.abc-dc.com (can not share the client domain)

I ran this command: New-ACMEIdentifier -Dns '*.abc-dc' -Alias dns1

It produced this output:

    New-ACMEIdentifier : Error creating new authz :: Wildcard names not supported
    At line:1 char:1
    + New-ACMEIdentifier -Dns '*.abc-dc.com' -Alias dns1
        + CategoryInfo          : InvalidData: (ACMESharp.Vault.Model.IdentifierInfo:IdentifierInfo) [New-ACMEIdentifier], AcmeWebException
        + FullyQualifiedErrorId : urn:acme:error:malformed (400),ACMESharp.POSH.NewIdentifier

My web server is (include version):

The operating system my web server runs on is (include version): Windows server 2016 (aws instance)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NA

Well, the error message says it all, doesn't it?

ACMESharp doesn't support ACME v2 and thus, doesn't support wildcard certificates.

Posh-ACME supports ACMEv2 and wildcard certs and includes a number of DNS plugins for common providers.


Getting an error while running "New-PACertificate '*.abc-dc.com' -DnsPlugin Route53 -PluginArgs $r53Params"

I have successfully run the following commands:

  1. Save-Module -Name Posh-ACME -Path 'C:\Program Files\WindowsPowerShell\Modules'
  2. Install-Module -Name Posh-ACME
  3. Set-AWSCredential -StoreAs 'certbot-testuser' -AccessKey 'XXXXXXXXXXX' -SecretKey 'XXXXXXXXXX'
  4. Initialize-AWSDefaultConfiguration -ProfileName 'certbot-user'
  5. $r53Params = @{R53ProfileName='certbot-user'}

Below is the error message while running the final command "New-PACertificate '*.abc-dc.com' -DnsPlugin Route53 -PluginArgs $r53Params":

    New-Object : Cannot find type [Org.BouncyCastle.Security.SecureRandom]: verify that the assembly containing this type is loaded.
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:38 char:20
    +     $sRandom = New-Object Org.BouncyCastle.Security.SecureRandom
    +                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
        + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

    New-Object : Cannot find type [Org.BouncyCastle.Crypto.Generators.RsaKeyPairGenerator]: verify that the assembly containing this type is loaded.
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:65 char:23
    + … $rsaGen = New-Object Org.BouncyCastle.Crypto.Generators.RsaKeyPairG …
    +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
        + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

    New-Object : Cannot find type [Org.BouncyCastle.Crypto.KeyGenerationParameters]: verify that the assembly containing this type is loaded.
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:66 char:25
    + … $genParam = New-Object Org.BouncyCastle.Crypto.KeyGenerationParameter …
    +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
        + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

    You cannot call a method on a null-valued expression.
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:67 char:13
    +         $rsaGen.Init($genParam)
    +         ~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull

    You cannot call a method on a null-valued expression.
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:68 char:13
    +         $keyPair = $rsaGen.GenerateKeyPair()
    +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull

    Export-Pem : Cannot bind argument to parameter 'InputObject' because it is null.
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:73 char:20
    +     Export-Pem $keyPair $keyFile
    +                ~~~~~~~~
        + CategoryInfo          : InvalidData: (:) [Export-Pem], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Export-Pem

    New-Object : Cannot find type [Org.BouncyCastle.Asn1.X509.X509Name]: verify that the assembly containing this type is loaded.
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:80 char:16
    + … $subject = New-Object Org.BouncyCastle.Asn1.X509.X509Name("CN=$($Ord …
    +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
        + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

    New-Object : Cannot find type [Collections.Generic.Dictionary[Org.BouncyCastle.Asn1.DerObjectIdentifier,Org.BouncyCastle.Asn1.X509.X509Extension]]: verify that the assembly containing this
    type is loaded.
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:83 char:16
    + … $extDict = New-Object 'Collections.Generic.Dictionary[Org.BouncyCast …
    +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
        + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

    New-Object : Cannot find type [Org.BouncyCastle.Asn1.X509.BasicConstraints]: verify that the assembly containing this type is loaded.
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:86 char:134
    + … OctetString(New-Object Org.BouncyCastle.Asn1.X509.BasicConstraints($f …
    +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
        + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

    Unable to find type [Org.BouncyCastle.Asn1.X509.KeyUsage].
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:87 char:172
    + … stle.Asn1.X509.KeyUsage([Org.BouncyCastle.Asn1.X509.KeyUsage]::Digita …
    +                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (Org.BouncyCastle.Asn1.X509.KeyUsage:TypeName) [], RuntimeException
        + FullyQualifiedErrorId : TypeNotFound

    Unable to find type [Org.BouncyCastle.Asn1.X509.KeyPurposeID].
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:88 char:184
    + … 09.ExtendedKeyUsage([Org.BouncyCastle.Asn1.X509.KeyPurposeID]::IdKPSe …
    +                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (Org.BouncyCastle.Asn1.X509.KeyPurposeID:TypeName) [], RuntimeException
        + FullyQualifiedErrorId : TypeNotFound

    Unable to find type [Org.BouncyCastle.Asn1.X509.GeneralName].
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:91 char:98
    + … sn1.X509.GeneralName([Org.BouncyCastle.Asn1.X509.GeneralName]::DnsNam …
    +                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (Org.BouncyCastle.Asn1.X509.GeneralName:TypeName) [], RuntimeException
        + FullyQualifiedErrorId : TypeNotFound

    New-Object : Cannot find type [Org.BouncyCastle.Asn1.X509.GeneralNames]: verify that the assembly containing this type is loaded.
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:92 char:122
    + … OctetString(New-Object Org.BouncyCastle.Asn1.X509.GeneralNames(@(,$ge …
    +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
        + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

    New-Object : Cannot find type [Org.BouncyCastle.X509.Extension.SubjectKeyIdentifierStructure]: verify that the assembly containing this type is loaded.
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:93 char:121
    + … OctetString(New-Object Org.BouncyCastle.X509.Extension.SubjectKeyIden …
    +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
        + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

    Unable to find type [Org.BouncyCastle.Asn1.X509.X509Extensions].
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:96 char:18
    + $extDict.Add([Org.BouncyCastle.Asn1.X509.X509Extensions]::BasicCo ...
    +              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (Org.BouncyCastl…X509Extensions:TypeName) [], RuntimeException
        + FullyQualifiedErrorId : TypeNotFound

    Unable to find type [Org.BouncyCastle.Asn1.X509.X509Extensions].
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:97 char:18
    + $extDict.Add([Org.BouncyCastle.Asn1.X509.X509Extensions]::KeyUsag ...
    +              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (Org.BouncyCastl…X509Extensions:TypeName) [], RuntimeException
        + FullyQualifiedErrorId : TypeNotFound

    Unable to find type [Org.BouncyCastle.Asn1.X509.X509Extensions].
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:98 char:18
    + $extDict.Add([Org.BouncyCastle.Asn1.X509.X509Extensions]::Extende ...
    +              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (Org.BouncyCastl…X509Extensions:TypeName) [], RuntimeException
        + FullyQualifiedErrorId : TypeNotFound

    Unable to find type [Org.BouncyCastle.Asn1.X509.X509Extensions].
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:99 char:18
    + $extDict.Add([Org.BouncyCastle.Asn1.X509.X509Extensions]::Subject ...
    +              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (Org.BouncyCastl…X509Extensions:TypeName) [], RuntimeException
        + FullyQualifiedErrorId : TypeNotFound

    Unable to find type [Org.BouncyCastle.Asn1.X509.X509Extensions].
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:100 char:18
    + $extDict.Add([Org.BouncyCastle.Asn1.X509.X509Extensions]::Subject ...
    +              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (Org.BouncyCastl…X509Extensions:TypeName) [], RuntimeException
        + FullyQualifiedErrorId : TypeNotFound

    New-Object : Cannot find type [Org.BouncyCastle.Asn1.X509.X509Extensions]: verify that the assembly containing this type is loaded.
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:110 char:19
    + … xtensions = New-Object Org.BouncyCastle.Asn1.X509.X509Extensions($ext …
    +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
        + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

    Unable to find type [Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers].
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:111 char:110
    + … tributePkcs([Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers]::Pkcs9 …
    +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (Org.BouncyCastl…jectIdentifiers:TypeName) [], RuntimeException
        + FullyQualifiedErrorId : TypeNotFound

    New-Object : Cannot find type [Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest]: verify that the assembly containing this type is loaded.
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:114 char:12
    + $req = New-Object Org.BouncyCastle.Pkcs.Pkcs10CertificationReques ...
    +        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
        + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

    Export-Pem : Cannot bind argument to parameter 'InputObject' because it is null.
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:117 char:16
    + Export-Pem $req $reqFile
    +            ~~~~
        + CategoryInfo          : InvalidData: (:) [Export-Pem], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Export-Pem

    You cannot call a method on a null-valued expression.
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\New-Csr.ps1:120 char:12
    + return (ConvertTo-Base64Url $req.GetEncoded())
    +        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull

    Error parsing certificate request: asn1: syntax error: sequence truncated
    At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\2.7.0\Private\Invoke-ACME.ps1:135 char:9
    +     throw [AcmeException]::new($acmeError.detail,$acmeError)
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OperationStopped: (:) [], AcmeException
        + FullyQualifiedErrorId : Error parsing certificate request: asn1: syntax error: sequence truncated

The problem is that the module can’t load the BouncyCastle crypto library that it depends on. 99% of the time, the reason is that your .NET Framework version isn’t high enough. The Posh-ACME 2.7 version that you’re running should have thrown a warning about the .NET version the first time you ran a command (which was most likely the New-PACertificate command).

Can you open a new powershell session and run Import-Module Posh-ACME to verify? Bottom line, the module requires .NET 4.7.1 or higher. And if you don’t have that, the warning on import should say what version was detected if it’s not high enough.

You are absolutely correct. I got this message:

    WARNING: **********************************************************************
    WARNING: Insufficient .NET version. Found .NET 4.7 (build 460805).
    WARNING: .NET 4.7.1 or later is required to ensure proper functionality.
    WARNING: **********************************************************************

So upgrading the .NET framework will fix this issue?

That is correct. Close any open PowerShell sessions, install 4.7.1 (or 4.7.2 which is the latest at the moment), and you should be good to go.
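The warning above comes from the module itself; the same check can be run by hand before importing the module, which is useful when preparing a new server or verifying an upgrade actually took effect. The function below is an added example and is not part of the thread or of the Posh-ACME project. It reads the `Release` value of the .NET Framework 4.x registry key and compares it against the 4.7.1 minimum named in the reply. The release-to-version thresholds are Microsoft's documented values for that key (4.7 = 460798, 4.7.1 = 461308, 4.7.2 = 461808, 4.8 = 528040); the build 460805 reported in the warning above falls below the 4.7.1 threshold, which is exactly what the module complained about.

```powershell
# Added example, not from the thread or the Posh-ACME module: check that the
# installed .NET Framework 4.x release meets the 4.7.1 minimum Posh-ACME 2.7 needs.
function Test-PoshAcmeDotNet {
    [CmdletBinding()]
    param(
        # 461308 is the lowest Release value Microsoft documents for .NET Framework 4.7.1
        [int]$MinimumRelease = 461308
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release

    if (-not $release) {
        # No 4.x Full profile key at all: the machine predates .NET 4.5
        return [pscustomobject]@{ Release = $null; Version = 'pre-4.5'; MeetsMinimum = $false }
    }

    # Map the Release value onto a friendly version. Thresholds are the lowest
    # documented Release for each version, so "greater or equal" is the right test.
    $version = switch ($release) {
        { $_ -ge 528040 } { '4.8 or later'; break }
        { $_ -ge 461808 } { '4.7.2'; break }
        { $_ -ge 461308 } { '4.7.1'; break }
        { $_ -ge 460798 } { '4.7';   break }
        { $_ -ge 394802 } { '4.6.2'; break }
        default           { 'older than 4.6.2' }
    }

    [pscustomobject]@{
        Release      = $release
        Version      = $version
        MeetsMinimum = ($release -ge $MinimumRelease)
    }
}

# Usage: run this in a fresh session before Import-Module Posh-ACME.
$dotnet = Test-PoshAcmeDotNet
if (-not $dotnet.MeetsMinimum) {
    Write-Warning ("Found .NET {0} (Release {1}); install .NET Framework 4.7.1 or later " +
                   "and close every PowerShell session before retrying.") -f $dotnet.Version, $dotnet.Release
} else {
    Write-Host ("OK: .NET {0} (Release {1}) is new enough for Posh-ACME." -f $dotnet.Version, $dotnet.Release)
}
```

Because the .NET Framework is loaded once per process, an upgrade is only picked up by PowerShell sessions started after the installer (and any reboot it asks for) has finished, which is why the reply says to close open sessions first.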

You are amazing… I successfully installed wildcard certificate.

Do you have any powershell script to automate this installation and renewing the certificate ?

There’s a -Install flag you can use with New-PACertificate that will attempt to import the completed cert into the Windows certificate store for the local computer account (which is generally where it needs to go when using a cert with various Windows services). You must elevate (run as admin) your PowerShell session for it to work though. If you forgot to include it in your first run, just re-run the same New-PACertificate command again with -Install. You may need to include -Force as well to ignore the renewal window check for that call.

Renewals are usually handled by running Submit-Renewal as a scheduled task once or twice a day (pick a random time to ease the load on Let’s Encrypt). It won’t actually renew each time it is called. It will check if it has reached the appropriate renewal window (roughly 30 days before expiration) and then renew. If you have more than one cert on the box, you should add the primary domain as an argument so it knows which one to renew. Make sure your scheduled task has “Run with highest privileges” turned on if you’re using the -Install flag.

The only thing the module doesn’t really handle on its own right now is interacting with things like IIS, SQL, RDS, etc. to point them at the new cert. I have a sister module (still in early dev) called Posh-ACME.Deploy that takes a stab at automating that sort of stuff. For example, it has an IIS function that you might use like this in your scheduled task.

Submit-Renewal example.com | Set-IISCertificate -SiteName "My IIS Site" -RemoveOldCert

This will attempt to bind the new cert to the “My IIS Site” in IIS and then remove the old cert from the Windows cert store. There are additional optional parameters for things like port, IP binding, host headers, and SNI. The module is not in the PS Gallery yet. But you can install it straight from GitHub for the time being (check the readme for details).
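The reply above lays out the pieces of a renewal job: a daily or twice-daily scheduled task at a random time, Submit-Renewal with the primary domain as an argument, elevation so -Install can write to the local computer store, and an optional Posh-ACME.Deploy step piped off Submit-Renewal. The script below is an added example that registers such a task with the built-in ScheduledTasks cmdlets; it is not from the thread or from the Posh-ACME project. It assumes Posh-ACME and Posh-ACME.Deploy are already installed, that `example.com` stands in for the order's main domain, and that `My IIS Site` is the IIS site name from the reply (remove the Set-IISCertificate part if only -Install is wanted, as on an RD Gateway host).

```powershell
# Added example, not from the thread or the Posh-ACME project: register the
# renewal described above as an elevated daily scheduled task.
$MainDomain = 'example.com'        # placeholder: the primary domain of the Posh-ACME order
$SiteName   = 'My IIS Site'        # placeholder: IIS site to rebind; drop for RD Gateway-only hosts
$TaskName   = 'Posh-ACME Renewal'

# Posh-ACME keeps its orders and account keys under the requesting user's profile,
# so the task must run as the same account that ran New-PACertificate.
# Running it as SYSTEM would look in an empty profile and find nothing to renew.
$RunAs = "$env:USERDOMAIN\$env:USERNAME"

# Submit-Renewal only renews once the cert is inside its renewal window, so a
# daily run is safe. The pipeline into Set-IISCertificate is the deployment
# step from the reply above; remove it (and the Deploy import) if not needed.
$Command = "Import-Module Posh-ACME; Import-Module Posh-ACME.Deploy; " +
           "Submit-Renewal '$MainDomain' | Set-IISCertificate -SiteName '$SiteName' -RemoveOldCert"

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"$Command`""

# A random minute in the 03:00 hour spreads load on Let's Encrypt, as the reply suggests.
$Minute  = Get-Random -Minimum 0 -Maximum 60
$Trigger = New-ScheduledTaskTrigger -Daily -At ('03:{0:D2}' -f $Minute)

# -RunLevel Highest is the "Run with highest privileges" checkbox, needed for -Install
# to import into the LocalMachine store. A stored password lets the task run
# whether or not the account is logged on.
$Password = Read-Host -Prompt "Password for $RunAs (stored by Task Scheduler)" -AsSecureString
$Plain    = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -User $RunAs -Password $Plain -RunLevel Highest -Force

# Confirm the task exists and kick off a first run to check the pipeline end to end.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
Start-ScheduledTask -TaskName $TaskName
```

Register-ScheduledTask only accepts the password as plain text in that parameter set, which is why the SecureString is unwrapped right before the call; the variable lives only for the duration of the registration session. When troubleshooting, run the same pipeline interactively with -Verbose first, since a task running non-interactively has nowhere to show its output.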

Thank you @rmbolger :slight_smile:

After running "New-PACertificate '*.abc.dc.com' -AcceptTOS -Contact XXX@example.com -DnsPlugin Route53 -PluginArgs $r53Params -Install -Force", I can see my certificate available to import in RD Gateway from the local computer/personal store. Are there any cmdlets which can automate this importing process, as I do not have to bind this certificate to any IIS website? I just want this newly generated certificate to get automatically imported into RD Gateway Manager.

Thank you very much in advance.

The Posh-ACME.Deploy module I linked earlier has a function for RD Gateway as well. You’d use it like this:

Submit-Renewal example.com | Set-RDGWCertificate -RemoveOldCert

If you’ve already generated the cert and don’t want to force a renewal, you can test out the deployment function like this.

Get-PACertificate example.com | Set-RDGWCertificate -RemoveOldCert

@rmbolger

Are the rest of the steps the same for the Posh-ACME.Deploy module as for Posh-ACME, or is there another set of commands?

I have saved your Posh-ACME.Deploy module in 'C:\Program Files\WindowsPowerShell\Modules' but I am unable to save or install the module. Could you please help with the steps as well so I can test this module :slight_smile:

Thanks again in advance!

Also, when I tried importing the existing certificate manually in RD Gateway Manager, it asked me for a password, which I was not aware of.

It’s probably easier to install Posh-ACME.Deploy using the instructions from the readme since I haven’t released it to the PowerShell Gallery yet.

iex (invoke-restmethod https://raw.githubusercontent.com/rmbolger/Posh-ACME.Deploy/master/instdev.ps1)

The default PFX password is poshacme unless you set it to something else using the -PfxPass parameter when you requested the cert originally. But if you’re using the functions in Posh-ACME.Deploy, you won’t need to know it because it’s passed automatically via the pipeline as a SecureString object.

When I gave the manual command, I got the following:

    PS C:\Users\Administrator> Set-RDCertificate -Role RDGateway -ConnectionBroker "EC2AMAZ-VGEGMBI" -ImportPath "C:\Users\Administrator\Downloads\cert.pfx" -Password $Password
    Set-RDCertificate : Deployment does not contain an RD Gateway server.
    At line:1 char:2
    + Set-RDCertificate -Role RDGateway -ConnectionBroker "EC2AMAZ-VGEGMBI …
        + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
        + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-RDCertificate

Set-RDCertificate is the native function from the RemoteDesktop module and requires you to have done a full RD “deployment” first. Set-RDGWCertificate is the function from Posh-ACME.Deploy. Similar, but different. Use the module one like I showed earlier.

Not able to work with the Posh-ACME.Deploy module. I ran the following command successfully:

  1. iex (invoke-restmethod https://raw.githubusercontent.com/rmbolger/Posh-ACME.Deploy/master/instdev.ps1)

It executed successfully and installed all 3 modules for installing certificates for IIS and RD Gateway. When I run the Set-RDGWCertificate command, it does not throw any error and executes, but there is no certificate installed or created.

Please help with the installation. You have helped me all the way and now this is the last step, importing the certificate. Thanks in advance @rmbolger

Did you run it like I mentioned earlier? You might want to add the -Verbose flag to see some output as well.

Get-PACertificate example.com | Set-RDGWCertificate -RemoveOldCert -Verbose

Ryan

@rmbolger please see the command and output below.

Command: $currentCert = Get-RDCertificate -Role RDGateway

Output:

    Get-RDCertificate : A Remote Desktop Services deployment does not exist on EC2AMAZ-C52RRJS. This operation can be
    performed after creating a deployment. For information about creating a deployment, run "Get-Help
    New-RDVirtualDesktopDeployment" or "Get-Help New-RDSessionDeployment".
    At line:1 char:16
    + $currentCert = Get-RDCertificate -Role RDGateway
    +            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
        + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-RDCertificate

I have installed all features except “Remote Desktop Virtualization Host” under the “Remote Desktop Services” role in Windows 2016. I have also installed “Remote Desktop Service Installation” on this server.

You’re using the wrong command again. Get-PACertificate is from Posh-ACME. Get-RDCertificate is from the built-in RemoteDesktop module which you don’t need and can’t currently use because you haven’t created a “Deployment” (which you also don’t need just to use RD Gateway). Installing the roles doesn’t create a deployment. If that’s what you actually want, you might need to do some additional reading on how to set up Remote Desktop services. It’s sort of beyond the scope of help I’m willing to give here.