Remote Desktop Services (RDS) uses certificates to secure connections from the client all the way through to the remote session host. Creating the CSR is fairly easy; the only gotcha is that you need to include SANs (subject alternative names) for every server in the farm, because clients connect to the individual session hosts as well as to the farm name, and each name they see has to match the certificate. Microsoft recommends a wildcard cert if you have more than 5 servers. Some InfoSec teams have a heart attack if you ask for a wildcard cert, though. I managed to get more than 5 servers working on a non-wildcard cert, but I'm not sure how this would affect the support status of that farm.
Also, don't forget to add the DNS alias for the farm (both the FQDN and the short name, as in the template below); otherwise users will be prompted with certificate errors when they connect through the alias.
[Version]
Signature="$Windows NT$"
[NewRequest]
; The CN is the host creating the request; every other name goes in the SAN extension below.
Subject="CN=server001.domain.local,OU=IT,O=Company Name,L=Banbury,S=Northamptonshire,C=GB"
KeySpec = 1
KeyLength = 2048
; Exportable is required so the key can be moved to the other farm hosts as a PFX; protect that PFX like a password.
Exportable = TRUE
MachineKeySet = TRUE
; "Microsoft Enhanced RSA and AES Cryptographic Provider" is PROV_RSA_AES, provider type 24.
; Type 12 is the RSA SChannel provider and does not match this provider name.
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
; Request a SHA-256 signature; most CAs no longer issue SHA-1 certificates.
HashAlgorithm = sha256
RequestType = PKCS10
; 0xa0 = Digital Signature (0x80) + Key Encipherment (0x20)
KeyUsage = 0xa0
[Extensions]
; 2.5.29.17 is the Subject Alternative Name extension. Entries are joined with '&',
; so every line except the last must end with '&'. List FQDN and short name for
; each session host, plus the farm alias in both forms.
2.5.29.17 = "{text}"
_continue_ = "dns=server001.domain.local&"
_continue_ = "dns=server001&"
_continue_ = "dns=server002.domain.local&"
_continue_ = "dns=server002&"
_continue_ = "dns=RDSFarmDnsAlias.domain.local&"
_continue_ = "dns=RDSFarmDnsAlias"
Generate the request from the template with certreq (-f overwrites the output file if it already exists):
Certreq -new -f <template file> <output file>
Submit the resulting request to your CA, then install the issued certificate with certreq -accept on the same machine so it is bound to the pending private key; from there it can be exported as a PFX for the other farm hosts.
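The following PowerShell script is an added example, not part of the original post. It builds the certreq template above from a list of session hosts and the farm alias, generates the request, and then checks the CSR with certutil -dump to confirm every expected name is in the SAN list before it goes to the CA. It also includes a function to run the same coverage check against the installed certificate. The domain, host names, alias and file paths are assumptions taken from the post's example; adjust them for your farm.

```powershell
# Added example (not the original post's script). Assumes the domain, alias and
# host names below. Run in an elevated PowerShell session on the host that should
# hold the private key (MachineKeySet = TRUE in the template).
$Domain    = 'domain.local'                        # assumption
$FarmAlias = 'RDSFarmDnsAlias'                     # assumption
$Hosts     = @('server001', 'server002')           # assumption: all session hosts
$Subject   = "CN=$($Hosts[0]).$Domain,OU=IT,O=Company Name,L=Banbury,S=Northamptonshire,C=GB"
$InfPath   = Join-Path $env:TEMP 'rds-san.inf'     # assumption: scratch paths
$ReqPath   = Join-Path $env:TEMP 'rds-san.req'

# Every name a client can be told to connect to: FQDN and short name of each host,
# plus the farm alias in both forms. Leaving any of these out is what produces the
# certificate prompt the post warns about.
$SanNames  = foreach ($h in $Hosts) { "$h.$Domain"; $h }
$SanNames += "$FarmAlias.$Domain", $FarmAlias
$SanNames  = @($SanNames | Select-Object -Unique)

# certreq's {text} SAN syntax joins entries with '&', so every line except the
# last one needs a trailing '&'.
$SanLines = for ($i = 0; $i -lt $SanNames.Count; $i++) {
    $sep = if ($i -lt $SanNames.Count - 1) { '&' } else { '' }
    "_continue_ = `"dns=$($SanNames[$i])$sep`""
}

$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject="$Subject"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
HashAlgorithm = sha256
RequestType = PKCS10
KeyUsage = 0xa0

[Extensions]
2.5.29.17 = "{text}"
$($SanLines -join "`r`n")
"@
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Generate the request; -f overwrites an existing output file.
& certreq.exe -new -f $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Returns the expected names that are NOT present in $ActualNames (empty = full coverage).
function Get-MissingSanNames {
    param([string[]]$ExpectedNames, [string[]]$ActualNames)
    $ExpectedNames | Where-Object { $ActualNames -notcontains $_ }
}

# certutil -dump prints each SAN entry of a PKCS10 request as "DNS Name=<name>".
$Dump      = & certutil.exe -dump $ReqPath
$CsrNames  = $Dump | ForEach-Object {
    if ($_ -match 'DNS Name=(\S+)') { $Matches[1] }
}
$Missing = Get-MissingSanNames -ExpectedNames $SanNames -ActualNames $CsrNames
if ($Missing) {
    Write-Warning "CSR is missing SAN entries: $($Missing -join ', ')"
} else {
    Write-Host "CSR $ReqPath covers all $($SanNames.Count) names; submit it to the CA."
}

# After 'certreq -accept issued.cer' (and after importing the PFX on the other
# hosts), run this on each session host to confirm the installed certificate
# really covers every name. $Thumbprint is the issued certificate's thumbprint.
function Test-RdsCertCoverage {
    param([string]$Thumbprint, [string[]]$ExpectedNames)
    $cert  = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $names = $cert.DnsNameList | ForEach-Object { $_.Unicode }
    Get-MissingSanNames -ExpectedNames $ExpectedNames -ActualNames $names
}
```

Regenerating the template from the host list means adding a server to the farm is a one-line change rather than a hand edit of the `_continue_` block, and the certutil check catches a dropped `&` or a forgotten alias before the CA has issued anything. The coverage function is deliberately the same for the CSR and the installed certificate, so the list of names you verified in the request is the list you verify on every host afterwards.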