Creating CSRs For RDS 2012/2016 Farm Certificates Using a Template

Remote Desktop Services (RDS) uses certificates to secure connections from the client all the way through to the remote session host. Creating the CSR is pretty easy, but the one gotcha is that you need to include SANs (subject alternative names) for all the servers in the farm. Microsoft recommends a wildcard cert if you have over 5 servers. Some InfoSec teams have a heart attack if you ask for a wildcard cert though. I managed to get more than 5 servers working on a non-wildcard cert, but I'm not sure how this would affect the support status of that farm.

Also don’t forget to add the DNS alias for the farm, otherwise users will get prompted with cert errors when they try to connect.

  • Create a text file containing the below; this will be your template file. Change KeyLength if you are not using 2048.
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject="CN=server001.domain.local,OU=IT,O=Company Name,L=Banbury,S=Northamptonshire,C=GB"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage=0xa0

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=server001.domain.local&"
_continue_ = "dns=server001&"
_continue_ = "dns=server002.domain.local&"
_continue_ = "dns=server002&"
_continue_ = "dns=RDSFarmDnsAlias.domain.local&"
_continue_ = "dns=RDSFarmDnsAlias"
  • Copy the template file to an RDS server (I used the connection broker) and run this command from an elevated command prompt
Certreq -new -f <template file> <output file>
  • Submit your CSR (output File) to your CA and it will give you the cert you need
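The three steps above can be scripted so the SAN list is generated from a list of host names rather than typed by hand, which is where mistakes usually creep in (a missing `&`, a forgotten farm alias). The PowerShell below is an added example, not code from the original post: it builds the same .inf template, calls certreq.exe to produce the CSR, and, once the CA has returned the certificate, dumps the SAN extension so you can confirm every host and the farm alias are present before the cert is pushed to the deployment. The server names, domain, subject, file paths and the issued-certificate file name are placeholders for your environment. One caveat worth knowing before you submit: publicly trusted CAs stopped issuing certificates containing internal names (short host names, `.local` suffixes) in 2015, so a template with those entries will only be accepted by an internal enterprise CA.

```powershell
# Added example (not the original post's code). Builds a certreq .inf template
# for an RDS farm from a host list, generates the CSR, and verifies the SANs
# on the issued certificate. All names and paths are placeholders.

function New-RdsFarmCsr {
    param(
        [string[]]$ServerNames = @('server001', 'server002'),   # placeholder hosts
        [string]$DnsSuffix     = 'domain.local',                 # placeholder domain
        [string]$FarmAlias     = 'RDSFarmDnsAlias',              # placeholder farm alias
        [string]$Subject       = 'CN=server001.domain.local,OU=IT,O=Company Name,L=Banbury,S=Northamptonshire,C=GB',
        [int]$KeyLength        = 2048,
        [string]$OutDir        = "$env:TEMP\rds-csr"
    )

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $infPath = Join-Path $OutDir 'rds-farm.inf'
    $csrPath = Join-Path $OutDir 'rds-farm.req'

    # Every host gets its FQDN and its short name; the farm DNS alias goes in
    # as well, otherwise clients connecting to the alias get a name mismatch.
    [string[]]$sanNames = @(foreach ($s in $ServerNames) { "$s.$DnsSuffix"; $s })
    $sanNames += "$FarmAlias.$DnsSuffix", $FarmAlias

    # certreq's {text} syntax: every entry except the last must end with '&'.
    $sanLines = for ($i = 0; $i -lt $sanNames.Count; $i++) {
        $sep = if ($i -lt $sanNames.Count - 1) { '&' } else { '' }
        "_continue_ = `"dns=$($sanNames[$i])$sep`""
    }

    # Exportable = TRUE is required: RDS pushes the cert to every host as a .pfx.
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject="$Subject"
KeySpec = 1
KeyLength = $KeyLength
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage=0xa0

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@

    Set-Content -Path $infPath -Value $inf -Encoding ASCII
    Write-Host "Template written to $infPath"

    # MachineKeySet = TRUE stores the private key in the machine store, so this
    # must run from an elevated prompt, ideally on the connection broker.
    & certreq.exe -new -f $infPath $csrPath
    if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
    Write-Host "CSR written to $csrPath - submit this file to your CA"
    return $csrPath
}

function Test-RdsFarmCertificateSans {
    # Run this after the CA has returned the certificate (placeholder file name).
    param([string]$CertPath = "$env:TEMP\rds-csr\rds-farm.cer")

    if (-not (Test-Path $CertPath)) { throw "Issued certificate not found at $CertPath" }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { throw 'Certificate has no Subject Alternative Name extension' }

    # Prints one "DNS Name=..." line per SAN; check every host and the farm alias is listed.
    $san.Format($true)
}

New-RdsFarmCsr
# After issuance:
# Test-RdsFarmCertificateSans -CertPath 'C:\path\to\issued.cer'
```

The script keeps the template identical in content to the one above; it only automates the SAN block, so the CSR can be regenerated from the same host list whenever a session host is added to the farm.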