So here's the thing. I am still working on my Win2012 RDS test project. We use self-signed certificates here, issued through a Linux VM running openssl. That's been working fine for years; IIS requests a cert; I issue it; import it into IIS; everybody is happy. (I've already imported my Linux CA root certificate, so all my self-issued certs are trusted.)
BUT: my Win2012 RDS servers don't like the cert I am issuing when I try to use it in the RDS deployment (IIS on Win2012 has no problems with it; I get https traffic to my Win2012 IIS just fine). When I try to point to the existing certificate during RDS deployment, it tells me: "The specified certificate is not valid. The certificate properties must match the requirements of the role service." Much digging tells me that:

----------
Certificates for RD Gateway must meet these requirements: The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).
----------

I think I have figured it out: my Linux openssl needs an "extendedKeyUsage=serverAuth" in its config. But what do I do about the fact that I have already imported a certificate? The cert is valid, just not valid for RDS purposes. Do I need to revoke the current cert somehow? Make a new request; sign it with the new extension properties; re-import it? I'm not sure how to deal with the current cert, so I can remove it and use a new one with new extension properties.
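The post's conclusion is that the openssl signing step needs extendedKeyUsage=serverAuth so the leaf certificate carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1). The script below is an added example, not part of the original post and not the poster's actual CA setup: it builds a throwaway root CA and CSR, signs the CSR with an extension file that sets that EKU, and then checks the resulting certificate for the EKU before it would be imported into Windows. All file names, the working directory and the subject names (rds.example.test, "Example Lab Root CA") are constructed placeholders; the only real settings are the openssl options and the extension file keys.

```shell
#!/bin/sh
# Added example (not from the original post): sign a CSR with a private
# openssl CA so the leaf certificate carries the Server Authentication EKU,
# then verify the EKU is present before importing the cert into Windows.
# All paths and subject names below are constructed placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. A throwaway root CA (stands in for the existing Linux CA). Note that a
#    plain "req -x509" CA cert carries no EKU at all, which is fine for a root.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example Lab Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# 2. A CSR for the server (stands in for the request generated on the
#    Windows side; the key is generated here only to keep the example offline).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=rds.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1

# 3. The extension file applied at signing time. extendedKeyUsage=serverAuth
#    is the line the role service requirement in the post is asking for; the
#    SAN is the name the RDS clients will actually connect to.
cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:rds.example.test
EOF

# 4. Sign the CSR with the CA, applying the extension file. Extensions from
#    -extfile are what end up in the certificate; a CSR's own extension
#    requests are ignored by "x509 -req" unless you copy them explicitly.
sign_server_cert() {
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# 5. Pre-import check: does the certificate carry the Server Authentication
#    EKU? openssl prints it as "TLS Web Server Authentication" under the
#    "X509v3 Extended Key Usage" heading. Prints yes/no and returns 0/1.
has_server_auth_eku() {
  if openssl x509 -in "$1" -noout -text \
       | grep -A1 'X509v3 Extended Key Usage' \
       | grep -q 'TLS Web Server Authentication'; then
    echo yes
    return 0
  else
    echo no
    return 1
  fi
}

sign_server_cert
# Expect "yes" for the freshly signed server cert.
has_server_auth_eku "$WORK/server.crt"
```

Running the check against the old certificate that was already imported (with `openssl x509 -in old.crt -noout -text`) shows whether it lacks the EKU, and running it against the newly signed one confirms the extension made it in before the cert is handed to the RDS deployment wizard.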

