You are making this WAY too hard. Install Certificate Services on one of your Windows servers. Make it a root CA for the domain. Use the IIS management console and/or the "Certificates" MMC to request and install certificates. Done.
Domain computers will automatically trust the root cert.

From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Tuesday, October 29, 2013 1:51 PM
To: [email protected]
Subject: [NTSysADM] Win 2012 RDS and locally issued certificates - some observations

So I've been working on my proof-of-concept RDS environment, to test running a specific application as RDS. Here's something I've found out about using self-issued certificates. (I have a Linux VM that I am using as a CA, so I can issue my own local certificates.)

Obviously, step one is to import the CA certificate as a trusted root certificate authority on all machines in question. I plan on eventually doing this via GPO.

If you are going to use your own self-issued certificates, the certificate used by RDS needs to have specific capabilities, for the different parts of RDS.

---------
RDS: The RD Gateway server must be configured to use a valid SSL certificate
http://technet.microsoft.com/en-us/library/dd320340(v=ws.10).aspx

Certificates for RD Gateway must meet these requirements: The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).

---------
Windows Server 2012 RD Connection Broker Publishing development certificate
http://social.technet.microsoft.com/Forums/windowsserver/en-US/b11e72fb-c3e2-4add-9a15-66b4cefeef83/windows-server-2012-rd-connection-broker-publishing-development-certificate

Key Usage is Digital signature, Key Encipherment, Data Encipherment (b0). Enhanced Key Usage is serverAuthentication+Client Authentication.

---------
So - in my case, I use openssl on Linux for my self-signed certs - I had to add these lines to my configuration:

keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth

(I put them in a special config file, and used that config specifically for this certificate; otherwise the signed cert wouldn't get all these options.)

The certificate request from IIS in Win2012 apparently requests these properties. So your CA needs to be configured to honor these requested capabilities. I made a wildcard request (hostname was *.mydomain.com, so I could use it for any session host/web access host). Then, when I signed the request, the signed certificate had these properties (there's an openssl command to show the properties of a cert, from the command line):

X509v3 extensions:
    X509v3 Key Usage:
        Digital Signature, Key Encipherment, Data Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication

This was the cert I imported into IIS. I then exported that cert (which makes it a *.PFX file, which is what RDS wants; the cert I usually return is not a PFX format, which has both public and private key in it). Then when I import that cert for use in the RDS deployment, it accepts it. You then have to make it trusted, which is a separate step, and involves a WMIC command. See the link at the bottom of the email.

Then, when I run a published RemoteApp, I am not prompted that this is an untrusted application. I do tell it to not prompt me in future, and from then on, I can run any RemoteApp seamlessly, no prompting for untrusted certificates, untrusted publisher (which is a separate thing), etc.

This is a great site, all about RDS deployment. In fact, it goes into much more complicated configs than I have.

RDS 2012 Deployment and Configuration Guides
http://ryanmangansitblog.wordpress.com/2013/09/27/rds-2012-deployment-and-configuration-guides/

See especially step #8, especially the part about making the successfully imported cert "Trusted":
http://ryanmangansitblog.wordpress.com/2013/03/10/configuring-rds-2012-certificates-and-sso/

Just some FYI about Win2012 RDS, that I found out. Hope it helps.
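The openssl setup Michael describes, carried end to end as an added example (not code from the thread or its author): a throwaway lab CA, an extension file with the two lines he names, a wildcard request signed with that file, a PFX export, and a check that the signed cert really carries the Key Usage and both EKUs. It assumes openssl is installed; the CA name, file names and the mydomain.com placeholder are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the poster's openssl setup:
# a throwaway lab CA, an extension file with the two lines the post names,
# a wildcard request signed with that file, and a PFX export for RDS.
# Assumed/constructed: the CA name, file names, and the mydomain.com placeholder.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension file applied at signing time. Without it the signed cert gets
# none of the usages the CSR asks for, which is the failure the post hit.
write_ext_file() {
    cat >"$WORK/rds.ext" <<'EOF'
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:*.mydomain.com,DNS:mydomain.com
EOF
}

# Build the CA, sign the wildcard CSR with rds.ext, bundle key+cert as PFX.
# Prints the path of the signed PEM certificate.
make_rds_cert() {
    write_ext_file
    (
        cd "$WORK"
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
            -days 3650 -subj "/CN=Lab Root CA" >/dev/null 2>&1
        openssl req -newkey rsa:2048 -nodes -keyout rds.key -out rds.csr \
            -subj "/CN=*.mydomain.com" >/dev/null 2>&1
        openssl x509 -req -in rds.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 825 -extfile rds.ext -out rds.crt >/dev/null 2>&1
        # "changeit" is a placeholder export password, not a recommendation.
        openssl pkcs12 -export -inkey rds.key -in rds.crt -certfile ca.crt \
            -passout pass:changeit -out rds.pfx
    )
    echo "$WORK/rds.crt"
}

# Verify a PEM cert carries the Key Usage and both EKUs that RD Gateway and
# the Connection Broker require. Exit status 0 only when all are present.
check_rds_extensions() {
    txt=$(openssl x509 -in "$1" -noout -text) || return 1
    echo "$txt" | grep -q 'Digital Signature, Key Encipherment, Data Encipherment' &&
        echo "$txt" | grep -q 'TLS Web Server Authentication' &&
        echo "$txt" | grep -q 'TLS Web Client Authentication'
}
```

Run `make_rds_cert` and then `check_rds_extensions` on the printed path; the same check against a cert signed without `-extfile` fails, which is the symptom the post describes.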

