On Tue, Oct 29, 2013 at 2:26 PM, Ken Cornetet <[email protected]> wrote:
> You are making this WAY too hard. Install certificate services on one of your Windows servers. Make it a root CA for the domain. Use IIS management console and/or the "certificates" MMC to request and install certificates. Done.

Nope, don't want a Windows server as a CA. I have a CA that has been working for years. Note that I am NOT speaking about installing certs for IIS. Been doing that for years, and it's always worked. The problem was that the certificate I was issuing for IIS could NOT be brought into the "Deployment Options" for RDS; the error was "the specified certificate is not valid. The certificate properties must match the requirements of the role service."

> Domain computers will automatically trust the root cert.

Trusting the root cert is not the issue. I had that done first. The problem was that the IIS certificates were not valid for RDS deployment.

> From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
> Sent: Tuesday, October 29, 2013 1:51 PM
> To: [email protected]
> Subject: [NTSysADM] Win 2012 RDS and locally issued certificates - some observations
>
> So I've been working on my proof-of-concept RDS environment, to test running a specific application as RDS. Here's something I've found out about using self-issued certificates. (I have a Linux VM that I am using as a CA, so I can issue my own local certificates.)
>
> Obviously, step one is to import the CA certificate as a trusted root certificate authority on all machines in question. I plan on eventually doing this via GPO.
>
> If you are going to use your own self-issued certificates, the certificate used by RDS needs to have specific capabilities, for the different parts of RDS.
>
> ---------
>
> RDS: The RD Gateway server must be configured to use a valid SSL certificate
>
> http://technet.microsoft.com/en-us/library/dd320340(v=ws.10).aspx
>
> Certificates for RD Gateway must meet these requirements: The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).
>
> ---------
>
> Windows Server 2012 RD Connection Broker Publishing development certificate
>
> http://social.technet.microsoft.com/Forums/windowsserver/en-US/b11e72fb-c3e2-4add-9a15-66b4cefeef83/windows-server-2012-rd-connection-broker-publishing-development-certificate
>
> Key Usage is Digital Signature, Key Encipherment, Data Encipherment (b0). Enhanced Key Usage is Server Authentication + Client Authentication.
>
> ---------
>
> So - in my case, I use openssl on Linux for my self-signed certs - I had to add these lines to my configuration:
>
>     keyUsage=digitalSignature,keyEncipherment,dataEncipherment
>     extendedKeyUsage=serverAuth,clientAuth
>
> (I put them in a special config file, and used that config specifically for this certificate; otherwise the signed cert wouldn't get all these options.)
>
> The certificate request from IIS in Win2012 apparently requests these properties. So your CA needs to be configured to honor these requested capabilities. I made a wildcard request (hostname was *.mydomain.com, so I could use it for any session host/web access host).
>
> Then, when I signed the request, the signed certificate had these properties (there's an openssl command to show the properties of a cert from the command line):
>
>     X509v3 extensions:
>         X509v3 Key Usage:
>             Digital Signature, Key Encipherment, Data Encipherment
>         X509v3 Extended Key Usage:
>             TLS Web Server Authentication, TLS Web Client Authentication
>
> This was the cert I imported into IIS. I then exported that cert (which makes it a *.PFX file, which is what RDS wants; the cert I usually return is not in PFX format, which has both public and private key in it). Then when I import that cert for use in RDS deployment, it accepts it.
>
> You then have to make it trusted, which is a separate step, and involves a WMIC command. See the link at the bottom of the email.
>
> Then, when I run a published RemoteApp, I am not prompted that this is an untrusted application. I do tell it to not prompt me in future, and from then on I can run any RemoteApp seamlessly, no prompting for untrusted certificates, untrusted publisher (which is a separate thing), etc.
>
> This is a great site, all about RDS deployment. In fact, it goes into much more complicated configs than I have.
>
> RDS 2012 Deployment and Configuration Guides
>
> http://ryanmangansitblog.wordpress.com/2013/09/27/rds-2012-deployment-and-configuration-guides/
>
> See especially step #8, especially the part about making the successfully imported cert "Trusted":
>
> http://ryanmangansitblog.wordpress.com/2013/03/10/configuring-rds-2012-certificates-and-sso/
>
> Just some FYI about Win2012 RDS, that I found out. Hope it helps.
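The procedure in the quoted message, as an added example that is not code from the thread or from either poster: a shell script that replays the openssl steps against a throwaway CA, signs the same wildcard CSR once with the extension file and once without it (the case where "the signed cert wouldn't get all these options"), checks the result with `openssl x509 -text` the way the post does, and only then exports the PFX that the RDS deployment dialog wants. The CA name, the `*.example.test` wildcard, the paths under a `mktemp` directory and the export password are all constructed stand-ins, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce the openssl
# steps from the post against a throwaway CA and check the signed cert's
# Key Usage / EKU before exporting it to PFX. All names and paths are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"          # scratch directory, nothing persistent
PFX_PASS="${PFX_PASS:-demo-only}"     # constructed export password

# The two lines from the post, kept in an extension file used only for this
# cert. basicConstraints and subjectAltName are added so the result looks like
# a normal leaf cert; the wildcard name stands in for the post's *.mydomain.com.
write_rds_ext() {
    cat > "$WORK/rds.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:*.example.test,DNS:example.test
EOF
}

# Throwaway root CA standing in for the poster's Linux CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Lab Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Wildcard key + CSR, signed twice: with the extension file (what RDS
# accepts) and without it (what a CA config lacking those lines produces).
make_leaf_certs() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=*.example.test" \
        -keyout "$WORK/rds.key" -out "$WORK/rds.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/rds.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/rds.ext" -out "$WORK/rds.crt" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/rds.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/plain.crt" 2>/dev/null
}

# The "openssl command to show the properties of a cert" is `openssl x509 -text`.
# Returns 0 only if the cert carries all three key usages and both EKUs the
# post lists, 1 if any is missing, 2 if the file is not a readable certificate.
check_rds_cert() {
    txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    ku=$(printf '%s\n' "$txt" | sed -n '/X509v3 Key Usage/{n;p;}')
    eku=$(printf '%s\n' "$txt" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
    case "$ku" in
        *"Digital Signature"*"Key Encipherment"*"Data Encipherment"*) ;;
        *) return 1 ;;
    esac
    case "$eku" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
    return 0
}

# Bundle key + cert + CA chain into the PFX the RDS deployment dialog expects.
export_pfx() {
    openssl pkcs12 -export -inkey "$WORK/rds.key" -in "$WORK/rds.crt" \
        -certfile "$WORK/ca.crt" -passout "pass:$PFX_PASS" -out "$WORK/rds.pfx"
}

write_rds_ext
make_ca
make_leaf_certs
if check_rds_cert "$WORK/rds.crt"; then
    echo "rds.crt: Key Usage and EKU meet the RDS requirements"
else
    echo "rds.crt: required extensions missing, not exporting"; exit 1
fi
if check_rds_cert "$WORK/plain.crt"; then
    echo "plain.crt: unexpectedly carries the extensions"
else
    echo "plain.crt: signed without the extension file, RDS would reject it"
fi
export_pfx
echo "PFX written to $WORK/rds.pfx"
```

`check_rds_cert` is the part worth keeping: run it on the PEM your real CA hands back before you export anything, because a CA that silently drops the requested extensions yields exactly the "certificate properties must match the requirements of the role service" failure the thread describes, and that is cheaper to catch on the CA than in the RDS deployment dialog. The WMIC "make it trusted" step from the linked guide is a Windows-side action and is not reproduced here. If you export with OpenSSL 3 and an older Windows refuses to import the PFX, `openssl pkcs12 -export` has a `-legacy` option that falls back to the older PKCS#12 encryption those systems expect.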

