SSL Certificate for Windows Remote Desktop Server

When you connect to a remote server via Remote Desktop (RDP) you will see a certificate warning like the following, because the Remote Desktop Service uses a self-signed SSL/TLS certificate by default, which the client has no way to verify.

Steps to replace it with a certificate issued by the AD Enterprise Root CA

  1. Open Certification Authority (certsrv.msc), right-click Certificate Templates and select Manage

  2. Highlight the Computer template, right-click it and select Duplicate Template

  3. On the General tab change the Template display name and the Template name

Please provide a meaningful name: the Template name (the one without spaces, not the display name) is the value you will enter in the GPO later

  4. On the Extensions tab select Application Policies, click Edit and remove all the existing application policies (Client Authentication and Server Authentication)

  5. Click Add, then New, to add a new application policy with
  • Name: Remote Desktop Authentication
  • Object identifier: 1.3.6.1.4.1.311.54.1.2

While the template is open, check the Security tab as well: the computer accounts that should receive the certificate (Domain Computers) need Read and Enroll permission, otherwise the RDS hosts cannot request it

  6. Go back to Certification Authority, right-click Certificate Templates and select New – Certificate Template to Issue, then pick the new template

  7. Open Group Policy Management and edit the Default Domain Policy (or, better, a dedicated GPO linked to the OU that contains the servers) to apply the certificate template to all servers in the AD domain

  8. Go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Server authentication certificate template and enter the Template name that you created

  9. Go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require use of specific security layer for remote (RDP) connections and set the Security Layer to SSL (TLS). With RDP or Negotiate a client can still fall back to the legacy RDP security layer, which does not use the certificate at all

  10. Run “gpupdate /force” and restart Remote Desktop Services (TermService) on the hosts to force the GPO to be applied. Restarting TermService drops active RDP sessions, so do this from a console or out-of-band session. Afterwards you will see the certificate issued from the new template in the computer's Personal certificate store (certlm.msc), and RDS uses it for new connections
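The following PowerShell script is added here as a verification step for the procedure above; it is not part of the original post. Run it in an elevated prompt on a domain-joined RDS host after the GPO has been applied. It reads the two registry values the GPO settings write, looks up the thumbprint of the certificate RDS is actually presenting on RDP-Tcp (via the Win32_TSGeneralSetting WMI class) and checks that certificate for the Remote Desktop Authentication EKU, the template it was issued from, a subject matching the host FQDN and a valid chain. The template name 'RDSAuthentication' is an assumed example; replace it with the name you chose.

```powershell
# Added verification script (not from the original post). Requires an elevated prompt.
# $TemplateName 'RDSAuthentication' is an assumed example name; use the one you created.
function Test-RdsCertificate {
    param([string]$TemplateName = 'RDSAuthentication')

    $rdsEku      = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication EKU (from the post)
    $templateOid = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information extension
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $fqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # 1. Values written by the two GPO settings (template name and security layer).
    $pol = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # 2. Thumbprint of the certificate RDS is currently presenting on the RDP-Tcp listener.
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    $thumb = $ts.SSLCertificateSHA1Hash

    # 3. Locate that certificate. The default self-signed one lives in the "Remote Desktop"
    #    store; a certificate enrolled from the template lands in the Personal (My) store.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' |
            Where-Object Thumbprint -eq $thumb | Select-Object -First 1

    # Template extension text, e.g. "Template=RDSAuthentication(1.3.6.1.4.1.311.21.8...), ..."
    $templateInfo = $cert.Extensions |
        Where-Object { $_.Oid.Value -eq $templateOid } |
        ForEach-Object { $_.Format($false) }

    [pscustomobject]@{
        GpoTemplateName    = $pol.CertTemplateName                 # expected: $TemplateName
        GpoSecurityLayer   = $pol.SecurityLayer                    # 2 = SSL (TLS); 0 = RDP, 1 = Negotiate
        Thumbprint         = $thumb
        StoreLocation      = $cert.PSParentPath
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        IsSelfSigned       = ($cert.Subject -eq $cert.Issuer)     # $true = still the default RDS certificate
        HasRdsEku          = ($cert.EnhancedKeyUsageList.ObjectId -contains $rdsEku)
        TemplateExtension  = ($templateInfo -join '; ')
        FromTemplate       = ($templateInfo -like "*$TemplateName*")  # matches display or template name
        SubjectMatchesFqdn = ($cert.DnsNameList.Unicode -contains $fqdn)
        ChainValid         = $cert.Verify()                        # chains to a root trusted by this host
        NotAfter           = $cert.NotAfter
    }
}

# Usage: every boolean except IsSelfSigned should be $true and GpoSecurityLayer should be 2.
Test-RdsCertificate -TemplateName 'RDSAuthentication' | Format-List
```

If IsSelfSigned is still true after a gpupdate, the RDS service has not re-enrolled yet: check the Enroll permission on the template, that the template is published on the CA, and restart TermService (which disconnects active RDP sessions). FromTemplate compares against whatever name the extension shows, so keep the template display name and Template name identical to avoid a false negative.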

You will NOT see the SSL certificate error any more when you log in to the remote server by its FQDN via Remote Desktop. Connecting by IP address or short name still triggers the warning, because the certificate subject only matches the FQDN.
