Renewing a cert in an RDS environment


Mike Leone
Oct 3, 2025, 12:32:51 PM
to NTSysAdmin
So I have an old Win 2012 RDS environment. We are literally planning on migrating to a Win 2022 RDS environment in a couple weeks or so (barring any unforeseen issues). I have that environment already set up, cert in place, just waiting for the licenses to arrive, and the production app to be installed on the new session hosts.

Problem is, the cert on my old environment is due to expire at the end of the month. And while I *expect* we'll have moved the users over to the new environment by then, you never know what might delay things. So I am planning on renewing that cert, Just In Case.

We run our own internal CA, so no worries there. Just so I have the steps down ...

I go to IIS on the Web Access host, create a new CSR, issue the cert, complete the process on the web host.
Then edit the deployment properties of my deployment (;-)), go down to the Certificates, and "Select existing certificate" for Connection Broker, and Web Access (one at a time), and use that cert.

That should be it, right?

The only thing is that the current cert is a domain wildcard cert (yeah, I know, I shouldn't be using it, but that's what we did, all those years ago ... 5 years, according to the cert). But that shouldn't matter. And besides, I push internal certs (CA, intermediate and this domain one) via GPO to all domain members; I just have to remember to push the new one.

Have I missed anything? Or misunderstood anything?


--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Philip Elder
Oct 3, 2025, 2:22:14 PM
to ntsys...@googlegroups.com

Do you have the registry setting for the session hosts to cleanse all firewall rules when a user logs out? That problem has not gone away despite the “fixes” from Microsoft.

You can set up as there’s a 180 day grace period before the license server needs to be activated.

I suggest moving them.

We’d use IIS on a management server to run the CSR, reply seat, and export to .PFX and set a very long password to it.

You can then use the wizards in Server Manager on the Broker to set up RD Gateway, Signing, and so on.

Once the certificate is seated there you can delete the certificate and resulting .PFX file from the management server.

I prefer to not leave such artifacts on the Broker, even deleted, which is too close to UserVille for my comfort.

 

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

MPECS Inc.

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Teams: Phili...@MPECSInc.Cloud


Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.
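The steps both posts describe (complete the CSR, export to a PFX with a long password, bind the cert to the Connection Broker and Web Access roles, verify, then delete the PFX) can be scripted with the RemoteDesktop module instead of the Server Manager wizard. The block below is an added example and is not code from either poster; the broker name `rdcb.example.local`, the path `C:\Temp\rds-renewal.pfx` and the thumbprint placeholder are assumptions you would replace with your own values. It also adds the check a practitioner wants after a renewal: every role shows the new thumbprint and a future expiry, which is exactly the case where a stale binding would otherwise surface at end of month.

```powershell
# Added example: renew the RDS deployment certificate with PowerShell.
# Run from a host with the RDS management tools (RSAT / RDS role) that can reach the broker.
Import-Module RemoteDesktop
Import-Module PKI

$Broker   = 'rdcb.example.local'                # ASSUMPTION: FQDN of your Connection Broker
$PfxPath  = 'C:\Temp\rds-renewal.pfx'           # ASSUMPTION: temporary export location
$NewThumb = 'REPLACE_WITH_NEW_CERT_THUMBPRINT'  # placeholder: thumbprint of the cert completed in IIS

# 1. Record what is currently bound and when it expires, before changing anything.
Get-RDCertificate -ConnectionBroker $Broker |
    Select-Object Role, Level, IssuedTo, ExpiresOn, Thumbprint |
    Format-Table -AutoSize

# 2. Export the completed cert with its private key from the machine where the CSR was completed.
#    A CSR completed on a different host leaves you with a cert and no key, so fail early on that.
$PfxPassword = Read-Host -Prompt 'PFX password (long and random)' -AsSecureString
$Cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$NewThumb"
if (-not $Cert.HasPrivateKey) {
    throw "Certificate $NewThumb has no private key; complete the CSR on this host first."
}
Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $PfxPassword | Out-Null

# 3. Bind the PFX to each role that carries a certificate. RDGateway is only set when the
#    deployment actually has a gateway server; Set-RDCertificate errors on a missing role.
$Roles = @('RDRedirector', 'RDPublishing', 'RDWebAccess')
if (Get-RDServer -Role RDS-GATEWAY -ConnectionBroker $Broker -ErrorAction SilentlyContinue) {
    $Roles += 'RDGateway'
}
foreach ($Role in $Roles) {
    Set-RDCertificate -Role $Role -ImportPath $PfxPath -Password $PfxPassword `
        -ConnectionBroker $Broker -Force
}

# 4. Verify: every role we touched must now show the new thumbprint and not expire within 30 days.
$Bound = Get-RDCertificate -ConnectionBroker $Broker | Where-Object { $Roles -contains $_.Role }
$Bad   = $Bound | Where-Object {
    $_.Thumbprint -ne $NewThumb -or $_.ExpiresOn -lt (Get-Date).AddDays(30)
}
if ($Bad) {
    $Bad | Format-Table Role, Thumbprint, ExpiresOn -AutoSize
    throw 'One or more RDS roles still carry the old or a short-lived certificate.'
}
$Bound | Format-Table Role, Level, ExpiresOn, Thumbprint -AutoSize

# 5. Clean up the PFX so a key file with a private key does not linger on disk.
#    If you completed the CSR on a throwaway management server rather than the Web Access host,
#    also remove the cert from that server's store: Remove-Item "Cert:\LocalMachine\My\$NewThumb"
Remove-Item -Path $PfxPath -Force
```

The thumbprint comparison in step 4 is case-insensitive, so the placeholder can be pasted in either case. The 30-day threshold is an arbitrary sanity margin for a cert that was just issued; the point of the check is that a role silently left on the old binding (for example a second Web Access host that was not refreshed) shows up here rather than when users start getting certificate warnings.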
