How to renew certificate for RDP on SBS 2011


Solution 1

The correct way to renew or add certificates (whether self-signed or signed by a public CA) in Windows Small Business Server is to use the Windows SBS Console's "Fix my network" wizard. The wizard does two things:

  • If you're using a self-signed certificate that's expired, it renews it
  • It correctly (re-)installs the existing certificate in the various services on the server that use the certificate, such as Exchange, Remote Web Access, Remote Desktop Session Broker, etc. You should never install the certificates in these services manually on an SBS server.

Run the Fix my network wizard to fix the certificate as follows:

  1. Start the Windows SBS Console
  2. Click the Network icon at the top, then click the Connectivity tab
  3. In the right-pane, click Fix my network
  4. If multiple issues are detected, you need to fix the one named Self-issued certificate is expired

Now, in your case since you have already manually renewed the certificate, the wizard may not find an expired certificate to fix. If so, re-install the already-renewed certificate through the SBS console as follows:

  1. Start the Windows SBS Console
  2. Click the Network icon at the top, then click the Connectivity tab
  3. In the right-pane, click Add a trusted certificate
  4. When the wizard starts, click Next
  5. At the Get the certificate screen select I want to use a certificate that is already installed on the server then click Next
  6. Select the correct certificate from the list then click Next
  7. The wizard will install the certificate. Click Finish when done.

How I expect this to solve your problem

Based on your comment, all of the machines using RDP on the server are domain-joined. Therefore, they should all trust the certificate installed by the SBS Console. Only non-domain workstations need additional action performed in order to trust a self-signed certificate in use by the SBS server, namely using the provided certificate install package to configure the non-domain machine to add the certificate to its Trusted Root Certificates store.

Solution 2

To get a properly trusted certificate, you need to do one of two things.

  1. Get a public cert from a paid provider, or from the LetsEncrypt project
  2. Create a CA for internal use

Let's Encrypt is a great project, but would require HTTP from the internet open to your server to verify domain ownership.

Creating an internal CA can be done via adding the "Active Directory Certificate Services" role to a server. It is not typically recommended to install a CA on a domain controller, but in an SBS that is what everything is based around.

https://technet.microsoft.com/en-us/library/cc731183(v=ws.11).aspx

The third way to fix this as a one-off, single-server fix, is to generate a self-signed certificate with the proper name to match. Then you would need to pull a copy of the cert, and put it in the trusted root certification authorities for every computer that is making a connection. This can be done via GPO if needed.
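An added check to go with the self-signed route above (example script, not part of this answer): it reads which certificate the RDP-Tcp listener is actually bound to, reports whether that certificate is expired, self-signed or named differently from the server's FQDN, tests whether a chain can be built against this machine's own stores, and exports the public half as a DER .cer for distribution to clients. The export path C:\Temp\rdp-listener.cer is an assumption; run it elevated on the server.

```powershell
# Added example (not from the answer above). Inspect the certificate bound to the
# RDP-Tcp listener on Windows Server 2008 R2 / SBS 2011 and export its public part.
# $ExportPath is an assumed location; change it as needed.

$ExportPath = 'C:\Temp\rdp-listener.cer'

# 1. Which certificate does the RDP-Tcp listener use? Win32_TSGeneralSetting exposes
#    the SHA1 thumbprint that was selected in the RDP-Tcp properties dialog.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$thumb = $ts.SSLCertificateSHA1Hash
"RDP-Tcp listener thumbprint : $thumb"

# 2. Find that certificate in the machine's personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "No certificate with thumbprint $thumb in LocalMachine\My" }

"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Valid until : $($cert.NotAfter)"
"Self-signed : $($cert.Subject -eq $cert.Issuer)"

if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning 'The listener certificate has EXPIRED; clients will warn or refuse to connect.'
}

# 3. Does the subject name match the name clients type into mstsc? A mismatch is the
#    other common cause of the RDP trust warning, even when the root is trusted.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cn   = ($cert.Subject -split ',')[0] -replace '^CN=', ''
if ($cn -ne $fqdn) {
    Write-Warning "Certificate CN '$cn' does not match the server FQDN '$fqdn'."
}

# 4. Would this host trust it? Build the chain against the local stores. A self-signed
#    cert only passes once it sits in Trusted Root Certification Authorities.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed certs have no CRL
$trusted = $chain.Build($cert)
"Chain builds on this host   : $trusted"
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
}

# 5. Export only the public certificate (DER, no private key) for the clients.
$null = New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force
[IO.File]::WriteAllBytes($ExportPath, $cert.Export('Cert'))
"Exported public certificate to $ExportPath"

# On each connecting client, import it into the machine Trusted Root store:
#   certutil -addstore -f Root C:\Temp\rdp-listener.cer
# or push the same .cer through Group Policy under Computer Configuration > Policies >
# Windows Settings > Security Settings > Public Key Policies >
# Trusted Root Certification Authorities.
```

The chain test in step 4 mirrors what the RDP client does before showing the warning from the question, so running it on a client after the import confirms the fix without opening an RDP session.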


Author: Carlos

Updated on September 18, 2022

Comments

  • Carlos
    Carlos almost 2 years

    Probably I am doing the wrong procedure (I am not an expert in Windows Servers).

    Our server was using a 128 SHA1 self-signed certificate for RDP on SBS 2011. The certificate has expired. I proceeded to create a new certificate from IIS 7 Server Certificate selecting the option "Create Self-Signed Certificate".

    Then I went to Remote Desktop Session Host Configuration and then right-click on RDP-Tcp, then I selected the generated certificate from RDP-Tcp properties.

    After Apply and test again the RDP, I am getting a warning that says "this ca root certificate is not trusted. to enable trust..."

    Even though I can establish the RDP, the complaint is there.

    How can I fix it?

    • I say Reinstate Monica
      I say Reinstate Monica about 7 years
      1) Do you get this warning when connecting from machines that are joined to the SBS domain? 2) Do you access RDP from machines not connected to the domain?
    • Carlos
      Carlos about 7 years
      Machines are connected to same domain, the problem is the self-signed certificate. It has to be setup correctly.
    • Joshua Keller
      Joshua Keller over 4 years
      If the certificate has expired like the man said, the fix my network wizard will not work. It does not renew the certificate. How do I know this, our certificate expired today, I just ran the fix my network wizard and the SBS is saying it can't be 'renewed' because it's expired :).
  • Carlos
    Carlos about 7 years
    It has to be an internal CA certificate since RDP is intranet based. Can you provide procedure for this setup?
  • Cory Knutson
    Cory Knutson about 7 years
    I edited my answer to include some basic documentation.
  • Danila Ladner
    Danila Ladner about 7 years
    So what that it's internal CA certificate, still can be signed by trusted provider, then browsers or rdp clients won't complain.
  • Carlos
    Carlos about 7 years
    Thanks Cory for your update, but it seems that the URL applies only to Windows 2008, I tried to follow up on my SBS 2011. Do you have one that works with SBS 2011?
  • Cory Knutson
    Cory Knutson about 7 years
    Public CAs shut off issuing Certs for .local domains, but that was not in your question. Is that what your domain is using? I will check around on CA support for SBS 2011, but it should be the same as 2008. Did you check the Add roles and features for the role mentioned in the guide?
  • Jacob Evans
    Jacob Evans about 7 years
    Rule #2 of SBS, always use the wizard (Rule #1 was to run anything else)
  • Carlos
    Carlos about 7 years
    Thanks Twisty, I am following your steps, and I am at the point of 5. At the Get the certificate screen select.... But, I see 2 options: "I want to renew my current trusted certificate with the same provider." === and the 2nd option says "I want to replace the existing certificate with a new one".
  • I say Reinstate Monica
    I say Reinstate Monica about 7 years
    Ok, choose the "replace" option. (Don't worry, if there is not a certificate you can replace it with, you'll be able to cancel the wizard without making changes)