How to renew certificate for RDP on SBS 2011

Tags: rdp, ssl-certificate, windows-sbs, windows-sbs-2011

Probably I am doing the wrong procedure (I am not an expert in Windows Servers).

Our server was using a 128 SHA1 self-signed certificate for RDP on SBS 2011. The certificate has expired. I proceeded to create a new certificate from IIS 7 Server Certificate selecting the option "Create Self-Signed Certificate".

Then I went to Remote Desktop Session Host Configuration, right-clicked RDP-Tcp, and selected the generated certificate from the RDP-Tcp properties.

After clicking Apply and testing RDP again, I get a warning that says "this ca root certificate is not trusted. to enable trust…"

Even though I can establish the RDP, the complaint is there.

How can I fix it?

Best Answer

The correct way to renew or add certificates (whether self-signed or signed by a public CA) in Windows Small Business Server is to use the Windows SBS Console's "Fix my network" wizard. The wizard does two things:

  • If you're using a self-signed certificate that's expired, it renews it
  • It correctly (re-)installs the existing certificate in the various services on the server that use the certificate, such as Exchange, Remote Web Access, Remote Desktop Session Broker, etc. You should never install the certificates in these services manually on an SBS server.

Run the Fix my network wizard to fix the certificate as follows:

  1. Start the Windows SBS Console
  2. Click the Network icon at the top, then click the Connectivity tab
  3. In the right-pane, click Fix my network
  4. If multiple issues are detected, you need to fix the one named Self-issued certificate is expired

Now, in your case since you have already manually renewed the certificate, the wizard may not find an expired certificate to fix. If so, re-install the already-renewed certificate through the SBS console as follows:

  1. Start the Windows SBS Console
  2. Click the Network icon at the top, then click the Connectivity tab
  3. In the right-pane, click Add a trusted certificate
  4. When the wizard starts, click Next
  5. At the Get the certificate screen select I want to use a certificate that is already installed on the server then click Next
  6. Select the correct certificate from the list then click Next
  7. The wizard will install the certificate. Click Finish when done.

How I expect this to solve your problem

Based on your comment, all of the machines using RDP on the server are domain-joined. Therefore, they should all trust the certificate installed by the SBS Console. Only non-domain workstations need additional action performed in order to trust a self-signed certificate in use by the SBS server, namely using the provided certificate install package to configure the non-domain machine to add the certificate to its Trusted Root Certificates store.
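To confirm which certificate the RDP listener is actually presenting after running the wizard, and whether it is expired or would fail trust validation, the following PowerShell can be run in an elevated session on the server. It is an added check, not part of the answer above; it assumes the default listener name RDP-Tcp and uses the Win32_TSGeneralSetting WMI class plus a .NET X509Chain so it works on the PowerShell 2.0 that ships with SBS 2011.

```powershell
# Added example: report the certificate bound to RDP-Tcp and validate it.
# Assumes the default listener name "RDP-Tcp"; run elevated on the SBS server.

# The thumbprint RDP is using is stored in the Terminal Services WMI class.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$thumb = $ts.SSLCertificateSHA1Hash
"RDP-Tcp is bound to thumbprint: $thumb"

# Look in the computer Personal store first (where IIS/SBS place certificates),
# then in the "Remote Desktop" store that holds the auto-generated RDP certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) {
    $cert = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' |
            Where-Object { $_.Thumbprint -eq $thumb }
    if ($cert) { "Note: RDP is using the automatically generated certificate." }
}
if (-not $cert) {
    "No certificate with that thumbprint was found in the local machine stores."
    return
}

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date)) { "WARNING: this certificate has expired." }

# Build the chain the way an RDP client would. A self-signed certificate whose
# issuer is not in Trusted Root Certification Authorities fails with
# UntrustedRoot, which is the warning described in the question.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; no CRL lookup
if ($chain.Build($cert)) {
    "Chain builds cleanly: this machine trusts the RDP certificate."
} else {
    "Chain validation failed on this machine:"
    $chain.ChainStatus | ForEach-Object {
        "  $($_.Status): $($_.StatusInformation.Trim())"
    }
}
```

The chain result reflects the trust store of the machine the script runs on; to see what a non-domain workstation will experience, export the certificate's public part and run the same X509Chain check there.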