Obtain a Certificate for the TS Gateway Server

Applies To: Windows Server 2008

This topic assumes an understanding of certificate trust chaining, certificate signing, and general public key infrastructure and certificate configuration principles. For information about PKI configuration in Windows Server 2008, see ITPROADD-204: PKI Enhancement in Windows Vista and Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=93995). For information about PKI configuration in Windows Server 2003, see Public Key Infrastructure (http://go.microsoft.com/fwlink/?LinkID=54917).

By default, Transport Layer Security (TLS) 1.0 is used to encrypt communications between Terminal Services clients and TS Gateway servers over the Internet. TLS is a standard protocol that is used to provide secure Web communications on the Internet or intranets. TLS is the latest and most secure version of the Secure Sockets Layer (SSL) protocol. For more information about TLS, see:

For TLS to function correctly, you must install an SSL-compatible X.509 certificate on the TS Gateway server.

Certificate requirements for TS Gateway

Certificates for TS Gateway must meet these requirements:

  • The name in the Subject line of the server certificate (certificate name, or CN) must match the DNS name that the client uses to connect to the TS Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates. If your organization issues certificates from an enterprise CA, a certificate template must be configured so that the appropriate name is supplied in the certificate request. If your organization issues certificates from a stand-alone CA, you do not need to do this.

  • The certificate is a computer certificate.

  • The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).

  • The certificate has a corresponding private key.

  • The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.

  • A certificate object identifier (also known as OID) of 2.5.29.15 is not required. However, if the certificate that you plan to use contains an object identifier of 2.5.29.15, you can only use the certificate if at least one of the following key usage values is also set:

    • CERT_KEY_ENCIPHERMENT_KEY_USAGE

    • CERT_KEY_AGREEMENT_KEY_USAGE

    • CERT_DATA_ENCIPHERMENT_KEY_USAGE

    For more information about these values, see Advanced Certificate Enrollment and Management (http://go.microsoft.com/fwlink/?LinkID=74577).

  • The certificate must be trusted on clients. That is, the public certificate of the CA that signed the TS Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer.

Using existing certificates

If you already have a certificate, you can reuse it for the TS Gateway server, if the certificate:

  • Is issued by one of the trusted public certification authorities (CAs) that participate in the Microsoft Root Certificate Program Members program [as listed in article 931125 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=59547)]; and

  • Meets the certificate requirements for the TS Gateway server.

If the certificate is not trusted by the Microsoft Root Certificate Program Members program (for example, if you create and install a self-signed certificate on the TS Gateway server and you do not manually configure the Terminal Services client to trust the certificate), a warning stating that you do not have a trusted root certificate appears when the client attempts to connect through the TS Gateway server, and the connection will not succeed. To prevent this error from occurring, install the certificate onto the Trusted Root Certification Authorities store on the client computer before the client attempts to connect through the TS Gateway server.

Certificate installation and configuration process overview

The process of obtaining, installing, and configuring a certificate for the TS Gateway server involves these steps.

Step 1: Obtain a certificate for the TS Gateway server

You can obtain a certificate for the TS Gateway server by using one of the following methods:

  • If your company maintains a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates that meet TS Gateway requirements, you can generate and submit a certificate request in several ways, depending on the policies and configuration of your organization's CA. Methods for obtaining a certificate include:

    • Initiating auto-enrollment from the Certificates snap-in.

    • Requesting certificates by using the Certificate Request Wizard.

    • Requesting a certificate over the Web.

Note

If you have a Windows Server 2003 CA, be aware that the Windows Server 2003 Certificate Services Web enrollment functionality relies on an ActiveX control that is named Xenroll. This ActiveX control is available in Microsoft Windows 2000, Windows Server 2003, and Windows XP. However, Xenroll has been deprecated in Windows Server 2008 and Windows Vista. The sample certificate enrollment Web pages that are included with the original release version of Windows Server 2003, Windows Server 2003 Service Pack 1 (SP1), and Windows Server 2003 Service Pack 2 (SP2) are not designed to handle the change in how Windows Server 2008 and Windows Vista perform Web-based certificate enrollment operations. For information about the steps that you can take to address this issue, see article 922706 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=94472).

  - Using the Certreq command-line tool.  
      
For more information about using any of these methods to obtain certificates for Windows Server 2008, see the "Obtain a Certificate" topic in the Certificates snap-in Help and the "Certreq" topic in the Windows Server 2008 Command Reference. To review the Certificates snap-in Help topics, click **Start**, click **Run**, type **hh certmgr.chm**, and then click **OK**. For information about how to request certificates for Windows Server 2003, see Requesting Certificates ([http://go.microsoft.com/fwlink/?LinkID=19638](http://go.microsoft.com/fwlink/?linkid=19638)).  
  
A stand-alone or enterprise CA-issued certificate must be co-signed by a trusted public CA that participates in the Microsoft Root Certification Program Members program ([http://go.microsoft.com/fwlink/?LinkID=59547](http://go.microsoft.com/fwlink/?linkid=59547)). Otherwise, users connecting from home computers or kiosks might not be able to connect to TS Gateway servers. These connections might fail because the CA-issued root might not be trusted by computers that are not members of domains, such as home computers or kiosks.  
  
  • If your company does not maintain a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates, you can purchase a certificate from a trusted public CA that participates in the Microsoft Root Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547). Some of these public CAs might offer certificates at no cost on a trial basis.

  • Alternatively, if your company does not maintain a stand-alone or enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your TS Gateway server for technical evaluation and testing purposes. For more information, see Create a Self-Signed Certificate for the TS Gateway Server.

Important

If you use either of the first two methods to obtain a certificate (that is, if you obtain a certificate from a stand-alone or enterprise CA or a trusted public CA), you must also Install a Certificate on the TS Gateway Server and Map the TS Gateway Certificate. However, if you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service or by using TS Gateway Manager after installation (as described in Create a Self-Signed Certificate for the TS Gateway Server), you do not need to install or map the certificate to the TS Gateway server. In this case, the certificate is automatically created, installed in the correct location on the TS Gateway server, and mapped to the TS Gateway server.

Note that Terminal Services clients must have the certificate of the CA that issued the server certificate in their Trusted Root Certification Authorities store. For step-by-step instructions for installing the certificate on the client, see [Install the TS Gateway Server Root Certificate on the Terminal Services Client](cc754076\(v=ws.10\).md).  
  
If you used one of the first two methods to obtain a certificate and the Terminal Services client computer trusts the issuing CA, you do not need to install the certificate of the CA that issued the server certificate in the client computer certificate store. For example, you do not need to install the certificate of the issuing CA in the client computer certificate store if a VeriSign or other public, trusted CA certificate is installed on the TS Gateway server. If you use the third method to obtain a certificate (that is, if you create a self-signed certificate), you do need to install the certificate of the CA that issued the server certificate in the Trusted Root Certification Authorities store on the client computer. For more information, see [Install the TS Gateway Server Root Certificate on the Terminal Services Client](cc754076\(v=ws.10\).md).  
  

Step 2: Install a certificate

To install a certificate, see Install a Certificate on the TS Gateway Server.

Step 3: Map the certificate

To map a certificate, see Map the TS Gateway Certificate.

Additional references