Configure a Certificate for the Remote Desktop Gateway Server

Applies To: Windows Server 2008 R2

By default, Transport Layer Security (TLS) 1.0 is used to encrypt communications between Remote Desktop Services clients and RD Gateway servers over the Internet. For TLS to function correctly, you must install a Secure Sockets Layer-compatible X.509 certificate on the RD Gateway server.

You can obtain a certificate in one of the following ways:

  • You can generate and submit a certificate request to obtain a certificate from a stand-alone or an enterprise certification authority (CA).

  • You can purchase a certificate (or obtain one at no cost on a trial basis) from one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program (as listed in article 931125 in the Microsoft Knowledge Base).

  • You can use the Add Roles Wizard to create a self-signed certificate when you install the RD Gateway role service, or you can use Remote Desktop Gateway Manager to do this after RD Gateway is installed.


We recommend that you use a self-signed certificate only for testing and evaluation purposes.
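
The following PowerShell is an added example, not part of the original article: it lists the certificates in the local computer's Personal store and flags which are self-signed, so a test certificate left on a production RD Gateway server is easy to spot. The function name `Test-GatewayCertificate` is hypothetical, and the Server Authentication EKU check is an assumption not stated in this section.

```powershell
# Added example (not from the original article). Works with the PowerShell 2.0
# that ships with Windows Server 2008 R2. Run in an elevated session.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (assumed requirement)

function Test-GatewayCertificate {   # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # A self-signed certificate names itself as its issuer.
    $selfSigned = ($Certificate.Subject -eq $Certificate.Issuer)

    # Collect the OIDs from the Enhanced Key Usage extension, if one is present.
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    # Build the chain against THIS machine's trust stores only. A self-signed
    # certificate can pass here and still be untrusted by every client.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainsLocally = $chain.Build($Certificate)

    $now = Get-Date
    New-Object PSObject -Property @{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        SelfSigned    = $selfSigned
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)
        HasPrivateKey = $Certificate.HasPrivateKey   # needed to act as the TLS server
        InValidity    = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
        ChainsLocally = $chainsLocally
    }
}

# Report on every certificate in the local computer's Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-GatewayCertificate $_ } |
    Select-Object Subject, SelfSigned, ServerAuthEku, HasPrivateKey, InValidity, ChainsLocally, Thumbprint |
    Format-Table -AutoSize
```

A row with `SelfSigned` set to `True` on a production server is the case the recommendation above is about.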

For more information about RD Gateway, see the Remote Desktop Services page on the Windows Server 2008 R2 TechCenter.

This section describes certificate requirements for the RD Gateway server and provides more information about the different methods that you can use to obtain a certificate. The following topics are covered: