Remote Desktop Services Migration Overview: Migrating Certificates

Applies To: Windows Server 2008, Windows Server 2008 R2

This topic provides a summary of the certificates used in each of the role services in Remote Desktop Services. It also provides a list of the Remote Desktop Services features that use certificates, and describes the general process for migrating certificates.

Migrating Remote Desktop Services role services certificates

RD Session Host server certificates

Typically, RD Session Host servers use auto-generated certificates for server authentication. If RD Session Host server certificates are auto-generated, you should record that information in the data worksheet; however, do not migrate the auto-generated certificate from the RD Session Host server. The destination RD Session Host server will auto-generate a new certificate. To gather the RD Session Host server certificate settings, see the procedure in RD Session Host Migration: Preparing to Migrate.

This guide does not cover the migration of RD Session Host server farms; however, these servers use an SSL certificate with a private key. If you plan to reuse your certificate, see the instructions in Preparing certificates for migration later in this topic to export the certificate.

RD Connection Broker server certificates

The RDP files for virtual desktop connections can be digitally signed with certificates. To migrate certificates that are used for digitally signing RDP files for personal virtual desktops and virtual desktop pools, see RD Connection Broker Migration: Preparing to Migrate.

For more information, see About Digitally Signing Files for Virtual Desktop Connections (

RD Web Access server certificates

HTTPS connections to an RD Web Access server are secured with an SSL certificate in Web Server (IIS). To migrate the SSL certificate for RD Web Access servers, see RD Web Access Migration: Preparing to Migrate and RD Web Access Migration: Migrating the RD Web Access Role Service.

RemoteApp program certificates

Although we do not migrate RemoteApp programs in this guide, certificates can be used to secure them. RemoteApp program certificates are located on the RD Session Host server. If you plan to reuse your certificates, you should export them from the RD Session Host source server before shutting it down.

For general instructions about migrating certificates with private keys, see Preparing certificates for migration.


The private key must be included when migrating a certificate for digitally signing RDP files for RemoteApp programs.

For more information about using certificates with RemoteApp programs, see the following:

RD Gateway server certificates

An SSL-compatible X.509 certificate is required before RD Gateway can serve connections.

To configure certificates for RD Gateway, see RD Gateway Migration: Preparing to Migrate.

RD Virtualization Host server certificates

RD Virtualization Host servers do not require certificates, and as a result there are no migration steps for certificates for RD Virtualization Host servers.

Remote Desktop license server certificates

Remote Desktop license servers do not require certificates, and as a result there are no migration steps for certificates for Remote Desktop license servers.

Remote Desktop Services features that use certificates

Although this migration guide does not describe how to migrate the deployment of Remote Desktop Services features, the following list of features that use certificates is included for reference. Each of the following features uses certificates in at least one role service:

  • Single sign-on (SSO) for RemoteApp and Desktop Connection

  • Web Single Sign-On (Web SSO)

  • HTTPS connections to RD Web Access

  • Digital signing of RDP files for personal virtual desktops and virtual desktop pools

  • Digital signing of RDP files for Remote App programs

  • RD Gateway connections to Remote Desktop Services

  • RD Session Host server connections in a farm configuration

Preparing certificates for migration

In most cases, the migration of certificates for Remote Desktop Services requires you to export the certificate with the private key. After export, you should store the certificate in a safe location.

A certificate with a private key can be migrated by using the following steps:

After you have imported the certificate to the certificate store on the destination server, follow the instructions for configuring the certificate in the migration guide for the specific role service.

See also