Greg Ferguson's BLOG

Create Self Signed Certificate for Windows Server 2008 Remote Desktop Gateway

Greg — Thu, 21 May 2009 19:10:00 +0000

One of my favorite features of Windows Server 2008 is Remote Desktop Gateway. This feature allows you to access all of the windows machines on your network (XP, Vista, 2003, etc.) via remote desktop even if they are behind a NAT or firewall. Furthermore, all communication is over SSL! How awesome is that?

One pain point that I did have with this feature was the creation of Self Signed Certificates. The Remote Desktop Gateway interface allows you to create a Self Signed Certificate but once generated it only has a lifespan of 6 months annoying. I have been using this feature for over a year and a half so I have had to regenerate my self signed certificate three times. I finally got fed up and decided to figure out how to generate my own self signed certificate that lasts longer than 6 months. FYI : Microsoft recommends only using a self signed certificate for testing purposes. I am only using Remote Desktop Gateway for my home lab and I don’t want to shell out the cash to purchase an SSL certificate so I am going to ignore this recommendation.

Create the Certificate

To create the self signed certificate you will need to download a few tools, Makecert.exe, cert2spc.exe, and pvkimprt.exe. Makecert and cert2spc are found in the Windows Platform SDK and the .Net Framework SDK. PvkImprt.exe can be found as a stand alone download. These tools can be installed and run on a different server or workstation, you do not need to run the tools on the target server.

Once you have downloaded and installed the three command line tools you can begin. The first and most involved command is Makecert. For the purposes of this example I will use contoso.com as the URL that I will access my remote desktop gateway server using. It is very important that you generate the certificate with the same URL that you will use to access the server with.

makecert -r -pe -n "CN=contoso.com" -eku 1.3.6.1.5.5.7.3.1 -b 05/19/2009 -e 01/01/2029 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv contoso.com.pvk contoso.com.cer

Makecert will prompt you for a password, supply any password that you are comfortable with. You can find a description of all of the command line options for Makecert here. The most important things to note here are the -b and -e arguments which specify the dates from which the certificate is valid. These are the options that the terminal services gateway UI does not give you.

Next you will run cert2spc and pvkimprt.

cert2spc contoso.com.cer contoso.com.spc
pvkimprt -pfx contoso.com.spc contoso.com.pvk

Pvkimprt will prompt you for the password, enter the same password that you used when you created the certificate with makecert. The pvk file is the one that you will import on your target windows server 2008 server.

Server Configuration

First you will install the certificate on the target Windows 2008 server. To install the certificate on the target server you should open the Microsoft Management Console, MMC, and add the certificates snap-in. When opening the certificates snap-in choose “Computer Account”.

Once you have added the snap in, right click on the “Personal” key store and choose “All Tasks” and “Import”.

Browse to the pvk file that you created during the steps above. Again, you will be prompted for the password that you used during certificate creation. Once imported the remote desktop UI should recognize the certificate as a valid certificate to use.

Go to the TS Gateway Manager. Click on your server and click properties. Select the SSL Certificate tab and click “Select an existing certificate for SSL encryption (recommended)”, then click “Browse Certificates”. You should see your certificate here. Select your certificate and click “Install”, then “Ok”.

Client Configuration

Now that you have installed the self signed certificate on the server you will need to install the certificate on all the computers that you will be connecting to the remote desktop gateway from. On the client computer double click on the consoto.cer file generated by the makecert command or the pvk file generated by pvkimprt and install it to the “Trusted Root Certification Authorities” key store.

Then configure your remote desktop client to use a remote desktop gateway. Open the remote desktop client, mstsc, and go to the “Advanced” tab.

Then click on settings and select “Use these TS Gateway server settings” and enter “contoso.com”. Optionally you can select “Bypass TS Gateway server for local addresses”.

When you enter the name of the server/workstation you want to connect to enter it as if you are on the network local to the Remote Desktop Gateway Server. When you click connect you will first be prompted to enter credentials authenticating you to the Remote Desktop Gateway Server. Then you will be prompted for credentials to authenticate you to the target server/workstation.

Microsoft Web Experiences in Los Angeles Tomorrow

Greg — Fri, 08 Jun 2007 04:52:53 +0000

I am going to the Microsoft Web Experiences event tomorrow in LA. They will be showing all kinds of new web technologies like ASP.NET Ajax, WPFe, and IIS7. Here is some more information:

Microsoft is hosting free Microsoft Web Experience events at the Los Angeles Microsoft office on June 8th and the Denver Microsoft office on June 15th. They will be presenting information on building the next generation user experience on the web.

They are providing breakfast and lunch, hosting a reception with beer and wine, and attendees are automatically registered in a drawing for an XBox 360 and a Zune that will be given away at each event. For more information, visit http://kaevans.sts.winisp.net/Shared%20Documents/webexperience.aspx.

Technorati Tags: MicrosoftWebExperience

Sudoku Solver

Greg — Sat, 04 Mar 2006 04:37:42 +0000

For a recent school project I was asked to create a Sudoku solver application. If you are not familiar with Sudoku puzzles you can visit, http://www.websudoku.com. Sudoku has become quite popular in recent months. When I told my friends and family that I was creating this piece of software they were all very interested and asked if they could use the program when I was done. So I took my school project and extended it for general use. You can download the software here. The software requires the .NET Framework v2 and Windows Installer v3.1. You will have both of these if you have been keeping up with your windows updates.

Download Sudoku Solver

Screenshot:

Angel’s Even the Score

Greg — Thu, 06 Oct 2005 07:04:17 +0000

Tonight the Angels evened the series with the Yankees at one game a piece. They took a while to start the scoring but they got it done in the end. The pitching and defense was there throughout the game and remains the keystone to the Angels’ success. Game 3 is on Friday and it will be a tough one. Randy Johnson has had great success against the Angels in the past. But for now, light up halo.

My Two Seconds of Fame

Greg — Wed, 05 Oct 2005 06:25:45 +0000

If anyone caught the end of the Angel’s playoff game against the Yankees you would have seen me on TV. This is a nationally televised broadcast (FOX)!

The outcome of the game wasn’t great but the experience was. Courtesy of Joey’s uncle we had amazing seats. The seats were right behind the visitor’s dugout.

We even caught a glimpse of a baseball legend, Reggie Jackson.

The Angel’s did lose the game but that just makes game two more exciting. I predict a Halo victory for game two.