Create self-signed terminal services certificate and install it

Question

The server RDP certificate expires every 6 months and is automatically recreated, meaning I need to re-install the new certificate on the client machines to allow users to save password.

Is there a straightforward way to create a self-signed certificate with a longer expiry?

I have 5 servers to configure.

Also, how do I install the certificate such that terminal services uses it?

Note: Servers are not on a domain and I'm pretty sure we're not using a gateway server.

Answer 1

You can create a self-signed certificate with many different tools. Makecert is one such tool:

http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.110).aspx

The OID for 'Server Authentication' is 1.3.6.1.5.5.7.3.1, so the argument -eku 1.3.6.1.5.5.7.3.1 will be in there somewhere.

makecert -r -pe -n CN="MyServer" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -b 01/01/2000 -e 01/01/2036 

That should get you a self signed certificate in your computer's personal store that expires in 2036.

Answer 2

If you have a large domain, the best result would be to setup an enterprise Certificate Authority. Then just setup policies so that your system automatically acquire a valid certificate from the CA.

Also setup policies so that any certificates issued from that CA will be automatically trusted.

Answer 3

Completing Ryan Ries' answer above (as I've just worked out)

1. Execute the makecert command suggested

makecert -r -pe -n CN="MyServer" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -b 01/01/2000 -e 01/01/2036

2. Manage Computer Certificates - you'll find the created certificate in Personal Certificates
3. Export the certificate (right click -> all tasks -> export -> include private key -> give it a secure password)
4. On the TS server, open RD Gateway Manager
5. Right click on the TS Server -> Properties -> SSL Certificate tab
6. Import the certificate

...you should be good to go.