
How to Install an SSL Certificate on Remote Desktop Services

This step-by-step guide shows you how to install an SSL certificate on Remote Desktop Services (RDS) on Windows Server.

Generate a CSR code for Remote Desktop Services

When you apply for an SSL certificate, you must first generate a CSR (Certificate Signing Request) and submit it to the Certificate Authority (CA). The CSR holds the contact and domain details the CA needs to issue your certificate.

RDS relies on Microsoft IIS, which ships with every version of Windows Server, so you can create the CSR in the IIS release that matches your server. For example, if you run RDS on Windows Server 2022, you generate the CSR in IIS 10. You have two options:

After you submit the CSR and complete domain validation, the CA emails you the certificate files. You can then proceed to the installation below.

Install an SSL certificate on Remote Desktop Services

To secure your Remote Desktop Services environment, you install a valid SSL certificate. RDS certificate management revolves around .pfx files. This guide covers the three most common methods: the RDS Deployment properties (recommended), RD Gateway Manager (Gateway only), and PowerShell (scriptable for any role).

Before you begin

Make sure you have your .pfx certificate file ready. A .pfx is a single bundled file that contains:

  • Your server certificate (issued for your domain).
  • The private key (generated when you created your CSR).
  • The full chain (intermediate and root CA certificates).

If the CA sent you separate .crt, .ca-bundle, and .key files, combine them into one .pfx first. You can do this with OpenSSL:

openssl pkcs12 -export -out yourdomain.pfx -inkey yourdomain.key -in yourdomain.crt -certfile yourdomain.ca-bundle

OpenSSL prompts you to set an export password. Remember it, as Windows asks for it when you import the file. For more detail, see our article on SSL certificate formats.

Option A: Install certificates via RDS Deployment properties (recommended)

This method applies the SSL certificate to all RDS roles at once (RD Web Access, RD Gateway, RD Connection Broker). Run it on the server that holds the RD Connection Broker role.

  1. Open Server Manager (Start → Server Manager).
  2. Click Remote Desktop Services in the left pane.
  3. In the Overview pane, click Tasks (upper-right) and select Edit Deployment Properties.
  4. In the left panel of the dialog, click Certificates.
  5. Select a role from the list, then click Select existing certificate, browse to your .pfx file, and enter the certificate password. Repeat for each of the following roles:
    • RD Connection Broker – Publishing
    • RD Connection Broker – SSO (Single Sign-On)
    • RD Web Access
    • RD Gateway
  6. Tick Add the certificate’s root CA to the Trusted Root Certification Authorities store (optional, but recommended for internally issued certificates).
  7. Click Apply, then OK. The changes take effect immediately. No reboot required.

Tip: use the same certificate (one that covers your deployment’s public FQDN) for every role so clients never see a name mismatch.

Option B: Install the certificate only on RD Gateway

Use this if you only need to secure the RD Gateway role rather than the full deployment.

  1. Open RD Gateway Manager (Start → Server Manager → Tools → Remote Desktop Services → Remote Desktop Gateway Manager).
  2. In the left pane, right-click your server name and choose Properties.
  3. Switch to the SSL Certificate tab and select Import a certificate into the RD Gateway (Local Computer)\Personal store.
  4. Click Browse and Import Certificate, select your .pfx file, and enter the certificate password.
  5. Click OK.

No server restart is required. The RD Gateway listener switches to the new certificate immediately.

Option C: Install the certificate with PowerShell

If you prefer the command line (handy for scripting or automated renewals), use the Set-RDCertificate cmdlet from the RemoteDesktop module. Run it on the RD Connection Broker. First store the .pfx password as a secure string:

$Password = ConvertTo-SecureString -String "YourPfxPassword" -AsPlainText -Force

Then apply the certificate to each role. Valid -Role values are RDPublishing, RDRedirector (the Connection Broker SSO role), RDWebAccess, and RDGateway:

Set-RDCertificate -Role RDPublishing -ImportPath "C:\Certs\yourdomain.pfx" -Password $Password -ConnectionBroker "broker.yourdomain.com" -Force
Set-RDCertificate -Role RDRedirector -ImportPath "C:\Certs\yourdomain.pfx" -Password $Password -ConnectionBroker "broker.yourdomain.com" -Force
Set-RDCertificate -Role RDWebAccess -ImportPath "C:\Certs\yourdomain.pfx" -Password $Password -ConnectionBroker "broker.yourdomain.com" -Force
Set-RDCertificate -Role RDGateway -ImportPath "C:\Certs\yourdomain.pfx" -Password $Password -ConnectionBroker "broker.yourdomain.com" -Force

Confirm the assignment at any time with:

Get-RDCertificate -ConnectionBroker "broker.yourdomain.com"
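A scripted form of Option C that checks the .pfx before assigning it and prompts for the export password, so the password is never written into the script file. This is an added example, not part of the original guide; rds.yourdomain.com is an assumed public FQDN, and the file path and broker name are the guide's placeholders.

```powershell
# Added example: validate the .pfx, then assign it to all four RDS roles.
$ErrorActionPreference = 'Stop'
Import-Module RemoteDesktop

$PfxPath = 'C:\Certs\yourdomain.pfx'      # placeholder path from the guide
$Broker  = 'broker.yourdomain.com'        # placeholder broker from the guide
$Fqdn    = 'rds.yourdomain.com'           # assumed public name clients connect to
$Roles   = 'RDPublishing', 'RDRedirector', 'RDWebAccess', 'RDGateway'

# Prompt for the export password so it is never written into the script.
$Password = Read-Host -Prompt 'PFX export password' -AsSecureString

# Read the bundle without importing it into a certificate store.
$Pfx  = Get-PfxData -FilePath $PfxPath -Password $Password
$Cert = $Pfx.EndEntityCertificates | Select-Object -First 1
if (-not $Cert) { throw "No server certificate found in $PfxPath" }

# Check 1: the certificate is inside its validity period.
$Now = Get-Date
if ($Now -lt $Cert.NotBefore -or $Now -gt $Cert.NotAfter) {
    throw "Certificate valid only from $($Cert.NotBefore) to $($Cert.NotAfter)"
}

# Check 2: a certificate name covers the FQDN (exact, or wildcard for one label).
$Names  = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
$Parent = $Fqdn.Substring($Fqdn.IndexOf('.'))          # ".yourdomain.com"
$Hit    = $Names | Where-Object { $_ -eq $Fqdn -or $_ -eq "*$Parent" }
if (-not $Hit) { throw "No name in [$($Names -join ', ')] covers $Fqdn" }

# Check 3: the bundle carries the CA chain, as the guide's .pfx description expects.
if ($Pfx.OtherCertificates.Count -eq 0) {
    Write-Warning 'The .pfx contains no intermediate or root certificates.'
}

# Assign the same certificate to every role.
foreach ($Role in $Roles) {
    Set-RDCertificate -Role $Role -ImportPath $PfxPath -Password $Password `
        -ConnectionBroker $Broker -Force
}

# Confirm each role reports the thumbprint that was inspected above.
Get-RDCertificate -ConnectionBroker $Broker | ForEach-Object {
    [pscustomobject]@{
        Role      = $_.Role
        Level     = $_.Level
        ExpiresOn = $_.ExpiresOn
        SameCert  = ($_.Thumbprint -eq $Cert.Thumbprint)
    }
}
```

Any role that shows SameCert as False, or a Level other than Trusted, is still serving a different or untrusted certificate and needs a second look.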

Test your SSL installation

After you install the certificate, open your RD Web Access or RD Gateway URL in a browser and check the padlock and certificate details. Even when everything looks correct, run a deeper scan to catch hidden errors and weak configuration. Our SSL Checker delivers instant reports on the state of your certificate, the chain, and your TLS settings.

Where to buy an SSL certificate for Remote Desktop Services?

If you’re looking for affordable SSL certificates, SSL Dragon is your best SSL vendor. Our intuitive website walks you through the entire SSL certificate range, and every product is issued by a reputable Certificate Authority and fully compatible with Remote Desktop Services. Because the RD Gateway is internet-facing, choose a publicly trusted certificate so remote clients connect without trust warnings.

We bring you the lowest prices on the market and dedicated customer support for any certificate you choose.

Frequently Asked Questions

Does Remote Desktop use SSL?

Yes. You can secure Remote Desktop with any SSL/TLS certificate issued by a trusted Certificate Authority. All SSL Dragon certificates are compatible with RDS and support the latest TLS protocols (TLS 1.2 and TLS 1.3).

How do I renew the RDP certificate on Windows Server?

Renewal follows the same steps as the original installation. Generate a new CSR, submit it to your Certificate Authority, and download the reissued certificate. Convert it to a .pfx if needed, then reassign it, either in Edit Deployment Properties → Certificates (Option A) or with Set-RDCertificate (Option C). RDS picks up the new certificate immediately, with no reboot.

Where are RDP certificates stored?

RDS certificates live in the local computer’s certificate store, under the Personal (and Remote Desktop) folders of the Computer Account. To open that store, run: certlm.msc

Do I need to reboot the server after installing the certificate?

No. Whether you use Edit Deployment Properties, RD Gateway Manager, or PowerShell, RDS applies the new certificate to the relevant listeners right away. A reboot is not required.

Can I use a single certificate for all RDS roles?

Yes, and it is the cleanest setup. Use one certificate whose subject (or a SAN) matches the public FQDN clients connect to, and assign it to RD Web Access, RD Gateway, and both RD Connection Broker roles. A multi-domain (SAN) certificate is useful when those roles use different hostnames.

Written by

I've been building and managing websites for over 20 years, with a heavy focus on the technical side of the cybersecurity, VPN, and SaaS industries. I know how sites are built from the ground up, which means I know how to secure them. Here at SSL Dragon, I write about web architecture, encryption, and keeping your infrastructure safe.