So, I am guessing if you’ve stumbled across this post you are trying to get your certificates to renew automatically on Windows Remote Desktop Services (RDS) using CertifyTheWeb. There is a lot of info out there on how to do this but, like you, I couldn’t get it to work reliably. Troubleshooting the issue is also a bit of a challenge, as the script only runs when a certificate actually renews, so that is the only time you can confirm that the $result parameter is being passed correctly to PowerShell.
So, after a bit of trial and error I managed to get this working, and to be fair to the info out there 95% of it is right, but there was one vital bit missing, which is the bit I am going to share with you.
Let’s first get our PowerShell script; this is probably very familiar to you if you’ve been searching around the internet looking for answers. All you need to do is copy the text below into a PS1 file called “RDPGatewayServices.ps1” and save it somewhere on the server (don’t save this in the CertifyTheWeb default scripts location, as that folder gets overwritten when the software is updated).
# CertifyTheWeb passes its result object as the first argument when “Pass result as First Arg” is ticked
param($result)
# Path of the PFX file CertifyTheWeb just wrote for the renewed certificate
$pfxpath = $result.ManagedItem.CertificatePath
Import-Module RemoteDesktop
Import-Module RemoteDesktopServices
# Apply the new certificate to each RDS role (note the role name is RDWebAccess, not RDWebAcces)
Set-RDCertificate -Role RDPublishing -ImportPath $pfxpath -Force
Set-RDCertificate -Role RDWebAccess -ImportPath $pfxpath -Force
Set-RDCertificate -Role RDGateway -ImportPath $pfxpath -Force
Set-RDCertificate -Role RDRedirector -ImportPath $pfxpath -Force
# The Gateway service needs a restart to pick up the new certificate; fail the task if it doesn’t restart
Restart-Service TSGateway -Force -ErrorAction Stop
Next we need to go into the CertifyTheWeb app and click on the certificate you want to auto-renew.
Click on “Tasks”, then click on “Add” under the “Deployment Tasks” section.
Now select “Run PowerShell Script”.
Give it a name, e.g. “Renew RDS Certificate”.
Now here comes the important bit!
Click on “Task Parameters” and change the following options:
Set the “Authentication” to “Local (as specific user)”.
Click on the “New” button next to “Credentials”.
Change the “Credential Type” to “Windows Credentials (Local)”.
Set a name for the credential; this is just a label, so pick something you’ll recognise.
Add the “Domain Name”.
Specify an account with administrative access. This is important, as this user needs admin rights to write to the certificate store and to reconfigure the RDS roles. Depending on your organisation’s security policy you may want to create a dedicated service account for this rather than using a personal admin account. Finally add the “password” for the account and click “Save”.
Now back on the “Edit Deployment Task” screen:
Click on the drop-down next to “Credentials” and select the credential you just created.
Enter the path to the PS1 file you created earlier in the “Program/Script” box.
Ensure that “Pass result as First Arg” is selected.
Change the “Impersonation LogonType” to “New Credentials”.
OK, you’re done. You can now test the certificate renewal process and check that all the certs in RDS have updated correctly.
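Because the deployment task only fires on a real renewal, it helps to have a check you can run straight afterwards. The script below is an added example, not part of the original post or of CertifyTheWeb: it reads the thumbprint from the renewed PFX, compares it with what each RDS role is actually serving, and writes the outcome to a log file. It assumes it runs on the connection broker, that the PFX has no password (pass one with -PfxPassword otherwise), and that the $LogPath location is writable.

```powershell
# Added verification script (not from the original post). Assumptions: run on the
# RDS connection broker, PFX has no password unless -PfxPassword is supplied,
# and $LogPath is writable by the account running the task.
param(
    [Parameter(Mandatory = $true)][string]$PfxPath,
    [string]$PfxPassword = '',
    [string]$LogPath = "$env:ProgramData\RDSCertCheck.log"
)

Import-Module RemoteDesktop -ErrorAction Stop

function Write-Log([string]$Message) {
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

if (-not (Test-Path -LiteralPath $PfxPath)) {
    Write-Log "ERROR: PFX not found at $PfxPath"
    exit 1
}

# Thumbprint of the certificate CertifyTheWeb just wrote to disk
$expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)
Write-Log ("Renewed cert: {0} thumbprint {1} expires {2:u}" -f $expected.Subject, $expected.Thumbprint, $expected.NotAfter)

# The same four roles the deployment script updates
$roles = 'RDPublishing', 'RDWebAccess', 'RDGateway', 'RDRedirector'
$failed = @()
foreach ($role in $roles) {
    $current = Get-RDCertificate -Role $role
    if ($current.Thumbprint -eq $expected.Thumbprint) {
        Write-Log "OK   $role is serving the renewed certificate"
    } else {
        Write-Log ("FAIL {0} still serving thumbprint {1} (expires {2})" -f $role, $current.Thumbprint, $current.ExpiresOn)
        $failed += $role
    }
}

if ($failed.Count -gt 0) {
    Write-Log "Roles not updated: $($failed -join ', ')"
    exit 1
}
Write-Log "All RDS roles are using the renewed certificate"
exit 0
```

Run it by hand after a test renewal with the PFX path CertifyTheWeb shows for the certificate, or add it as a second “Run PowerShell Script” deployment task with the same credential so every renewal leaves a pass/fail entry in the log.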