Renewing CertifyTheWeb Certificates on Windows Remote Desktop Services (RDS) automatically

So, I am guessing if you’ve stumbled across this post you are trying to get your certificates to renew automatically on Windows Remote Desktop Services (RDS) using CertifyTheWeb. There is a lot of info out there on how to do this, but like you I couldn’t get it to work reliably. Troubleshooting the issue is also a bit of a challenge, as you need to run the script as part of an actual certificate renewal to confirm that the $result parameter is passed correctly to PowerShell.

So, after a bit of trial and error I managed to get this working. To be fair to the info out there, 95% of it is right, but there was one vital bit missing, which is the bit I am going to share with you.

Let’s first get our PowerShell script. This is probably very familiar to you if you’ve been searching around the internet looking for answers. All you need to do is copy the text below into a PS1 file called “RDPGatewayServices.ps1” and save it somewhere on the server (don’t save it in the CertifyTheWeb default scripts location, as that folder gets overwritten when the software is updated).

	# CertifyTheWeb passes its result object as the first argument to the script
	param($result)
	# Path to the PFX that CertifyTheWeb has just written for this managed certificate
	$pfxpath = $result.ManagedItem.CertificatePath
	Import-Module RemoteDesktop
	Import-Module RemoteDesktopServices
	# Bind the renewed certificate to each RDS role (the role name is RDWebAccess)
	Set-RDCertificate -Role RDPublishing -ImportPath $pfxpath -Force
	Set-RDCertificate -Role RDWebAccess -ImportPath $pfxpath -Force
	Set-RDCertificate -Role RDGateway -ImportPath $pfxpath -Force
	Set-RDCertificate -Role RDRedirector -ImportPath $pfxpath -Force
	
	# Restart the gateway service so it picks up the new certificate
	Restart-Service TSGateway -Force -ErrorAction Stop

Next we need to go into the CertifyTheWeb app and click on the certificate you want to auto-renew.

Click on “Tasks”, then click on “Add” under the “Deployment Tasks” section.

Now select “Run PowerShell Script”.

Give it a name, e.g. “Renew RDS Certificate”.

Now here comes the important bit!

Click on “Task Parameters” and change the following options:

Set the “Authentication” to “Local (as specific user)”.

Click on the “New” button next to “Credentials”.

Change the “Credential Type” to “Windows Credentials (Local)”.

Set a name for the credential. This is just a placeholder name, so pick something you’ll recognise.

Add the “Domain Name”.

Specify an account with Administrative access. This is important, as this user will need admin rights to be able to write to the certificate store. Depending on your organisation’s security policy you may want to create a dedicated service account for this. Finally add the “password” for the account and click “Save”.

Now back on the “Edit Deployment Task” screen:

Click on the drop down next to “Credentials” and select the credential you just created.

Enter the path to the PS1 file you created earlier in the “Program/Script” box.

Ensure that “Pass result as First Arg” is selected.

Change the “Impersonation LogonType” to “New Credentials”.

Click “OK”.

Ok, you’re done. You can now test the Certificate renewal process and check that all the certs in RDS have updated correctly.
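To make that final check repeatable rather than a manual look through the RDS console, here is an added verification script (not part of the original post or of CertifyTheWeb) that compares the thumbprint of the renewed PFX against the certificate bound to each RDS role. It assumes the RemoteDesktop module is available, that $PfxPath points at the PFX CertifyTheWeb wrote, and that the PFX has no password unless one is passed in.

```powershell
# Verify-RDSCertificate.ps1 (added example, not from the original post)
# Compares the renewed PFX thumbprint with the certificate bound to each RDS role,
# so a failed or partial deployment is detected instead of assumed.
param(
    [Parameter(Mandatory = $true)]
    [string]$PfxPath,             # assumption: path to the PFX CertifyTheWeb wrote
    [string]$PfxPassword = ''     # assumption: empty when the PFX is not password protected
)

Import-Module RemoteDesktop -ErrorAction Stop

if (-not (Test-Path -LiteralPath $PfxPath)) {
    throw "PFX not found at $PfxPath"
}

# Load the PFX to obtain the thumbprint we expect every role to be using
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $PfxPath, $PfxPassword, 'DefaultKeySet')
$expected = $pfx.Thumbprint.ToUpperInvariant()

# Same four roles the deployment script binds
$roles = 'RDPublishing', 'RDWebAccess', 'RDGateway', 'RDRedirector'
$failures = @()

foreach ($role in $roles) {
    $bound = Get-RDCertificate -Role $role -ErrorAction Stop
    $actual = if ($bound.Thumbprint) { $bound.Thumbprint.ToUpperInvariant() } else { '<none>' }
    if ($actual -eq $expected) {
        Write-Host ("OK       {0,-13} {1} expires {2:u}" -f $role, $actual, $bound.ExpiresOn)
    } else {
        Write-Warning ("MISMATCH {0}: bound {1}, expected {2}" -f $role, $actual, $expected)
        $failures += $role
    }
}

if ($failures.Count -gt 0) {
    # Non-zero exit lets a scheduled task or monitoring job flag the problem
    exit 1
}
exit 0
```

Run it as an administrator on the connection broker after a renewal, or wire it in as a second deployment task so a mismatch surfaces in the CertifyTheWeb task log.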
