For information on why TS Gateway needs a certificate and which is the recommended certificate to use on TS Gateway, see the first post in this series.
To deploy a certificate on TS Gateway server, you must have the server certificate (and private key) contained in a file. You must also have access to the Certificates snap-in and have it set to view computer certificates from the local computer (though this can be done remotely).
This blog will take you through the following steps. Please note that the screenshots in this blog are applicable to Windows Server 2008 only.
- Viewing the certificate store on the local computer
- Installing the certificate in the personal certificate store of the local computer
- Installing the certificate on TS Gateway
- A common issue when deploying a certificate on TS Gateway
- How to trust the TS Gateway certificate on the clients
Viewing the certificate store on the local computer
To view the Certificates store on the local computer, follow these steps:
1. Click Start, and then click Run.
2. Type "MMC.EXE" (without the quotation marks), and then click OK.
3. On the File menu of the new console, click Add/Remove Snap-in.
4. In the list of available snap-ins, click Certificates, and then click Add.
5. Choose the Computer account option and click Next.
6. Select Local Computer on the next screen, and then click Finish.
7. Click OK.
8. You have now added the Certificates snap-in, which will allow you to work with any certificates in your computer’s certificate store. You may want to save this MMC for later use.
Now that you have access to the Certificates snap-in, you can import the server certificate into your computer’s certificate store by following the steps in the next section.
Installing the certificate in the personal certificate store of the local computer
1. In the Certificates (Local Computer) snap-in, expand Personal, and then click Certificates.
Note: The Certificates folder under Personal is only shown once at least one certificate has been installed there. If it is missing, the store is simply empty.
2. Right-click Certificates (or Personal if that option does not exist.)
3. Choose All Tasks, and then click Import.
4. When the wizard starts, click Next. Browse to the PFX file you created containing your server certificate and private key. Click Next.
5. Enter the password you gave the PFX file when you created it. Select Mark this key as exportable only if you need to export the key pair from this computer again later. Leaving it unchecked is the safer default: the private key can then not be exported again through the Certificates snap-in or the CryptoAPI export functions. Keep the original PFX file in a secure location, because you will not be able to recreate it from this machine.
6. Click Next, and then choose the certificate store to save the certificate to. Select Personal, because this is a server certificate. Any CA certificates that were bundled into the PFX along with the server certificate are placed in the same store.
7. Click Next. You should see a summary screen showing what the wizard is about to do. If this information is correct, click Finish.
8. The server certificate you just installed now appears in the list of personal certificates, listed under the common name from the Subject field of the certificate.
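The same import can be scripted, which is useful when you have several gateways to build. The PowerShell below is an added example and is not from the original post; it uses only the .NET X509 classes that ship with Windows Server 2008, so it works without newer PKI cmdlets. The PFX path is an assumption; the key storage flags map directly onto the wizard's choices (computer store, keep the key, and optionally mark it exportable):

```powershell
# Added example (not from the original post): import a PFX into the
# Local Computer\Personal store from an elevated PowerShell prompt.
# Assumed input: C:\certs\tsgateway.pfx (change the path to suit).
$pfxPath = "C:\certs\tsgateway.pfx"
if (-not (Test-Path $pfxPath)) { throw "PFX file not found: $pfxPath" }
$pfxPassword = Read-Host "Password for $pfxPath" -AsSecureString

# MachineKeySet  = store the private key with the computer, not the user
#                  (TS Gateway only looks in the computer's store).
# PersistKeySet  = keep the key after this process exits.
# Add Exportable only if you want the "Mark this key as exportable" behaviour.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet,PersistKeySet"
# $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet,PersistKeySet,Exportable"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxPath, $pfxPassword, $flags)
if (-not $cert.HasPrivateKey) { throw "The PFX did not contain a private key; TS Gateway cannot use it." }

# "My" is the Personal store; "LocalMachine" is the computer account.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()

"Imported {0} (thumbprint {1}) into Local Computer\Personal" -f $cert.Subject, $cert.Thumbprint
```

After the script runs, the certificate shows up in the Certificates (Local Computer) snap-in under Personal with the key icon, exactly as after the wizard. Running the script from a non-elevated prompt fails at the `Open(ReadWrite)` call because the computer store is writable only by administrators.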
Now that you have the certificate backup imported into the certificate store, you can use the TS Gateway Manager UI to install the certificate on TS Gateway. The steps for doing this are outlined in the next section.
Installing the certificate on TS Gateway
1. Click Start, click Administrative Tools, click Terminal Services, and then click TS Gateway Manager.
2. Right-click <Machine Name>, and then click Properties.
3. On the SSL Certificate tab, click Select an existing certificate for SSL encryption (recommended), and then click Browse Certificates.
4. Choose the certificate, and then click Install.
5. Click OK.
A common issue when deploying a certificate on TS Gateway
The most common issue a TS Gateway administrator runs into is that, although the certificate has been installed in the certificate store of the gateway machine, it cannot be seen or installed through the TS Gateway Manager snap-in. Possible causes are:
1. The certificate does not have a private key:
If you install the certificate without its private key in the Personal certificate store of the Local Computer, it does not appear in the Browse Certificate window of the TS Gateway Manager UI and therefore cannot be installed for TS Gateway. In the Certificates snap-in, a certificate without a private key shows no key symbol over its icon; in the screenshot, the first certificate (Issued to: www.contoso.com) is an example of this.
2. The certificate is not installed in the Personal certificate store of the Local Computer:
If you install the certificate in the Personal certificate store of the current user instead of the Personal certificate store of the Local Computer, it does not appear in the Browse Certificate window of the TS Gateway Manager UI and therefore cannot be installed for TS Gateway. This typically happens when the Certificates snap-in was added for My user account rather than Computer account.
3. The certificate is not a "Server Authentication" certificate:
If the "Intended Purpose" of the certificate does not include "Server Authentication", it does not appear in the list of available certificates in the Browse Certificate window of the TS Gateway Manager UI. Intended Purpose is taken from the certificate's Enhanced Key Usage extension; Server Authentication is OID 1.3.6.1.5.5.7.3.1. The following example shows how to view the "Intended Purpose."
The general rule of thumb: if you have installed the certificate but still do not see it in the Browse Certificate window of the TS Gateway Manager UI, check the three points above in turn:
- the private key is installed with the certificate (key symbol on the icon),
- the certificate is in the Personal store of the Local Computer, not the current user's store, and
- the certificate's Intended Purpose includes "Server Authentication."
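The three checks above can be run in one pass from PowerShell on the gateway. The script below is an added example, not from the original post, and uses the .NET X509 classes available on Windows Server 2008. It lists every certificate in Local Computer\Personal with the reason TS Gateway Manager would skip it, and then looks in the current user's Personal store for certificates that landed in the wrong place (cause 2). It also flags expired certificates, which the post does not cover but which clients will reject:

```powershell
# Added example (not from the original post): explain why a certificate
# does or does not show up in TS Gateway Manager's Browse Certificates list.
# Run in an elevated PowerShell on the TS Gateway server.
$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, shown as "Server Authentication" in the UI

$machineStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$machineStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$machineCerts = $machineStore.Certificates
$machineStore.Close()

foreach ($cert in $machineCerts) {
    $problems = @()

    # Cause 1: the certificate was imported from a .cer/.crt and has no private key bound to it.
    if (-not $cert.HasPrivateKey) { $problems += "no private key (import the PFX instead of the .cer)" }

    # Cause 3: Intended Purpose comes from the Enhanced Key Usage extension.
    # A certificate with no EKU extension at all is valid for every purpose, so only
    # an EKU that is present but lacks Server Authentication is a problem.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $hasServerAuth = $false
        foreach ($oid in $eku.EnhancedKeyUsages) { if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true } }
        if (-not $hasServerAuth) { $problems += "Intended Purpose lacks Server Authentication" }
    }

    # Not one of the three causes above, but an expired certificate will be rejected by clients.
    if ($cert.NotAfter -lt (Get-Date)) { $problems += ("expired on " + $cert.NotAfter) }

    if ($problems.Count -eq 0) { $status = "OK: TS Gateway Manager will list this certificate" }
    else { $status = "NOT listed: " + [string]::Join("; ", [string[]]$problems) }
    "{0}`n  thumbprint {1}`n  {2}" -f $cert.Subject, $cert.Thumbprint, $status
}

# Cause 2: the certificate was imported into Current User\Personal instead.
$userStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
$userStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
foreach ($cert in $userStore.Certificates) {
    if ($cert.HasPrivateKey -and -not $machineCerts.Contains($cert)) {
        "Only in Current User\Personal (wrong store for TS Gateway): {0} ({1})" -f $cert.Subject, $cert.Thumbprint
    }
}
$userStore.Close()
```

A certificate that reports "OK" here but still does not appear in TS Gateway Manager is worth re-checking against the key icon in the snap-in, because `HasPrivateKey` only reflects that a key container is referenced; if the container itself was deleted, the reference is stale.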
How to trust the TS Gateway certificate on the clients
When you use a self-signed certificate or one issued by a private CA on the TS Gateway, clients do not trust the TS Gateway certificate by default and refuse to connect. To fix this, the self-signed certificate (or, for a private CA, the CA's own certificate) must be placed in the Trusted Root Certification Authorities store on each client; the clients must also connect using the name that appears in the certificate's subject, or they will report a name mismatch. For the step-by-step procedure, follow the blog at http://blogs.technet.com/sbs/archive/2008/10/03/receiving-certificate-errors-when-connecting-to-clients-servers-with-ts-gateway-or-remote-web-workplace-on-sbs-2008.aspx.
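For a self-signed gateway certificate, the two halves of that procedure can be scripted. The PowerShell below is an added example and is not from the original post or the linked one; the gateway's subject name (tsgateway.contoso.com) and the file path are assumptions. Part 1 runs on the gateway and exports only the public certificate, so the file that is copied to clients can never leak the private key; Part 2 runs on each client and places it in the computer's Trusted Root store. For a private CA, export and import the CA certificate in the same way instead of the server certificate:

```powershell
# ---- Part 1: on the TS Gateway server (elevated) -------------------------
# Added example (not from the original post). Export the public certificate
# only. Assumed subject name; replace with the name clients will connect to.
$subjectName = "tsgateway.contoso.com"
$cerPath = "C:\certs\tsgateway.cer"

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$matches = $store.Certificates.Find(
    [System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectName, $subjectName, $false)
$store.Close()

# Pick the certificate TS Gateway can actually use: the one with a private key.
$gatewayCert = $null
foreach ($c in $matches) { if ($c.HasPrivateKey) { $gatewayCert = $c } }
if ($gatewayCert -eq $null) { throw "No certificate with a private key found for $subjectName" }

# X509ContentType.Cert writes the DER-encoded public certificate and nothing else;
# it cannot include the private key even if the key is marked exportable.
$der = $gatewayCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $der)
"Exported {0} to {1} ({2} bytes, thumbprint {3})" -f $gatewayCert.Subject, $cerPath, $der.Length, $gatewayCert.Thumbprint

# ---- Part 2: on each client (elevated) ----------------------------------
# Import the copied .cer into Trusted Root Certification Authorities for the
# computer, so every user on the client trusts the gateway.
$cerPath = "C:\certs\tsgateway.cer"
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($cer.HasPrivateKey) { throw "Refusing to trust a file that carries a private key; export the public certificate only." }

$root = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$root.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$root.Add($cer)
$root.Close()
"Now trusted on this client: {0} (thumbprint {1})" -f $cer.Subject, $cer.Thumbprint
```

Compare the thumbprint printed in Part 2 with the one printed in Part 1 before rolling the file out; that is the check that the client is trusting the gateway's certificate and not a file that was swapped in transit.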