Enterprise Certificate Services and Terminal Services Gateway – Certificate Issuing for Internet Usage

Posted in 2008, certificates, Terminal Services

To issue a certificate for the Windows 2008 Terminal Services Gateway using your own installed Enterprise Certificate Authority, out of the box you need to create a certificate request file, request the certificate from the Enterprise CA, install the issued certificate and map the certificate to the TS Gateway.

This can help you if you get errors such as -2146875377, “the dns name is unavailable and cannot be added to the subject alternative name” or “denied by policy”.

In detail these steps are:

Create MMC Console for all steps

  1. On the TS Gateway Windows 2008 server, with the remote administration tools installed, click Start > Run and enter mmc.exe.
  2. Confirm the UAC prompt and add the following snap-ins: Certificate Authority (choose computer on which this role is installed), Certificates (for local machine), TS Gateway Manager.

Create a Certificate Request

  1. Expand Certificates (Local Computer)/Personal/Certificates and right-click Certificates>All Tasks>Advanced Options>Create Custom Request.
  2. Click Next on the Before You Begin page.
  3. Choose Web Server as the template. The template you choose is the second most important choice you make in this process. Click Next.
  4. Click the Details down arrow and then click Properties.
  5. On the Subject tab, under Subject Name, select Common Name under Type and enter the public DNS name (the name in the URL) that clients will use across the internet to reach this TS Gateway. Click OK when the names you are using have been added to the list on the right of the dialog. The correct value for the common name is the most important choice you make here.
  6. Click Next.
  7. Enter a file name and click Finish.

Upload Certificate Request to Enterprise Certificate Authority

  1. Expand the Certification Authority node in the MMC you created above.
  2. Right-click the CA name and choose All Tasks>Submit New Request.
  3. Browse and select the request file created in step 7 in the previous section.
  4. Save the issued certificate with a .cer file extension.

Install the Certificate on the TS Gateway Server

  1. Expand Certificates (Local Computer)/Personal/Certificates and right-click Certificates>All Tasks>Import and click Next.
  2. Browse to the file created in step 4 in the previous section.
  3. Click Next twice.
  4. Click Finish. You will be told the import was successful.

Map Certificate to TS Gateway

  1. Expand TS Gateway Manager in the MMC.
  2. Right-click your TS Gateway server and choose Properties.
  3. Select the SSL Certificate tab and ensure the “Select an existing certificate…” option is set.
  4. Click Browse Certificates and select the new certificate that you have just created.
  5. Click Install and OK.

Then to finish, open the Remote Desktop Connection tool (mstsc.exe) and connect to a Terminal Server using the Gateway option via the Options>Advanced>Settings dialog. To complete these steps you must also have created the policies for connecting to the gateway.
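The request, submission and installation steps above as a script, added here as an example and not part of the original post: it uses certreq.exe with an .inf file (Web Server template, CN and SAN set to the public name) and then checks the installed certificate before you map it in TS Gateway Manager. The gateway name, the CA config string (HOST\CA name) and the working folder are placeholders; run it in an elevated prompt on the TS Gateway server.

```powershell
# Added example: certreq equivalent of the MMC steps plus a post-install check.
# Placeholders: the gateway name, the CA config string and the working folder.
$GatewayFqdn = "tsgw.example.com"                               # name clients type into mstsc
$CaConfig    = "CAHOST.corp.example.com\Example Enterprise CA"  # HOST\CA name
$Work        = "C:\tsgw-cert"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq .inf: Web Server template, CN = public name, SAN carries the same DNS name.
# MachineKeySet puts the key in the computer store so TS Gateway can use it.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$GatewayFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$GatewayFqdn&"
"@ | Set-Content -Path "$Work\tsgw.inf" -Encoding ASCII

# Create the request, submit it to the Enterprise CA, install the issued certificate.
certreq -new "$Work\tsgw.inf" "$Work\tsgw.req"
certreq -submit -config $CaConfig "$Work\tsgw.req" "$Work\tsgw.cer"
certreq -accept "$Work\tsgw.cer"

# Checks before mapping in TS Gateway Manager: right subject, private key present,
# Server Authentication EKU (Web Server template), chain trusted on this machine.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$GatewayFqdn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert)               { throw "No certificate with CN=$GatewayFqdn in the computer store" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key (request not made on this machine)" }
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })) {
    throw "Certificate lacks the Server Authentication EKU (wrong template?)"
}
if (-not $cert.Verify()) { throw "Chain does not validate here; internet clients will not trust it either" }
"OK: $($cert.Thumbprint) for $GatewayFqdn, valid until $($cert.NotAfter)"
```

Internet clients must also trust the issuing CA's chain; an Enterprise CA is trusted by domain members automatically but not by outside machines, so publish the CA certificate to them or use a public CA for the gateway name.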
