Dreading manual RDS certificate updates? Automate 99% of it away! Learn how to easily manage certificates across all your Remote Desktop Gateways.
Action is coming
You’re in the office sipping on some coffee when you suddenly get an alert that your certificate expires in 30 days. You acknowledge the alert; with 30 days to replace it, it’s no big deal. Many forgotten alerts later, 1 day before the certificate expires, you dread the part that is coming: having to manually access each Remote Desktop Gateway server and replace the certificate by hand.
Jokes aside, for our customers that are still on-prem 🥲, we deploy their Remote Desktop Services through our HAProxy with one of our wildcard certificates. Updating the certificate in HAProxy is the easy part, but going through 50+ servers and updating each one manually? No thanks.
In this article I’ll go through the steps to automate 99% of this process.
Why are you running?
First, you need some way to run scripts on the systems. This could be PowerShell remoting, PowerShell Universal or an RMM tool. In our case we have an RMM tool, so that is what we are using. With our RMM tool we are able to check which wildcard certificate the Remote Desktop Gateway currently has, which is how we target the systems to run the script on.
Secondly, we need a way to download the certificate onto the system; in our case I decided to use Azure Blob Storage. You can use whatever you like, as long as the script is able to download it.
The script will download the certificate, import it into the certificate store, and then apply it to the RDS roles. If you’re using the HTML web client, it will also update the certificate for that.
This is the way
It is important to note that the script example I will provide does not check if the required role is installed. Please modify it to fit your needs.
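The following is an added example written for this article, not the author’s script from GitHub. It follows the same steps (download the PFX from Azure Blob Storage, import it into the machine store, apply it to the RDS roles, refresh the HTML web client) but, unlike the script described above, it only touches roles that Get-WindowsFeature reports as installed, and it skips the work when the deployment already presents the new thumbprint. It assumes a SAS URL to the PFX (placeholder below), that the PFX password arrives from your RMM tool in the RDS_PFX_PASSWORD environment variable, that the server belongs to an RDS deployment whose Connection Broker is reachable, and that the RemoteDesktop module (and RDWebClientManagement, if the web client is used) is present. All of those are assumptions, not facts from the original post.

```powershell
# Added example (not the author's script). Assumptions are marked inline.
[CmdletBinding()]
param(
    # Placeholder: SAS URL to the wildcard PFX in Azure Blob Storage (assumption)
    [string]$CertUrl = 'https://<storage-account>.blob.core.windows.net/certs/wildcard.pfx?<sas-token>',
    # PFX password injected by the RMM tool as an environment variable (assumption)
    [string]$PfxPassword = $env:RDS_PFX_PASSWORD,
    # FQDN of the Connection Broker; defaults to this machine (assumption, adjust for your deployment)
    [string]$ConnectionBroker = "$env:COMPUTERNAME.$env:USERDNSDOMAIN"
)

$ErrorActionPreference = 'Stop'
if (-not $PfxPassword) { throw 'RDS_PFX_PASSWORD is not set; refusing to continue.' }

$pfxPath   = Join-Path $env:TEMP 'wildcard.pfx'
$securePwd = ConvertTo-SecureString $PfxPassword -AsPlainText -Force

# Windows feature name -> Set-RDCertificate role name(s)
$roleMap = @{
    'RDS-Gateway'           = 'RDGateway'
    'RDS-Web-Access'        = 'RDWebAccess'
    'RDS-Connection-Broker' = @('RDRedirector', 'RDPublishing')
}

try {
    # Only act on roles that are actually installed on this server
    $installed = Get-WindowsFeature -Name ([string[]]$roleMap.Keys) |
        Where-Object Installed | Select-Object -ExpandProperty Name
    if (-not $installed) { throw 'No RDS role is installed on this server; nothing to do.' }

    # 1. Download the PFX. The SAS token is the secret here; keep its lifetime short.
    Invoke-WebRequest -Uri $CertUrl -OutFile $pfxPath -UseBasicParsing

    # 2. Import into the local machine store (idempotent: re-importing the same cert is harmless)
    $cert  = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $securePwd
    $thumb = $cert.Thumbprint
    Write-Verbose "Imported $($cert.Subject) ($thumb), expires $($cert.NotAfter)"

    Import-Module RemoteDesktop

    # 3. Apply to each installed role, skipping roles that already present this thumbprint
    $current = Get-RDCertificate -ConnectionBroker $ConnectionBroker
    foreach ($feature in $installed) {
        foreach ($role in @($roleMap[$feature])) {
            $existing = $current | Where-Object { $_.Role -eq $role }
            if ($existing -and $existing.Thumbprint -eq $thumb) {
                Write-Verbose "$role already uses $thumb, skipping"
                continue
            }
            Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $securePwd `
                -ConnectionBroker $ConnectionBroker -Force
            Write-Verbose "Applied $thumb to $role"
        }
    }

    # 4. HTML web client: it pins the broker certificate, so hand it the new public part (.cer only)
    if (($installed -contains 'RDS-Web-Access') -and (Get-Module -ListAvailable -Name RDWebClientManagement)) {
        $cerPath = Join-Path $env:TEMP 'broker.cer'
        Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
        Import-RDWebClientBrokerCert $cerPath
        Remove-Item $cerPath -Force
    }

    # 5. Report what the deployment now presents, so the RMM job log shows the result
    Get-RDCertificate -ConnectionBroker $ConnectionBroker | Select-Object Role, Thumbprint, ExpiresOn
}
finally {
    # Never leave the private key behind in TEMP
    if (Test-Path $pfxPath) { Remove-Item $pfxPath -Force }
}
```

Two points worth keeping when you adapt this to your own script: the SAS token grants anyone holding it read access to the PFX, so generate it with a short expiry and a read-only permission, and the PFX is removed in the finally block so that a failed run does not leave the private key on disk.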
You can find the script on my GitHub.