English

Wildcard SSL certificate renewal process

Contributors tvanroo Download PDF of this page

Create a certificate signing request (CSR):

  1. Connect to CWMGR1

  2. Open IIS Manager from Administrator Tools

  3. Select CWMGR1 and open Server Certificates

  4. Click on Create Certificate Request in the Actions pane

    ssl1

  5. Fill out the Distinguished Name Properties in the Request Certificate Wizard and click Next:

    1. Common Name: FQDN of Wildcard - *.domain.com

    2. Organization: Your company’s legally registered name

    3. Organizational unit: ‘IT’ works fine

    4. City: City where company is located

    5. State: State where company is located

    6. Country: Country where company is located

      ssl2

  6. On the Cryptographic Service Provider Properties page, verify the below appears and click Next:

    ssl3

  7. Specify a file name and browse to a location where you want to save the CSR. If you do not specify a location, the CSR will be in C:\Windows\System32:

    ssl4

  8. Click Finish when completed. You will use this text file to submit your order to certificate registrar

  9. Reach out to registrar support to purchase a new Wildcard SSL for your certificate: *.domain.com

  10. After receiving your SSL certificate, save the SSL certificate .cer file in a location on CWMGR1 and follow the below steps.

Installing and configuring CSR:

  1. Connect to CWMGR1

  2. Open IIS Manager from Administrator Tools

  3. Select CWMGR1 and open ‘Server Certificates’

  4. Click on Complete Certificate Request in the Actions pane

    ssl5

  5. Complete the below fields in the Complete Certificate Request and click OK:

    ssl6

    1. File Name: Select .cer file that was saved previously

    2. Friendly name: *.domain.com

    3. Certificate store: Select either Web Hosting or Personal

Assigning SSL certificate:

  1. Verify that Migration Mode is not enabled. This can be found on the Workspace Overview page under Security Settings in VDS.

    ssl7

  2. Connect to CWMGR1

  3. Open IIS Manager from Administrator Tools

  4. Select CWMGR1 and open ‘Server Certificates’

  5. Click on Export in the Actions pane

  6. Export the certificate in .pfx format

  7. Create a password. Store password as it will be needed to import or re-use .pfx file in the future

  8. Save .pfx file to the C:\installs\RDPcert directory

  9. Click OK and close IIS Manager

    ssl8

  10. Open DCConfig

  11. Under Wildcard Certificate, update the Certificate path to new .pfx file

  12. Enter .pfx password when prompted

  13. Click Save

    ssl9

  14. If the certificate is valid for 30 more days, allow automation to apply the new certificate during the morning Daily Actions task throughout the week

  15. Periodically check the Platform servers to verify that the new certificate has propagated. Validate and test user connectivity to confirm.

    1. On the server, go to Admin Tools

    2. Select Remote Desktop Services > Remote Desktop Gateway Manager

    3. Right click on gateway server name, select Properties. Click on the SSL Certificate tab to review expiration date

      ssl10

  16. Periodically check the client VMs that are running the Connection Broker role

    1. Go to Server Manager > Remote Desktop Services

    2. Under Deployment Overview, select Tasks dropdown and choose Edit Deployment Properties

      ssl11

    3. Click on Certificates, select certificate and click View Details. Expiration date will be listed.

      ssl12

      ssl13

  17. If less than 30 days or you prefer to push out the new certificate immediately, force the update with TestVdcTools. This should be done during a maintenance window as connectivity for any users logged in and your connection to CWMGR1 will be lost.

    1. Go to C:\Program Files\CloudWorkspace\TestVdcTools, click the Operations tab and select the Wildcard Cert-Install command

    2. Leave the server field blank

    3. Check the Force box

    4. Click Execute Command

    5. Verify certificate propagates using the steps listed above

      ssl14