I setup a Remote Desktop Gateway for a customer a few weeks ago. During the setup, I was prompted to create a certificate for the server, but it was just a self-signed certificate. I need a certificate signed from my internal CA for testing with my laptop outside of the network. I originally created a computer certificate, but when I tried to connect it would not allow me to connect because the remote desktop gateway address did not match and name on the certificate. This was obvious because the internal domain is a domain.local address and I was trying to access ts.domain.com. Also, a computer certificate does not allow for subject alternate names. A web server certificate is the type of certificate to use when adding subject alternate names, but I was unable to create one for the computer account.
The solution is quite simple, change the permissions on the certificate template. [more]
- On your internal certificate authority, go to Start > Administrative Tools > Certificate Authority
- Expand your CA from the list > Right click Certificate Templates > Manage
- Right click Web Server > Properties
- Select the Security tab. Grant Domain Computers (or the specific computer) Read, Write, and Enroll permissions.
- Close all open windows.
- You can now request a certificate from the computer account based on the Web Server template.