Certificate Renewal For AWS Loadbalancer and Remote Desktop Servers

Problem:

Your AWS loadbalancer certificate is about to expire and you need to supply a new one to it and to an RDP gateway and session host servers.

Solution:

To renew the GoDaddy certificate:

1. Log in to your GoDaddy account and open the remote.contoso.com certificate.
2. Do one of the following:
   - If the billing for your renewal is already completed, skip to the next step.
   - Click Renew to purchase a renewal credit and then click Checkout. Complete the transaction for your renewal, and then return to your list of common names.
3. Select the option which you want to use for requesting your renewed certificate, and then click Request Certificate.

To generate a CSR with OpenSSL, first edit the C:\OpenSSL\bin\openssl.cfg file with your server details as below. The subjectAltName list must cover every hostname the certificate will be presented on (the load balancer name and both gateways), since clients validate against the SAN list.

[ req ]
default_bits = 2048
# overridden by -keyout on the command line below
default_keyfile = remote-orig.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:remote.contoso.com, DNS:rdgw02.contoso.com, DNS:rdgw01.contoso.com

[ req_distinguished_name ]
# must be an ISO 3166-1 alpha-2 code: GB, not UK (public CAs reject UK)
countryName = GB
stateOrProvinceName = London
localityName = London
0.organizationName = MyCompany
organizationalUnitName = MyCompany
commonName = remote.contoso.com

Then run the two commands below. The first writes the CSR (remote.csr) and a new private key (remote-orig.key); the second re-exports that key as remote.key in plain PEM form, which is the file the .pfx step and the load balancer import expect. Keep remote.key somewhere safe: anyone holding it can impersonate these hosts, and you will need it again to build the .pfx.

openssl req -new -nodes -out remote.csr -keyout remote-orig.key -config openssl.cfg

openssl rsa -in remote-orig.key -out remote.key

Then add the CSR to the GoDaddy console.

If you lose the private key you will need to choose Re-key from the GoDaddy console and then run the same two commands again to generate a fresh key and CSR.


You can then paste the new CSR into GoDaddy; it carries the public key that matches the new private key.

GoDaddy will then email you when the new certificate is ready. You can then import this to the AWS Loadbalancer as below:

You then need to import the certificate into the Remote Desktop gateway servers. To do this you will need the certificate (.crt) from GoDaddy and the key file. Run the command below to bundle them into a .pfx and copy the .pfx file to the gateway servers. You will be prompted to choose an export password.

openssl pkcs12 -export -out certificate.pfx -inkey "C:\Temp\remote.key" -in "C:\Temp\remote.crt"


Enter Export Password:

Verifying - Enter Export Password:

Import the .pfx file on both rdgw01.contoso.com and rdgw02.contoso.com; you will need to enter the export password you just created.

Then, on each Remote Desktop session host, import the certificate.
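As an added example that is not part of the original post, the PowerShell below checks the .pfx before it goes anywhere (private key present, not near expiry, SAN covers all three hostnames from openssl.cfg), imports it into the machine store and binds it to the RDP-Tcp listener on a session host, then re-imports the renewed certificate into ACM under its existing ARN so the load balancer listener picks it up without a listener change. It assumes the C:\Temp paths used above, an elevated session on the RDP server, the AWS CLI on the machine that runs the last step, and placeholder values (ACM ARN, GoDaddy chain bundle file name) that you replace.

```powershell
# Added example, not from the original post. Assumes the .pfx built above and the
# .crt/.key under C:\Temp, run elevated on the RDP server; the ARN and the chain
# bundle file name are placeholders to replace.
$PfxPath  = 'C:\Temp\certificate.pfx'
$Required = @('remote.contoso.com', 'rdgw01.contoso.com', 'rdgw02.contoso.com')
$AcmArn   = 'arn:aws:acm:REGION:ACCOUNT_ID:certificate/EXISTING-CERT-ID'   # placeholder

$pw   = Read-Host -Prompt 'PFX export password' -AsSecureString
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pw)

# 1. Validate before touching any server: private key present, not close to
#    expiry, and the SAN list covers every host that will present the certificate.
if (-not $cert.HasPrivateKey) { throw 'PFX carries no private key; rebuild it with -inkey' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "Certificate expires on $($cert.NotAfter)" }
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no subjectAltName extension' }
$sans    = [regex]::Matches($sanExt.Format($true), 'DNS Name=(\S+)') | ForEach-Object { $_.Groups[1].Value }
$missing = $Required | Where-Object { $sans -notcontains $_ }
if ($missing) { throw "SAN does not cover: $($missing -join ', ')" }

# 2. Import into the machine store, where the RD roles look for it.
$thumb = (Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pw).Thumbprint

# 3. Session host: bind the thumbprint to the RDP-Tcp listener via WMI.
$listener = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $thumb } | Out-Null

# 4. Gateway: in an RDS deployment the RemoteDesktop module can do the same for the
#    RD Gateway role (otherwise select the certificate in RD Gateway Manager).
# Set-RDCertificate -Role RDGateway -ImportPath $PfxPath -Password $pw -Force

# 5. Load balancer: re-import into ACM under the existing ARN so the ELB listener
#    that references it picks up the renewed certificate without any listener change.
aws acm import-certificate --certificate-arn $AcmArn `
    --certificate fileb://C:\Temp\remote.crt `
    --private-key fileb://C:\Temp\remote.key `
    --certificate-chain fileb://C:\Temp\gd_bundle.crt   # GoDaddy intermediate bundle (placeholder name)
```

The ACM certificate must live in the same region as the load balancer, and the chain bundle is what lets the gateways and ACM build a path to the GoDaddy root.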
