Powershell: install RDS Terminal Server Gateway SSL Certificate

Question

I have a very simple Powershell script to renew SSL certificates. We are using short duration SSL and this is a repetitive process. On our TSG (Terminal Server Gateway), I automated the IIS certificate portion without a glitch, however I'm having issues doing the same on the gateway.

I attempted two options:

# $NewThumb obtained elsewhere from the certificate 
$settings = Get-WmiObject                                   `
            -class          "Win32_TSGatewayServerSettings" `
            -namespace      "root\cimv2\TerminalServices"   `
            -ComputerName   "localhost"                     `
            -Authentication 6 -ErrorAction SilentlyContinue
if ($settings){
    $h="Not Available"
    $settings | fl  # test ONE
    if ($settings.CertHash){
        # convert binary to hex ascii
        $h=""; $settings.CertHash | % {$H+=$_.Tostring("X2") }
    }
    write-host "TH: $NewThumb CH: $h"
    if ($NewThumb -eq $h){
        write-host "We have the correct certificate"
    }else {
    # convert back to byte array 
    $certthumbprint= for ( $i=0; $i -lt $NewThumb.length; $i+=2) { [System.Convert]::ToByte($NewThumb.Substring( $i,2),16) } 
    $settings.SetCertificate($certthumbprint) | Out-Null
    # test if change is effective
    $settings = Get-WmiObject                           -class "Win32_TSGatewayServerSettings"
        -namespace      "root\cimv2\TerminalServices"   -ComputerName "localhost"
        -Authentication 6 -ErrorAction SilentlyContinue
    $settings | fl
    write-host "$($MySelf) New SSL Certificate Installed."
}

Result, BEFORE

__GENUS                         : 2
__CLASS                         : Win32_TSGatewayServerSettings
__SUPERCLASS                    : 
__DYNASTY                       : Win32_TSGatewayServerSettings
__RELPATH                       : Win32_TSGatewayServerSettings.MaxConnections=4294967295
__PROPERTY_COUNT                : 23
__DERIVATION                    : {}
__SERVER                        : TSG
__NAMESPACE                     : root\cimv2\TerminalServices
__PATH                          :\\TSG\root\cimv2\TerminalServ......
adminMessageEndTime             :
adminMessageStartTime           : 
adminMessageText                :
AuthenticationPluginCLSID       : 
AuthenticationPluginDescription :
AuthenticationPluginName        : native
AuthorizationPluginCLSID        :  
AuthorizationPluginDescription  :
AuthorizationPluginName         : native  
CentralCAPEnabled               : False
CertHash                        : 
consentMessageText              :  
EnforceChannelBinding           : True
IsConfigured                    : True
MaxConnections                  : 4294967295 
MaximumAllowedConnectionsBySku  : 4294967295
MaxLogEvents                    : 7
MaxProtocols                    : 2
OnlyConsentCapableClients       : False
RequestSOH                      : False
SkuName                         : Windows Server Datacenter
SslBridging                     : 0 
UnlimitedConnections            : True
PSComputerName                  : TSG

Result, AFTER

..... removed
CertHash                        : {185, 13, 12, 196...}
..... removed

now,the second option (elegant, less code):

# $NewThumb obtained elsewhere from the certificate 
Import-Module RemoteDesktopServices -ErrorAction SilentlyContinue
write-host "Before"
$th=Get-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint
$th | fl  
Set-Item RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $NewThumb 
write-host "after"    
$TH=Get-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint
$th | fl  

Before

certhash
NULL

After

certhash
{185, 13, 12, 196...}

My issue is that when run, either methods, the Thumbprint is correctly set and display on both 'After', but, if I run the script again, on both cases the Thumbprint is initially NULL. Looks like a missing 'commit' on SQL.

I'm running this remotely on invoke-command on the tsg server.

Answer 1

You need to ensure the TSGateway service is stopped before you set the thumbprint. So in your second example you should do:

# $NewThumb obtained elsewhere from the certificate 
Import-Module RemoteDesktopServices -ErrorAction SilentlyContinue
Stop-Service TSGateway
write-host "Before"
$th=Get-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint
$th | fl  
Set-Item RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $NewThumb
Start-Service TSGateway 
write-host "after"    
$TH=Get-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint
$th | fl

This is sadly not documented but this has been my experience after setting this up internally at Microsoft.

Answer 2

You can use the RemoteDesktop module commands to install this cert for you

Either load from PFX file on disk

$Password = ConvertTo-SecureString -String "yourPFXpassword" -AsPlainText -Force
Set-RDCertificate -Role RDGateway -ImportPath "C:\Certificates\NewCert.pfx" -Password $Password

Or load from cert already in your cert store

Set-RDCertificate -Role RDGateway -Thumbprint aedd995b45e633d4ef30fcbc8f3a48b627e9a28c

From https://docs.microsoft.com/en-us/powershell/module/remotedesktop/set-rdcertificate?view=winserver2012r2-ps