2 separate certificates on Public and private IP addresses

  • Question

  • Hello,

    We have servers with private and public IPs at the same time (using 1 NIC).

    I am able to connect to them using the hostnames host123.companydomain.com or host123.windowsdomain.local.

    For the second option we have applied the certificate host123.windowsdomain.local, but we still need to have the ability to use another certificate which will cover the name host123.companydomain.com.

    Is it possible to do it in Windows 2012 R2?

    One certificate can be mapped using the steps from this link: https://support.microsoft.com/en-us/help/3042780/remote-desktop-listener-certificate-configurations-in-windows-server-2

    but I need 2.



    • Edited by Vasily_K_ Tuesday, January 22, 2019 12:01 PM removed html tags
    Tuesday, January 22, 2019 11:59 AM

Answers

  • Hi,

    There is no ability to configure multiple certificates for a single listener. What I would recommend is to configure a certificate issued from a trusted public authority such as GlobalSign, Thawte, Let's Encrypt, GeoTrust, DigiCert, Comodo, etc., and use that for internal and external use cases. To use your example, you would obtain a certificate for host123.companydomain.com or the wildcard *.companydomain.com.

    You can use the Set-RDPublishedName script to change the FQDN that is used for the deployment to broker.companydomain.com instead of broker.windowsdomain.local. On your internal network you would create a DNS A record for broker.companydomain.com and point it to the private IP address of your broker.

    -TP

    • Proposed as answer by NM Tuesday, January 22, 2019 6:44 PM
    • Marked as answer by TP [MVP] Thursday, February 28, 2019 11:59 PM
    Tuesday, January 22, 2019 12:38 PM
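A way to verify the point made in this answer on a given host, added here as an example and not code from the thread, from Microsoft, or from the Set-RDPublishedName script: it reads the thumbprint bound to the RDP-Tcp listener (the same binding the KB article in the question configures), loads that certificate from the machine store, and reports whether its DNS names (SAN entries, or the subject CN when no SAN is present) cover every name the server is reached by, with wildcard entries matching exactly one left-most label. The two host names are the placeholders from the question, and Test-NameCovered is a helper defined in the script itself. Run it elevated on the Windows Server 2012 R2 host.

```powershell
# Added example: does the certificate bound to the RDP-Tcp listener cover every
# name clients use for this host?  Host names are the question's placeholders.
param(
    [string[]]$ExpectedNames = @('host123.companydomain.com', 'host123.windowsdomain.local')
)

# Helper (defined here, not a built-in cmdlet): exact match, or a wildcard that
# covers exactly one left-most label (*.companydomain.com -> host123.companydomain.com).
function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    foreach ($cn in $CertNames) {
        if ($cn -eq $Name) { return $true }
        if ($cn.StartsWith('*.')) {
            $suffix = $cn.Substring(1)            # ".companydomain.com"
            $idx = $Name.IndexOf('.')
            if ($idx -gt 0 -and $Name.Substring($idx) -eq $suffix) { return $true }
        }
    }
    return $false
}

# The RDP-Tcp listener stores the SHA-1 thumbprint of its certificate in WMI.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$thumbprint = $listener.SSLCertificateSHA1Hash
if ([string]::IsNullOrEmpty($thumbprint)) {
    Write-Warning 'No certificate is bound to RDP-Tcp; the self-signed Remote Desktop certificate is in use.'
    return
}

# Resolve the thumbprint to the certificate object in the machine store.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    Write-Warning "Certificate $thumbprint is bound to RDP-Tcp but was not found in LocalMachine\My."
    return
}

# Collect DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
$dnsNames = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    $dnsNames += [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }
}
# Fall back to the subject CN only when there is no SAN at all; clients ignore
# the CN once a SAN extension is present.
if (-not $dnsNames -and $cert.Subject -match 'CN=([^,]+)') {
    $dnsNames += $Matches[1].ToLower()
}

# One row per expected name: Covered = $false means clients using that name
# will get a name-mismatch warning from this listener.
foreach ($name in $ExpectedNames) {
    [pscustomobject]@{
        Name       = $name
        Covered    = Test-NameCovered -Name $name.ToLower() -CertNames $dnsNames
        Thumbprint = $thumbprint
        NotAfter   = $cert.NotAfter
    }
}
```

With the single-name host123.windowsdomain.local certificate from the question, the row for host123.companydomain.com comes back with Covered = False, which is the mismatch the listener cannot avoid by adding a second certificate; a certificate whose SAN lists both names, or the wildcard the answer suggests, makes both rows True. The internal A record the answer describes can be created on the DNS server with the DnsServer module's Add-DnsServerResourceRecordA cmdlet, using the private address as the IPv4Address value.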

All replies

  • Hi,
    I agree with Mr TP.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, January 23, 2019 10:43 AM