
VDA RDP SSL certificates


Chris Gundry

Question

Hi all

 

This is not really a Citrix question, but because it relates to VDAs I wondered if anyone else had any useful info on the subject?

 

We have a company-wide policy to deploy RDP SSL certificates via GPO. This means that when a machine starts up, it gets the GPO, which tells it to request a cert from the local CA, which it does and then applies it to RDP on the local machine. This applies to workstations with RDP enabled, and also to servers with RDP enabled. We use VDAs generated by MCS for our catalogues. Because the VDAs have RDP enabled they get this policy and request a cert.

 

This works fine, except that each time the machine starts up it requests a new certificate from the CA, so we have a LOT of certs requested by the VDAs each time they restart, then those certs sit around in the CA causing a mess... I am not sure why they are re-requesting a cert each time they restart as other servers restart and don't request a new cert. So I can only assume it is part of the provisioning/OOB experience or something that is causing it to see it as a new machine and request 

 

Does anyone else actually use SSL certs for RDP and if so how do you handle this for the VDA servers which restart and request a new cert as above? The only thing I have at the moment would be to filter out the VDAs from the policy, which I don't really want to do.

 

Thanks!


2 answers to this question


I assume these must be non-persistent MCS machines, so they will revert to the master image every time they restart - which is why they lose the certificates and request new ones.  I don't really see any way around that, if you want to keep the VDAs in scope for that policy.

 

If it were me, I think I would look at it from the other side - scripting a cleanup of redundant certificates on the CA.

1 minute ago, Michael Burnstead1709159565 said:

I assume these must be non-persistent MCS machines, so they will revert to the master image every time they restart - which is why they lose the certificates and request new ones.  I don't really see any way around that, if you want to keep the VDAs in scope for that policy.

 

If it were me, I think I would look at it from the other side - scripting a cleanup of redundant certificates on the CA.

 

Thanks for the reply. Yeah, that is where I ended up really... Just wanted to see if anyone else had handled it in any different ways. I really need to leave the policy in place, so think the cleanup is the only other way really.

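One way to plan the CA-side cleanup the replies settle on, as an added example that is not from the thread: a PowerShell dry run that selects, per VDA hostname, every still-valid RDP certificate except the newest. The column names, the template name `RDP-TLS`, the hostname pattern and the sample rows are assumptions constructed for illustration.

```powershell
# Constructed sample standing in for an export of issued certificates from the CA.
# Column names, template name and hostnames are assumptions for illustration.
$export = @'
RequestId,CommonName,Template,NotBefore,NotAfter,SerialNumber
101,VDA-001.corp.example,RDP-TLS,2024-02-26T07:01:00Z,2025-02-25T07:01:00Z,SAMPLE-0101
118,VDA-001.corp.example,RDP-TLS,2024-02-27T07:02:00Z,2025-02-26T07:02:00Z,SAMPLE-0118
131,vda-001.corp.example,RDP-TLS,2024-02-28T07:00:00Z,2025-02-27T07:00:00Z,SAMPLE-0131
119,VDA-002.corp.example,RDP-TLS,2024-02-27T07:03:00Z,2025-02-26T07:03:00Z,SAMPLE-0119
090,VDA-002.corp.example,RDP-TLS,2023-01-10T07:00:00Z,2024-01-10T07:00:00Z,SAMPLE-0090
095,FILE-01.corp.example,RDP-TLS,2024-01-15T09:00:00Z,2025-01-14T09:00:00Z,SAMPLE-0095
120,VDA-002.corp.example,WebServer,2024-02-27T08:00:00Z,2025-02-26T08:00:00Z,SAMPLE-0120
'@ | ConvertFrom-Csv

function Get-RedundantRdpCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Row,
        [Parameter(Mandatory)] [string]   $Template,
        [Parameter(Mandatory)] [string]   $NamePattern,   # regex matching non-persistent VDA names only
        [datetime] $Now = (Get-Date)
    )
    $newestFirst = @(
        @{ Expression = { [datetime]$_.NotBefore }; Descending = $true },
        @{ Expression = { [int]$_.RequestId };      Descending = $true }   # tie-breaker
    )
    $Row |
        # Persistent servers and other templates are never candidates.
        Where-Object { $_.Template -eq $Template -and $_.CommonName -match $NamePattern } |
        # Already-expired certificates need no revocation; leave them to normal DB pruning.
        Where-Object { [datetime]$_.NotAfter -gt $Now } |
        # Hostname case can differ between requests, so group case-insensitively.
        Group-Object -Property { $_.CommonName.ToLowerInvariant() } |
        ForEach-Object {
            # Keep the certificate issued on the most recent boot; the rest are redundant.
            $_.Group | Sort-Object -Property $newestFirst | Select-Object -Skip 1
        }
}

# Dry run: list candidates for review before anything is revoked or deleted on the CA.
$now = [datetime]'2024-03-01T00:00:00Z'
Get-RedundantRdpCertificate -Row $export -Template 'RDP-TLS' -NamePattern '^VDA-\d+\.' -Now $now |
    Select-Object RequestId, CommonName, NotBefore, SerialNumber |
    Format-Table -AutoSize
```

With the sample rows this lists requests 101 and 118 for VDA-001 and nothing for VDA-002 or FILE-01, so persistent servers and each VDA's current certificate are left alone.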
