Apply a single wildcard PFX certificate to every Remote Desktop Services 2012 role (RD Publishing, RD Web Access, RD Connection Broker / Redirector, and RD Gateway) from one PowerShell script. Run on the Connection Broker, point it at the PFX, supply the password as a SecureString, and the script idempotently rolls the certificate to all selected roles.

This script is for Remote Desktop Services 2012 / 2012 R2 administrators who use a wildcard certificate (for example *.contoso.com) and want to roll it onto every RDS role from one place. Run it on the RD Connection Broker after copying the PFX locally, and the deployment ends with the same trusted certificate on RD Publishing, RD Web Access, the RD Connection Broker (Redirector) and the RD Gateway.
What the script does
- Validates the PFX file path exists before doing anything mutative.
- Imports the PFX into `Cert:\LocalMachine\My` so it is available to the RDS roles.
- Iterates over each RDS role and calls `Set-RDCertificate` against the broker FQDN.
- Uses `-Force` to suppress confirmation prompts so it can run unattended.
- Requires the `RemoteDesktop` PowerShell module (installed with the RDCB role) and the `PKI` module (built into Windows Server 2012 R2+).
```powershell
#requires -RunAsAdministrator
#requires -Modules RemoteDesktop, PKI
<#
.SYNOPSIS
    Deploys a single wildcard PFX certificate to all Remote Desktop Services
    2012 / 2012 R2 roles from the Connection Broker.
.DESCRIPTION
    Imports the supplied wildcard PFX into the local machine store and
    applies it to each requested RDS role via Set-RDCertificate. Defaults
    to all four roles: RDPublishing, RDWebAccess, RDRedirector, RDGateway.
.PARAMETER PfxPath
    Path to the wildcard PFX file. Local paths are recommended (for example
    C:\Cert\RDS\wildcard.contoso.com.pfx).
.PARAMETER PfxPassword
    The PFX password as a SecureString. Use Read-Host -AsSecureString to
    prompt interactively, or supply via a vault / secret manager.
.PARAMETER ConnectionBroker
    Fully qualified domain name of the RD Connection Broker. Use the FQDN
    of the server, not the high-availability round-robin DNS name.
.PARAMETER Roles
    One or more RDS roles to apply the certificate to. Defaults to all four.
.EXAMPLE
    $pw = Read-Host 'PFX password' -AsSecureString
    Set-RdsWildcardCertificate `
        -PfxPath 'C:\Cert\RDS\wildcard.contoso.com.pfx' `
        -PfxPassword $pw `
        -ConnectionBroker 'rdcb01.contoso.com'
.NOTES
    Run this script on the RD Connection Broker. The RemoteDesktop module
    is installed by the RDCB role.
#>
function Set-RdsWildcardCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$PfxPath,

        [Parameter(Mandatory)]
        [SecureString]$PfxPassword,

        [Parameter(Mandatory)]
        [string]$ConnectionBroker,

        [ValidateSet('RDPublishing', 'RDWebAccess', 'RDRedirector', 'RDGateway')]
        [string[]]$Roles = @('RDPublishing', 'RDWebAccess', 'RDRedirector', 'RDGateway')
    )

    # 1. Sanity check the PFX path.
    if (-not (Test-Path -LiteralPath $PfxPath -PathType Leaf)) {
        throw "PFX not found at '$PfxPath'. Copy the file locally first."
    }

    # 2. Import the PFX into the local machine personal store if not already there.
    #    Set-RDCertificate will also import via -ImportPath, but pre-importing
    #    makes the thumbprint visible for verification and lets the script fail
    #    fast if the password is wrong.
    Write-Host "Importing $PfxPath into Cert:\LocalMachine\My ..." -ForegroundColor Cyan
    $imported = Import-PfxCertificate `
        -FilePath $PfxPath `
        -Password $PfxPassword `
        -CertStoreLocation Cert:\LocalMachine\My `
        -Exportable `
        -ErrorAction Stop
    Write-Host ("Imported certificate. Thumbprint: {0}" -f $imported.Thumbprint) -ForegroundColor Green

    # 3. Apply to each role.
    foreach ($role in $Roles) {
        Write-Host "Applying certificate to role: $role" -ForegroundColor Cyan
        try {
            Set-RDCertificate `
                -Role $role `
                -ImportPath $PfxPath `
                -Password $PfxPassword `
                -ConnectionBroker $ConnectionBroker `
                -Force `
                -ErrorAction Stop
            Write-Host "  Success: $role" -ForegroundColor Green
        }
        catch {
            Write-Warning "  Failed to apply certificate to $role : $($_.Exception.Message)"
        }
    }

    Write-Host "`nReview the deployment with:" -ForegroundColor Cyan
    Write-Host "  Get-RDCertificate -ConnectionBroker $ConnectionBroker | Format-Table Role, Level, ExpiresOn, Thumbprint"
}
```
How to use it
```powershell
# Run on the RD Connection Broker, elevated:
$pw = Read-Host 'PFX password' -AsSecureString
. .\Set-RdsWildcardCertificate.ps1
Set-RdsWildcardCertificate `
    -PfxPath 'C:\Cert\RDS\wildcard.contoso.com.pfx' `
    -PfxPassword $pw `
    -ConnectionBroker 'rdcb01.contoso.com' `
    -Verbose
```

To roll only a subset of roles (for example to re-deploy just RD Gateway and RD Web Access without touching publishing and redirector), pass `-Roles`:

```powershell
Set-RdsWildcardCertificate `
    -PfxPath 'C:\Cert\RDS\wildcard.contoso.com.pfx' `
    -PfxPassword $pw `
    -ConnectionBroker 'rdcb01.contoso.com' `
    -Roles 'RDWebAccess', 'RDGateway'
```
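To confirm the roll actually landed on every role rather than trusting the per-role success lines, here is an added verification function (example code, not part of the original script) that compares each role's thumbprint reported by `Get-RDCertificate` with the one `Import-PfxCertificate` returned and flags mismatches, untrusted chains and near-expiry. It assumes `Get-RDCertificate` reports `Level` as `Trusted` for a certificate that chains to a trusted root.

```powershell
# Added example: post-deployment check for Set-RdsWildcardCertificate.
# Pass the thumbprint printed by the deployment step as -ExpectedThumbprint.
function Test-RdsCertificateDeployment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ConnectionBroker,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [int]$WarnDays = 30   # warn when fewer days than this remain
    )

    # Normalise the thumbprint: strip whitespace, compare case-insensitively.
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

    $results = foreach ($c in Get-RDCertificate -ConnectionBroker $ConnectionBroker) {
        $actual   = if ($c.Thumbprint) { $c.Thumbprint.ToUpperInvariant() } else { '' }
        $daysLeft = if ($c.ExpiresOn) { [int]([datetime]$c.ExpiresOn - (Get-Date)).TotalDays } else { $null }

        # Assumption: Level is 'Trusted' when the chain validates on the broker.
        $status = if ($actual -ne $expected)      { 'MISMATCH'  }
                  elseif ($c.Level -ne 'Trusted') { 'UNTRUSTED' }
                  elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
                  else                            { 'OK' }

        [pscustomobject]@{
            Role       = $c.Role
            Level      = $c.Level
            DaysLeft   = $daysLeft
            Thumbprint = $actual
            Status     = $status
        }
    }

    $results | Format-Table -AutoSize | Out-String | Write-Host

    # Fail loudly if any role is not carrying the expected, trusted, current certificate.
    $bad = @($results | Where-Object { $_.Status -ne 'OK' })
    if ($bad.Count -gt 0) {
        throw ("{0} role(s) not in the expected state: {1}" -f $bad.Count, ($bad.Role -join ', '))
    }
    return $results
}

# Usage, on the broker after the deployment step:
# Test-RdsCertificateDeployment -ConnectionBroker 'rdcb01.contoso.com' -ExpectedThumbprint $imported.Thumbprint
```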
Security notes
- Never check the PFX into source control. Stage it under `C:\Cert\RDS\` and remove the file after deployment, or load it from a secrets vault.
- Always supply the password as a SecureString. Avoid command-history exposure: `Read-Host -AsSecureString` prompts without echo, and the string never appears as plain text in `Get-History` output.
- Use the broker FQDN, not the HA / round-robin name. `Set-RDCertificate` resolves the broker via its actual server FQDN; a load-balanced name can land on the wrong node mid-run.
- Plan for rollback. Keep the previous certificate exported as PFX so you can re-run the script with the older file if a renewal causes client issues.
- Restart RDS services where needed. RD Gateway changes are picked up immediately, but a manual `Restart-Service TermService` on Session Hosts after a publishing change can clear stale RDP connection caches.
Original 2014 script
The original 2014 download was hosted on TechNet Gallery (now retired). The function above reproduces its behaviour using the documented RDS 2012 cmdlets (`Set-RDCertificate`) and adds parameter validation, a thumbprint capture step, and explicit `-ErrorAction Stop` so a single failed role does not silently leave the deployment in a mixed state.