A post-renewal script for Certify that replaces the Remote Desktop Gateway certificate.

Replace-RDGatewayCertificate.ps1

<#
Replace-RDGatewayCertificate.ps1
Version 1.0.1 -- fixed my bad grammar
by Colin Cogle <colin@colincogle.name>

This program is free software: you can redistribute it and/or modify it under the terms
of the GNU General Public License as published by the Free Software Foundation,  either
version 3 of the License.  This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program.
If not, see <https://www.gnu.org/licenses/gpl-3.0.en.html>.
#>

<#
.SYNOPSIS
This post-flight script for Certify replaces the Remote Desktop Gateway certificate.

.DESCRIPTION
This script is meant to be called after a renewal by Certify 3. If a certificate was successfully
issued by and retrieved from Let's Encrypt, this will assign it to Remote Desktop Gateway.

.PARAMETER result
The certificate information returned by Certify.

.COMPONENT
RemoteDesktopServices

.LINK
https://gist.github.com/rhymeswithmogul/1cf289ab5affa35b02f664c0a359be57

.NOTES
This worked for me on Server 2012 R2.  However, this script is provided as-is.

If you have a full-blown 2012/2016 Remote Desktop deployment, then you'll be able to use the example
on Certify's GitHub page to change the certificate (with the RemoteDesktop\Set-RDCertificate cmdlet).
This script is useful if you've installed only the Remote Desktop Gateway role, or if you're on a
downlevel version of Windows Server.
#>

Param(
  [Parameter(Mandatory=$true)]$result
)

# Did the renewal succeed?  If not, stop.
If (-Not $result.IsSuccess) {
  Exit
}

# Call a 64-bit PowerShell session.
# Modules like RemoteDesktopServices are not available in a 32-bit instance.
# See also: https://github.com/webprofusion/certify/blob/master/docs/Request%20Script%20Hooks.md
. "${env:windir}\sysnative\WindowsPowerShell\v1.0\powershell.exe" -Args $result -Command {
  $result = $args[0]
     
  # Check and see if the Remote Desktop Services PowerShell module is available.
  # We'll use it if we can -- it's simpler.
  $RDSPath = "RDS:\GatewayServer\SSLCertificate\Thumbprint"
  Import-Module -Name RemoteDesktopServices -ErrorAction SilentlyContinue 
  If (Test-Path -Path $RDSPath) {
    Set-Item -Path $RDSPath -Value ($result.ManagedItem.CertificateThumbprintHash)
  }
  Else {
    # The RDS PowerShell module must not be available, so let's go through WMI.
    # First, though, we need to convert the thumbprint from a string into a byte array.
    # Special thanks to: http://www.beefycode.com/post/Convert-FromHex-PowerShell-Filter.aspx
    $ByteArray = (($result.ManagedItem.CertificateThumbprintHash) -Split "(?<=\G\w{2})(?=\w{2})" | ForEach {[Convert]::ToByte($_,16)})

    # I found out after significant poking and prodding that the settings are stored here,
    # and though you can *read* the CertHash, the SetCertificate() method is the only way to change it.
    $wmi = (Get-WmiObject -Class "Win32_TSGatewayServerSettings" -Namespace "root\cimv2\terminalservices")
    $wmi.SetCertificate($ByteArray)
  }

  # Changes don't take effect until the service is restarted, but this will temporarily disconnect
  # all connected users.  Comment this line if you don't want that to happen automatically.
  Restart-Service -Name TSGateway -Force
}