<#
A post-renewal script for Certify that replaces the Remote Desktop Gateway certificate.
by Colin Cogle <>

This program is free software: you can redistribute it and/or modify it under the terms
of the GNU General Public License as published by the Free Software Foundation, either
version 3 of the License. This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program.
If not, see <>.
#>

<#
.SYNOPSIS
This post-flight script for Certify replaces the Remote Desktop Gateway certificate.

.DESCRIPTION
This script is meant to be called after a renewal by Certify 3. If a certificate was successfully
issued by and retrieved from Let's Encrypt, this will assign it to Remote Desktop Gateway.

.PARAMETER result
The certificate information returned by Certify.

.NOTES
This worked for me on Server 2012 R2. However, this script is provided as-is.

If you have a full-blown 2012/2016 Remote Desktop deployment, then you'll be able to use the example
on Certify's GitHub page to change the certificate (with the RemoteDesktop\Set-RDCertificate cmdlet).
This script is useful if you've installed only the Remote Desktop Gateway role, or if you're on a
downlevel version of Windows Server.
#>
Param($result)

# Did the renewal succeed? If not, stop.
If (-Not $result.IsSuccess) {
    Return
}

# Call a 64-bit PowerShell session.
# Modules like RemoteDesktopServices are not available in a 32-bit instance.
# (The sysnative alias only exists when the calling process is 32-bit on 64-bit Windows;
# a 64-bit caller can run powershell.exe from System32 directly.)
# See also:
& "${env:windir}\sysnative\WindowsPowerShell\v1.0\powershell.exe" -Args $result -Command {
    $result = $args[0]

    # Check and see if the Remote Desktop Services PowerShell module is available.
    # We'll use it if we can -- it's simpler.
    $RDSPath = "RDS:\GatewayServer\SSLCertificate\Thumbprint"
    Import-Module -Name RemoteDesktopServices -ErrorAction SilentlyContinue
    If (Test-Path -Path $RDSPath) {
        Set-Item -Path $RDSPath -Value ($result.ManagedItem.CertificateThumbprintHash)
    }
    Else {
        # The RDS PowerShell module must not be available, so let's go through WMI.
        # First, though, we need to convert the thumbprint from a string into a byte array
        # (split the hex string into two-character chunks and parse each as base 16).
        # Special thanks to:
        [Byte[]]$ByteArray = (($result.ManagedItem.CertificateThumbprintHash) -Split "(?<=\G\w{2})(?=\w{2})" | ForEach {[Convert]::ToByte($_,16)})

        # I found out after significant poking and prodding that the settings are stored here,
        # and though you can *read* the CertHash, the SetCertificate() method is the only way to change it.
        $wmi = (Get-WmiObject -Class "Win32_TSGatewayServerSettings" -Namespace "root\cimv2\terminalservices")
        $wmi.SetCertificate($ByteArray)
    }

    # Changes don't take effect until the service is restarted, but this will temporarily disconnect
    # all connected users. Comment this line if you don't want that to happen automatically.
    Restart-Service -Name TSGateway -Force
}
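The script above swaps the binding and restarts the service but never confirms the result. The following is an added example, not part of the gist and not Certify's code: a check that the gateway is bound to the new thumbprint, that the certificate is in the machine store with its private key, and that the listener actually presents it to a TLS client. It assumes the thumbprint you pass is the SHA-1 value Certify reported in $result.ManagedItem.CertificateThumbprintHash, that the gateway listens on port 443 on the local machine, and that the WMI class and CertHash property are the ones the gist reads; the function names are my own.

```powershell
# Added example (not from the gist). Run in 64-bit PowerShell on the gateway host
# after the swap. Assumes Win32_TSGatewayServerSettings.CertHash holds the bound
# SHA-1 thumbprint as a byte array, as the gist's comment describes.

Function ConvertTo-HexString {
    # Turn a byte array (the form WMI returns CertHash in) back into the upper-case
    # hex string that Certify and Cert:\ use for thumbprints.
    Param([Byte[]]$Bytes)
    Return (($Bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

Function Get-ServedCertificateThumbprint {
    # Open a TLS connection and report the thumbprint of whatever certificate the
    # listener actually presents. Chain validation is bypassed on purpose: we compare
    # the thumbprint ourselves, and an untrusted chain must not mask a wrong cert.
    Param([String]$HostName = 'localhost', [Int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    Try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Return $served.Thumbprint
    }
    Finally {
        If ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

Function Test-RDGatewayCertificate {
    Param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[0-9A-Fa-f]{40}$')]   # SHA-1 thumbprint: 20 bytes as hex
        [String]$ExpectedThumbprint,
        [String]$HostName = 'localhost',
        [Int]$Port = 443
    )
    $expected = $ExpectedThumbprint.ToUpper()
    $ok = $true

    # 1. The binding the gateway has stored. CertHash is readable even though only
    #    SetCertificate() can change it.
    $settings = Get-WmiObject -Class Win32_TSGatewayServerSettings -Namespace root\cimv2\terminalservices
    $bound = ConvertTo-HexString -Bytes $settings.CertHash
    If ($bound -ne $expected) {
        Write-Warning "Gateway is bound to '$bound', expected '$expected'."
        $ok = $false
    }

    # 2. The certificate must sit in the machine store with its private key, or the
    #    gateway cannot complete a handshake with it no matter what is bound.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $expected }
    If (-not $cert) {
        Write-Warning "No certificate with thumbprint $expected in Cert:\LocalMachine\My."
        $ok = $false
    }
    ElseIf (-not $cert.HasPrivateKey) {
        Write-Warning "Certificate $expected has no private key."
        $ok = $false
    }
    ElseIf ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate $expected expired on $($cert.NotAfter)."
        $ok = $false
    }

    # 3. What clients actually see. This stays stale until TSGateway is restarted,
    #    which is why the script above restarts the service.
    Try {
        $served = Get-ServedCertificateThumbprint -HostName $HostName -Port $Port
        If ($served -ne $expected) {
            Write-Warning "Listener on ${HostName}:$Port presents '$served', expected '$expected'. Restart TSGateway."
            $ok = $false
        }
    }
    Catch {
        Write-Warning "Could not complete a TLS handshake with ${HostName}:${Port}: $_"
        $ok = $false
    }

    Return $ok
}

# Usage, for instance as the last step of the post-renewal script:
# Test-RDGatewayCertificate -ExpectedThumbprint $result.ManagedItem.CertificateThumbprintHash
```

All three checks run from the gateway itself, so a passing result says the binding, the key material and the live listener agree; a failure in step 3 alone usually means the service was not restarted after SetCertificate().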