SSL certificate terminal server / rds


I follow this link How to create an UCS-CA signed certificate for a non-UCS system within domain to generate a certificate for a remote desktop server.

Then i convert it to *.pfx so i can import it to rds, but i always get an error:

I was albe to import the same *.pfx into the iis and because i add the univention root ca into the server via gpo the iis works ok and the cert is trusted.

Only can’t put it to work in rds

This helped UCS 4.1 RootCA und Windows 2012 R2 Terminalserver Zertifikat

NOTE1: use google translator…

NOTE2: the wmic command have some bugs (maybe because forum migration as is an old post)

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash = "certfingerprint"

In /etc/univention/ssl/openssl.cnf if we add the line

extendedKeyUsage = serverAuth

The “normal” import solution in windows work out of the box, my question is why that option is missing in ucs 4.3? Can we keep it?
From the refered post i’m assuming that option already exists in ucs defaults…


Anyone from univention can comment on this?