By default, Transport Layer Security (TLS) 1.0 is used to encrypt communications between Remote Desktop Services clients and RD Gateway servers over the Internet. For TLS to function correctly, you must install a Secure Sockets Layer-compatible X.509 certificate on the RD Gateway server.
You can obtain a certificate in one of the following ways:
- You can generate and submit a certificate request to obtain a certificate from a stand-alone or an enterprise certification authority (CA).
- You can purchase a certificate (or obtain one at no cost on a trial basis) from one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program [as listed in article 931125 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=59547)].
- You can use the Add Roles Wizard to create a self-signed certificate when you install the RD Gateway role service, or you can use Remote Desktop Gateway Manager to do this after RD Gateway is installed.
Note: We recommend that you use a self-signed certificate only for testing and evaluation purposes.
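To find a self-signed test certificate that was left in place on an RD Gateway server, you can audit the certificates installed on it. The PowerShell below is an added example, not part of the original documentation; it assumes the certificates are in the computer's Personal store (Cert:\LocalMachine\My) and that a usable certificate carries the Server Authentication EKU, and the function name Test-GatewayCertificate is hypothetical.

```powershell
# Added example. Assumptions: the candidate certificates are in the computer's
# Personal store, and a usable certificate carries the Server Authentication EKU.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Test-GatewayCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Read EKU OIDs straight from the extension; no EKU extension means "any purpose".
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    # Build the chain against the local trust stores, without revocation lookups.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainTrusted = $chain.Build($Certificate)

    New-Object PSObject -Property @{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        # Subject equal to Issuer marks a self-issued (typically self-signed) certificate.
        SelfSigned    = ($Certificate.Subject -eq $Certificate.Issuer)
        ChainTrusted  = $chainTrusted
        HasPrivateKey = $Certificate.HasPrivateKey
        ServerAuthEku = ($ekuOids.Count -eq 0 -or $ekuOids -contains $ServerAuthOid)
        Expired       = ($Certificate.NotAfter -lt (Get-Date))
    }
}

# Report every certificate in the computer's Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-GatewayCertificate -Certificate $_ } |
    Select-Object Subject, SelfSigned, ChainTrusted, HasPrivateKey, ServerAuthEku, Expired, Thumbprint |
    Format-Table -AutoSize
```

A row with SelfSigned = True is the case the note reserves for testing and evaluation. ChainTrusted reflects only this server's trust stores, so a self-signed certificate that was added to the local Trusted Root store can still show True while clients reject it.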
For more information about RD Gateway, see the Remote Desktop Services page on the Windows Server 2008 R2 TechCenter (
This section describes certificate requirements for the RD Gateway server and provides more information about the different methods that you can use to obtain a certificate. The following topics are covered: