The following are step-by-step guides by product: NFA or NPC
NFA - Nerdio for Azure
- Download the Install_AutoCert.ps1 script from KB
- Ensure any server expected to update certificates is powered on and accessible (DC, FS, RDSCB, RDGW, RDSH, WS)
  - For AVD environments this means DC and FS (no certificate replacement is needed on session host VMs)
  - For RDS environments this means DC, FS, RDSCB, RDGW, RDSH and WS
- Run the script from DC01 as domain admin – the script will explicitly connect to each matching server to install and execute the AutoCert scheduled task.
- If ADFS is not currently functional on DC01, it will be skipped for this iteration
- Until we enable live replacement from our side, the task will not replace the live certificate; it will keep checking nightly for our update
- (Optional) Verify each server has the CertificateReplacement scheduled task installed
- The day we toggle replacement ON, beginning that evening servers will pull & apply the updated certificate
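The optional verification step above can be scripted. The following is an added example (it is not Nerdio's Install_AutoCert.ps1 and is not part of the original KB article): run from DC01 as a domain admin, it uses PowerShell remoting to confirm that the CertificateReplacement scheduled task and C:\AutoCert\ExpiryCheck.ps1 exist on every server the installer was expected to touch, and lists any server that did not respond. The server names, and the assumption that WinRM is enabled between DC01 and the targets, are illustrative.

```powershell
# Added example, not Nerdio's script. Audits the CertificateReplacement task
# on each server after Install_AutoCert.ps1 has run. Requires WinRM to targets.
$Servers  = 'DC01', 'FS01', 'RDSCB01', 'RDGW01', 'RDSH01', 'WS00'   # assumption: your server names
$TaskName = 'CertificateReplacement'                                # task name as given in the KB

$report = Invoke-Command -ComputerName $Servers -ErrorAction Continue -ArgumentList $TaskName -ScriptBlock {
    param($TaskName)
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    $info = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }
    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        TaskPresent   = [bool]$task
        TaskState     = if ($task) { $task.State.ToString() } else { 'missing' }
        LastRunTime   = if ($info) { $info.LastRunTime } else { $null }
        LastResult    = if ($info) { $info.LastTaskResult } else { $null }   # 0 means the last run succeeded
        NextRunTime   = if ($info) { $info.NextRunTime } else { $null }
        ScriptPresent = Test-Path 'C:\AutoCert\ExpiryCheck.ps1'
    }
}

# Servers that were powered off or unreachable over WinRM are simply absent
# from $report, so list them explicitly rather than letting them slip by.
$missing = $Servers | Where-Object { $_ -notin $report.Server }

$report | Sort-Object Server | Format-Table Server, TaskPresent, TaskState, LastRunTime, LastResult, NextRunTime, ScriptPresent -AutoSize
if ($missing) { Write-Warning "No response from: $($missing -join ', ') - power on / check WinRM and rerun the install script" }
$report | Where-Object { -not $_.TaskPresent -or -not $_.ScriptPresent } | ForEach-Object {
    Write-Warning "$($_.Server): task or ExpiryCheck.ps1 missing; rerun the install script with this server online"
}
```

A non-zero LastResult on a server whose task is present usually means the nightly check failed (for example, the script was blocked by an endpoint security product); that is the case the exclusion advice later on this page is about.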
NPC - Nerdio Private Cloud
- Download the Install_AutoCertNPC.ps1 script from KB
- Ensure any server expected to update certificates is powered on and accessible (DC, RDS, CM)
- Run the Install_AutoCertNPC.ps1 script from DC01 – the script will explicitly connect to each matching server to install and execute the AutoCert scheduled task.
- For this replacement (March 2021) the replacement tasks are already live, so the script will perform the actual certificate replacement
- CM* will schedule a reboot for 9:15PM server time the Saturday prior to expiration. If <7 days before expiration, CM* will instead schedule a reboot for the evening before expiration (3/19 at 9:15PM server time)
- Customers can modify the scheduled reboot by changing the scheduled task ‘CertificateReplacement – Reboot’ or initiating a reboot on their own to finalize the new certificate change.
- Download the Install_AutoCertNPC_SG01.ps1 script from the KB and run it on the SG* server.
- SG* will schedule a reboot for 9:30PM server time the Saturday prior to expiration. If <7 days before expiration, SG* will instead schedule a reboot for the evening before expiration (3/19 at 9:30PM server time)
- Customers can modify the scheduled reboot by changing the scheduled task ‘CertificateReplacement – Reboot’ or initiating a reboot on their own to finalize the new certificate change.
- (If PRX01 is used) Download the Install_AutoCertNPC_PRX.ps1 script from the KB and run on NPC PRX* server.
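The reboot-scheduling rule for CM* and SG* above (Saturday before expiration, or the evening before expiration when fewer than 7 days remain) is easy to get wrong when checking by hand. The following is an added example, not Nerdio's script: it reproduces that rule as a function so you can predict when the automation will reboot a server and, if you choose, move the 'CertificateReplacement - Reboot' task yourself as the text permits. It assumes the live *.nerdio.net certificate is in the LocalMachine\My store and that the reboot time is 21:15 for CM and 21:30 for SG, as stated above.

```powershell
# Added example, not Nerdio's script. Computes the reboot time the KB rule
# describes for CM* (21:15) and SG* (21:30) servers from a certificate expiry.
function Get-CertReplacementRebootTime {
    param(
        [Parameter(Mandatory)][datetime]$NotAfter,      # certificate expiration
        [datetime]$Now = (Get-Date),                    # when the rule is evaluated
        [ValidateSet('CM', 'SG')][string]$Role = 'CM'
    )
    $time = if ($Role -eq 'SG') { [timespan]'21:30' } else { [timespan]'21:15' }
    $expiryDay = $NotAfter.Date
    if (($expiryDay - $Now.Date).TotalDays -lt 7) {
        # Fewer than 7 days left: reboot the evening before expiration
        $day = $expiryDay.AddDays(-1)
    } else {
        # Otherwise: the Saturday strictly before the expiration date
        $day = $expiryDay.AddDays(-1)
        while ($day.DayOfWeek -ne [DayOfWeek]::Saturday) { $day = $day.AddDays(-1) }
    }
    return $day.Add($time)
}

# Find the live wildcard certificate (assumption: LocalMachine\My, newest by expiry)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.nerdio.net*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No *.nerdio.net certificate found in LocalMachine\My' }

$when = Get-CertReplacementRebootTime -NotAfter $cert.NotAfter -Role 'CM'
"Certificate expires $($cert.NotAfter); the automation would reboot this CM server at $when"

# To move the reboot (the KB says customers may edit the task), rewrite its
# trigger. Uncomment to apply; here it shifts the reboot one hour later.
# Set-ScheduledTask -TaskName 'CertificateReplacement - Reboot' `
#     -Trigger (New-ScheduledTaskTrigger -Once -At $when.AddHours(1))
```

Checked against the dates in the text: for a certificate expiring on Saturday 20 March 2021, evaluating the function on 1 March gives Saturday 13 March at 21:15, and evaluating it on 15 March (fewer than 7 days left) gives Friday 19 March at 21:15, matching the "3/19 at 9:15PM" case above.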
Nerdio Note
RDS Collection hosts do not require certificate updates since they communicate through the broker
PRX01 (DMZ) servers certificates for Nerdio for Azure (NFA) accounts will be updated by Nerdio
All future Nerdio deployments will include the Certificate Replacement task by default for both *.nerdio.net and *.adminportal.pro.
Noteworthy items:
- The Certificate Replacement task runs daily on each server and only replaces soon-to-expire certificates if they are *.nerdio.net or *.adminportal.pro, and actively in use for the required roles
- Certificates will only be replaced if they are in-use and expiring within the next 45 days (or already expired)
- All servers/workstations, including WS00, must be powered on when the install script runs so the task can be created. Once the replacement task is in place, certificate replacement will occur as long as the VM is powered on at some point during the daily task replacement window
- Custom certificates (anything other than *.nerdio.net and *.adminportal.pro) are the partner’s responsibility to manage and will not be altered, replaced, or updated by this process
- Certificate replacement window occurs between 8:30pm and 9:30pm (based on the local time of the Azure VM) (NPC scheduled reboots will occur at 9:15pm - 9:30pm server time March 19th).
- Thin Clients: if using certificate-secured thin clients, download the appropriate new certificate (*.nerdio.net or *.adminportal.pro only) from the Downloads section below and apply it to the clients
Effects on the Nerdio environment during the replacement process
- Certificate replacement process happens once per certificate (annually)
- The DC01 scheduled certificate replacement task will restart the ADFS service for ~30 seconds. If you are using ADFS for authentication, new logins will not work during this short window, but existing sessions are unaffected.
- Thin client hardware must be updated by the partner with the new certificate before expiration
Certificates that get updated through automation:
- DC01: ADFS certificates (ADFS, ADFS service communication), TS certificate
- FS01: TS certificate
- PRX01: TS certificate, ADFS certificate
- RDSH: TS certificate
- RDSCB01: TS certificate, RD Role certificates (Redirector, Publishing, WebAccess)
- RDGW01: TS certificate, RDGW certificate, RD Web Client Broker certificate
- WSXX: TS certificate
- SG01: TS certificate
- CM01: TS certificate
Additional information and general overview
Nerdio recommends monitoring the scheduled certificate replacement task via RMM and/or monitoring tools. It is also recommended to exclude the task and the scripts it launches from any security applications so they are not blocked; scope the exclusion to the task and the C:\AutoCert path rather than disabling protection more broadly, since an exclusion on a domain controller is itself worth keeping narrow.
What to expect for the Certificate Replacement Task:
- C:\AutoCert will be created on each server
- It will contain ExpiryCheck.ps1, which the daily task calls
- If the expiry check returns true, the Verification and Replacement scripts run to update the appropriate certificates
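To make the daily check concrete, here is an added example of the kind of test ExpiryCheck.ps1 is described as performing; it is written for this page and is not Nerdio's ExpiryCheck.ps1. Run locally on a server, it lists *.nerdio.net and *.adminportal.pro certificates in the machine store that are expired or expire within 45 days (the threshold stated above), and reports whether each is the certificate actually bound to the RDP listener (the "TS certificate" in the list above). Only the RDP binding is checked here; the ADFS and RD role bindings on DC01, PRX01, RDSCB01 and RDGW01 would need their own lookups, which this example does not attempt.

```powershell
# Added example, not Nerdio's ExpiryCheck.ps1. Finds managed wildcard certs
# that are expired or expire within the 45-day threshold and checks whether
# each is in use as the RDP (TS) listener certificate.
$ManagedPatterns = 'CN=*.nerdio.net*', 'CN=*.adminportal.pro*'   # the two subjects the automation manages
$ThresholdDays   = 45
$now             = Get-Date

# Thumbprint currently bound to the RDP listener (Win32_TSGeneralSetting.SSLCertificateSHA1Hash)
$tsHash = (Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
               -ClassName Win32_TSGeneralSetting -ErrorAction SilentlyContinue).SSLCertificateSHA1Hash

$results = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $subject = $_.Subject
    ($ManagedPatterns | Where-Object { $subject -like $_ }).Count -gt 0
} | ForEach-Object {
    $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)   # negative when already expired
    [pscustomobject]@{
        Subject      = $_.Subject
        Thumbprint   = $_.Thumbprint
        NotAfter     = $_.NotAfter
        DaysLeft     = $daysLeft
        InUseForRDP  = [bool]($tsHash -and $_.Thumbprint -eq $tsHash)
        NeedsReplace = ($daysLeft -le $ThresholdDays)               # expiring within 45 days, or expired
    }
}

$results | Format-Table Subject, Thumbprint, NotAfter, DaysLeft, InUseForRDP, NeedsReplace -AutoSize

# The KB rule: replacement only fires for a managed certificate that is both
# in use and soon to expire. $shouldReplace is the "expiration check returns true" case.
$shouldReplace = [bool]($results | Where-Object { $_.NeedsReplace -and $_.InUseForRDP })
"Replacement would be triggered: $shouldReplace"
```

Custom certificates with other subjects never match $ManagedPatterns, which is how the "partner's responsibility" boundary in the noteworthy items above shows up in code: they are simply not considered.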
Downloads for NFA
- nerdio.net.cer - certificate file - Current certificate for *.nerdio.net
- adminportal.pro.cer -certificate file - Current certificate for *.adminportal.pro
- Install_AutoCert.ps1 - PowerShell script - Script to execute on DC01
Downloads for NPC
- nerdio.net.cer - certificate file - Current certificate for *.nerdio.net
- Install_AutoCertNPC.ps1 - PowerShell script - Script to execute on DC
- Install_AutoCertNPC_SG01.ps1 - PowerShell script - Script to execute on SG
- Install_AutoCertNPC_PRX.ps1 - PowerShell script - Script to execute on PRX