To replace the default PSG certificate with a CA-signed certificate, you must configure the certificate and its private key in the Windows local computer certificate store on the Connection Server or security server computer on which the PSG is running.
If you intend the PSG to use a unique certificate, you must import the certificate into the Windows local computer certificate store with an exportable private key and set the appropriate Friendly name.
If you intend the PSG to use the same certificate as the server, you do not have to follow this procedure. However, in the Windows registry you must set the server name to match the server certificate subject name and set the Friendly name to vdm.
Prerequisites
- Verify that the key length is at least 1024 bits.
- Verify that the TLS certificate is valid. The current time on the server computer must be within the certificate start and end dates.
- Verify that the certificate subject name or a subject alternate name matches the SSLCertPsgSni setting in the Windows registry. See Verify That the Server Name Matches the PSG Certificate Subject Name.
- Verify that the Certificate snap-in was added to MMC. See Add the Certificate Snap-In to MMC.
- Familiarize yourself with importing a certificate into the Windows certificate store. See Import a Signed Server Certificate into a Windows Certificate Store.
- Familiarize yourself with modifying the certificate Friendly name. See Modify the Certificate Friendly Name.
Procedure
Results
What to do next
Configure the certificate Friendly name in the Windows registry.