Add a certificate to an Advanced Server Access gateway
This topic explains how to create a certificate for the LDAP and RDP options on an Advanced Server Access gateway. The certificate must be PEM (Base-64) encoded and include the public key of the Root Certification Authority (Root CA) used to issue certificates to domain computers. This process requires admin permissions on the Active Directory (AD) domain and on the gateway.
You must also create a server authentication certificate on your Windows device.
Apply this configuration only if enterprise-managed certificates are already in place in the RDP listener. By default, the RDP listener uses a self-signed certificate.
- Access the Root CA domain certificate.
- Sign in to the Root CA for the domain.
- Go to .
- Right-click the Certification Authority in the left panel and select Properties. A properties window opens.
- In the General tab, click View Certificate. The Certificate window opens.
- In the Details tab, click Copy to file.
- Export the certificate.
- From the Certificate Export Wizard, click Next.
- Select Base-64 encoded X.509 and click Next.
- Click Browse to specify a path, and then click Next.
Okta recommends that teams use a standard naming structure that allows them to easily identify the exported certificate.
- Click Finish.
- Open the exported certificate and copy the content.
- Configure the Advanced Server Access gateway.
- Sign in to the gateway.
- Create a new trusted certs directory.
mkdir -p /etc/sft/trustedcerts
- Create a certificate file.
touch /etc/sft/trustedcerts/<domainname>.pem
- Open the created file and paste the content from the exported AD certificate.
- Configure the TrustedCAsDir option for RDP and LDAP. See Configure the Advanced Server Access gateway.
- Restart the sft-gatewayd service.
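The gateway-side steps above (create the trusted certs directory, create the <domainname>.pem file, paste the exported PEM) as one added shell example; this is not Okta's tooling, the function names are this example's own, and it only checks that the file is PEM (Base-64) encoded rather than parsing the certificate:

```shell
#!/bin/sh
# Added example (not Okta's tooling): install an exported Root CA certificate
# into the gateway's trusted certs directory, refusing anything that is not
# PEM (Base-64) encoded. Function names and the <domainname>.pem layout are
# this example's own; the directory defaults to /etc/sft/trustedcerts.

# Print the Base-64 lines between the PEM markers. Windows exports carry CRLF
# line endings, which are stripped first so the marker regexes match.
pem_body_lines() {
    tr -d '\r' < "$1" \
      | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
      | grep -v '^-----'
}

# Structural PEM check: both markers present and every body line is Base-64.
# A binary DER export or a paste that lost a marker line fails here. This does
# not parse the certificate; use openssl x509 for that where it is installed.
is_pem_certificate() {
    f="$1"
    [ -f "$f" ] || return 1
    tr -d '\r' < "$f" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    tr -d '\r' < "$f" | grep -q '^-----END CERTIFICATE-----$' || return 1
    body=$(pem_body_lines "$f" || true)
    [ -n "$body" ] || return 1
    if printf '%s\n' "$body" | grep -q -v '^[A-Za-z0-9+/=]\{1,76\}$'; then
        return 1
    fi
    return 0
}

# Usage: install_trusted_ca <exported-cert> <domainname> [trustedcerts-dir]
# Writes <dir>/<domainname>.pem (LF line endings, mode 0644) and prints its
# path; returns 1 without touching the directory if the input is not PEM.
install_trusted_ca() {
    src="$1"; domain="$2"; dir="${3:-/etc/sft/trustedcerts}"
    is_pem_certificate "$src" || { echo "not a PEM certificate: $src" >&2; return 1; }
    mkdir -p "$dir" || return 1
    dest="$dir/$domain.pem"
    tr -d '\r' < "$src" > "$dest" || return 1
    chmod 0644 "$dest" || return 1
    echo "$dest"
}
```

After the file is in place, set TrustedCAsDir for RDP and LDAP and restart sft-gatewayd as in the steps above.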
Create a Server Authentication Certificate
Follow the steps in the Create a Server Authentication certificate topic in the Microsoft documentation. The steps may differ depending on the version of Windows you're using.