Submit a request

Nerdio Help Center

SSL Certificate Maintenance - Step-by-step guide

  • Download the Install.ps1 script  
  • Run the Install.ps1 as a domain administrator on DC01 in your Azure environment 
  • Confirm that the “Certificate Replacement” scheduled task was created on the following Azure machines (make sure to run Task Scheduler as an administrator) 
    • DC01
    • RDSHXX
    • RDSCB01
    • RDGW01
    • WS00 and all existing VDI desktops


Nerdio Note

RDS Collection hosts do not require certificate updates since they communicate through the broker

PRX01 (DMZ) server certificates will be updated by Nerdio

All future Nerdio deployments will include the Certificate Replacement task by default


  • The Certificate Replacement task runs daily on each server and only replaces soon-to-expire certificates if they are * or *, and actively in use for the required roles
  • Certificates will only be replaced if they are in-use and expiring within the next 45 days (or already expired)
  • All servers/workstations, including WS00, must be powered on when running the install script to successfully update and create the task. Once the replacement task is added, certificate replacement will occur as long as the VM is powered on during the daily task replacement window at some point
  • Custom certificates (anything other than * and * are the partner’s responsibility to manage and will not be altered, replaced, or updated by this process
  • Certificate replacement window occurs between 7:30pm and 9:30pm (based on the local time of the Azure VM)
  • Thin Clients: if using certificate-secured thin clients, you can download the appropriate new certificate (only applied to * and * certificates) here


Effects on the Nerdio environment during the replacement process 

  • Certificate replacement process happens once per certificate (roughly every two years)
  • The DC01 scheduled certificate replacement task will restart the ADFS service for ~30 seconds.  If you are using ADFS for authentication, new logins will not work during this short window, but existing sessions are unaffected.
  • Thin client hardware must be updated by the partner with the new certificate before expiration 

Certificates that get updated through automation: 

  • DC01: ADFS certificates (ADFS, ADFS service communicationTS certificate 
  • RDSH: TS certificate 
  • RDSCB01: TS certificate, RD Role certificates (Redirector, Publishing, WebAccess) 
  • RDGW01: TS cert, RDGW cert, RD Web Client Broker cert
  • WSXX: TS cert


Additional information and general overview

Nerdio recommends monitoring the scheduled certificate replacement task via RMM and/or monitoring tools. It is also recommended to exclude the task and the script that it launched from any security applications.  

What to expect for the Certificate Replacement Task: 

  • C:\AutoCert will be created on each server 
  • It will contain ExpiryCheck.ps1, which is called by the daily task 
  • If the expiration check returns true, Verification and Replacement scripts will run to update the appropriate certificates 



  1. - certificate file - Current certificate for *
  2. - certificate file - New certificate for *
  3. Install.ps1 - PowerShell script - Script to execute on DC01


Was this article helpful?
0 out of 0 found this helpful


Article is closed for comments.