Update Clientless RDP SSL Certificate

Table of Contents


This article only applies if you host your Clientless RDP gateway yourself. Gateways hosted by us have SSL certificates managed by us, which are automatically renewed when necessary. The gateway will be down for a couple of minutes while replacing the certificate.


The Clientless RDP gateway requires a valid SSL certificate for CRDP to work. When the certificate has expired, you need to replace it on the Clientless RDP gateway. For this, you can use Let's Encrypt. In this article, we explain how.

A check is required if a CAA record is active on the domain, but the CAA record itself is not required. To verify if a domain has a CAA record active, you can use DNS CAA Tester. Also, a CNAME record is not required for Clientless RDP.


Update the certificate

In summary, follow the steps below. Go to the step-by-step instructions section for more detailed information.

Ubuntu 18.04 = Tomcat 8
Ubuntu 20.04 = Tomcat 9

  • Please make sure to rename the new certificate name to clientlessrdpcert.pfx. 
  • Open a session to the Clientless RDP Gateway and run the following commands: 
cd /etc/tomcat? 
sudo rm -r clientlessrdpcert.pfx 
sudo wget urltocertificate -O clientlessrdpcert.pfx 
sudo nano server.xml 
  • Search for the connector listening on 8443. Scroll to the right and update the password. 
sudo service tomcat? restart 
Please do not use special characters in your certificate password. Instead, use a password with 16 or more lowercase letters, uppercase letters and digits.

Back to top


Step-by-step instructions

1. Make sure the new certificate is in the root directory

  • You can use WinSCP to import the certificate into the root of the Clientless RDP machine.
  • You can use Wget to download the certificate from another location.
  • Please make sure to rename the new certificate name to clientlessrdpcert.pfx.

2. Remove the old certificate

  • Open a session to the Clientless RDP Gateway and run the following commands ("tomcat?" can be either 8 or 9):
cd /etc/tomcat?/
  • Type LS to check if the certificate is in the folder.
  • Remove the certificate: 
sudo rm clientlessrdpcert.pfx
  • Type LS to make sure the certificate is removed.
  • Go back to the root and copy the certificate into the Tomcat? folder by using the following command:
sudo cp CERTIFICATENAME /etc/tomcat?/clientlessrdpcert.pfx
  • Go back to /etc/tomcat?/ to make sure the certificate is in the folder.

3. Different password of the clientless RDP certificate? Change the following:

sudo nano /etc/tomcat?/server.xml
  • Go down until you see the connector port="8443". 
  • Scroll to the right and change the password (keystorePass) or press CTRL + W to find the password.
  • Save the server.xml. 

4. Restart Tomcat services

sudo service tomcat? restart
  • You can schedule the restart of Tomcat with:
sudo service tomcat? restart | at 23:30
  • Now test the gateway and certificate. 

Back to top