Just wanted to share this with the community in hopes it helps someone else in the same situation I was… before I put this together I was forced to manually enter the fingerprint into registry and set permissions
What this script will do is replace the fingerprint and set read permissions for ‘network service’ when you get a fresh certificate, instructions included… can be run as a deployment task (on success, of course)
I appreciate all feedback, perhaps how it could be improved?
Enjoy!
Interesting! So does the built-in “Deploy to RDP Listener Service” not work for you? It runs the following script: certify-plugins/RDPListenerService.ps1 at master · webprofusion/certify-plugins · GitHub
Note that if you run a powershell script task instead of a .bat script we automatically pass in the managed certificate details, including the thumbprint, to save you looking it up. Scripting | Certify The Web Docs
Honestly never even noticed that, at the bottom its noted “# TODO: need to set private key permissions?” but it does seem to give network service read permissions?
Looks like I may have wasted some time putting that script together, forgive my apparent ignorance 
Thanks, the private key permissions issue just depends on the accounts that are in use, most of the time you don’t need to set permissions but it depends on which service accounts are using the certificate (and whether they can in turn read the private key or not).