There are two good guides on how to install a commercial certificate, to replace the self-signed generated by Remote Desktop Services, and avoid warning messages, but they both leave steps out. Here are all the steps.
1. Generate a private key and certificate request
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
2. Get it signed by a commercial certificate authority
3. Convert your key, certificate, and Certificate Authority chain to a pfx file for Windows
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Don’t double-click the resultant “certificate.pfx” file. It will always put it into your personal certificate store, when you want it in the computer certificate store.
4. Install certificate – Open command-line, mmc, Add/Remove snap-in, Certificates, Computer Account, Local Computer
Expand Certificates (Local Computer), Personal, Certificates. Right click in right pane, All Tasks, Import…
Import your pfx file. Make sure the private key is included.
5. You need the thumbprint of the certificate. Double-click the certificate to view it in the mmc, and choose the Details tab. At the bottom is the Thumbprint. Copy it to Notepad, and remove the Question mark at the beginning, and all the spaces. It should be a string like “6adbb56632cc476ad790d899f2c34c42c1881590”
6. This link explains the command to use the CA cert instead of the self-signed, http://www.weaklink.org/2015/05/tls-certificate-for-windows-88-1-remote-desktop-service/
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "SSLCertificateSHA1Hash" /t REG_BINARY /d 6adbb56632cc476ad790d899f2c34c42c1881590
7. You must also allow the RDP service the rights to view the private key. Microsoft explains the ACL necessary, https://support.microsoft.com/en-us/kb/2001849
Click Start, click Run, type mmc, and click OK.
On the File menu, click Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and click Add.
In the Certificates snap-in dialog box, click Computer account, and click Next.
In the Select Computer dialog box, click Local computer: (the computer this console is running on), and clickFinish.
In the Add or Remove Snap-ins dialog box, click OK.
In the Certificates snap-in, in the console tree, expand Certificates (Local Computer), expand Personal, and navigate to the SSL certificate that you would like to use.
Restart Remote Desktop Services, or Restart the computer, and the next time you use the RDP, it will not complain about the certificate.