With Microsoft deprecating SHA-1 I recently had to replace our RDS (Remote Desktop Services) environments certificates. This process was much easier than I expected, here are the steps I took.
1. Obtain your new certificate from a third-party vendor such as Go-Daddy. I used a wild card certificate in my environment. Info to create the cert request can be found here.
2. Import the new certificate and private key to the RDS Gateway, Connection Brokers and Licensing Servers Private Store.
Note: once i recieved the certificate back from Go-Daddy I had to import the crt file to the server I used to make the request and then export it to export with Private Key (.pfx file).
3. Connect to the Connection Broker and launch Server Manager.
4. On the overview page drop down Tasks and select 'Edit Deployment Properties'.
5. On the Certificates Tab go through each certificate and click select existing certificate. Then browse to your .pfx file and it should import successfully.
It did not kick off existing users in the RDS farm and did not require a reboot. To be safe i checked on the Gateway Servers settings and ensured the RDWeb Website was using the new Certificate.
Note: I did not have to do anything on the Connection Host Servers.