5.3.3.2 X.509 Certificate Chains
X.509-compliant certificates are issued to servers upon request by Domain or Enterprise License Servers and are required to issue client licenses (see [MS-RDPELE] for more information on RDP Licensing). An X.509 Certificate Chain consists of a collection of certificates concatenated together in root-certificate-first order. This eliminates the need to scan the chain to the end to get the root certificate for starting chain validation. The last certificate is the certificate of the server; the second-to-last is the license server's certificate, and so forth. More details on the structure of the chain and the component certificates are in [MS-RDPELE] section 2.2.1.4.2.
Servers send the X.509 Certificate Chain to clients in the Server Security Data (section 2.2.1.4.3) settings block during the Basic Settings Exchange phase of the RDP Connection Sequence (section 1.3.1.1). A server that has not yet been issued an X.509 Certificate Chain will fall back to using a Proprietary Certificate (section 2.2.1.4.3.1.1). Proprietary Certificates are always used when an RDP 4.0 client connects to a server (the client version can be determined from the Client Core Data (section 2.2.1.3.2)).