Right, first of all, I've got to admit, certificates are not my strong point.

I've got a TS RemoteApp server. Apps are published to a .rdp file which is sat on my home access plus page, so people can just click them and log in to load an application. My problem, though, is that I'm presented with a popup box that says "The publisher of this RemoteApp program cannot be identified." Obviously users can just click Connect to bypass it, but I'd like to do this properly and get rid of it altogether.

The "Remote computer" is going to "mail.domain.net"; this has an address that is forwarded through ISA to the relevant server and port.
The "Gateway server" is going to "tsgateway.domain.local"; this server is the server mail.domain.net is going to, where mail.domain.net is the external name of this server, if you will.

Everything is using self-signed certificates, which I assume is the issue. I have a *.domain.net wildcard certificate, but I think I need a different certificate in order to do what I want, as I can't select that one when it asks me to sign the .rdp file with a certificate.

Am I right in thinking I need to buy a certificate specific for that server in order to sign the .rdp files with it and have that popup not appear every time?