RDC (Remote Desktop Connection)
Origin: Me

If you are annoyed by having to click through and accept an unknown, or at least untrusted, SSL certificate each time an RDP (Remote Desktop Protocol) connection is negotiated, you can provide your own SSL certificate for it. This can either be a purchased one for your public domain or just a common, locally-used certificate.

This guide shows how to assign your certificate to the RDP connection of a Microsoft Windows Server 2016 Standard (Build 14393).

First of all: If you are just hosting an internal Windows server (either physically or on a virtual machine) that has no access to the internet, you do not need a certificate at all, assuming you trust yourself and your firewall. But as soon as you make your system accessible from a public network and others use your server, a certificate assures them of a secure connection and a secure transfer of their data.

Follow these steps to assign a certificate to your RDP connection:

  1. Think about a fitting domain name for your server. If the server will be provided to external users, this is probably your public domain name (e.g. rdp.sbuechler.de), which is usually defined by the DNS name that you can set in your hosting provider's management console. If it is provided internally, you can choose an arbitrary domain name (e.g. intern.myTest.de). You can set the domain name of your server in the computer properties.
  2. Create a certificate yourself with OpenSSL or have it issued by a common Certificate Authority (like Let's Encrypt, DigiSign, etc.). The Subject of the certificate must be equal to the domain name you defined in the previous step.
  3. Activate the RD license server: The RD (Remote Desktop) Services license server issues client access licenses (CALs) to users and devices when they access the RD Session Host. You can activate the license server by using the Remote Desktop Licensing Manager [2].
  4. If not done yet, convert your certificate files into the industry-standard PKCS#12 format: How to convert certificate *.pem to *.pfx files (coming soon)
  5. Now you are able to install your converted certificate into the certificate store of your server. Make sure to install it at computer level, not at user level.
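  6. In order to assign the imported certificate to your RDP connection, we first need the thumbprint of your certificate. Get it by executing the following command in Windows PowerShell:
    # List the certificates in the computer's personal store with their thumbprints
    Get-ChildItem "Cert:\LocalMachine\My"
    Copy the thumbprint of your certificate to a temporary text file; we'll need it later.
  7. Now we store the WMI path of the RDP listener settings in the variable $PATH (a PowerShell variable, not the PATH environment variable):
    # Select the RDP-Tcp listener and keep its WMI object path
    $PATH = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH
  8. The final step is to set our new certificate to be the active one of the RDP listener. Make sure to replace the value of SSLCertificateSHA1Hash ("thumbprint") with the value you previously stored in your temporary text file:
    # Bind the certificate to the listener by its SHA-1 thumbprint
    Set-WmiInstance -Path $PATH -argument @{SSLCertificateSHA1Hash="thumbprint"}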
  9. Done! Your next connection attempt over RDP will no longer prompt you to trust an untrusted or unavailable SSL certificate.
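
Steps 5 to 8 combined into one script, as an added example that is not part of the original guide or of the referenced workaround. The PFX path and the host name are placeholder assumptions; the script also checks the certificate before binding it and reads the listener setting back afterwards.

```powershell
#Requires -RunAsAdministrator
# Assumed placeholders (not from the guide): adjust to your environment.
$PfxPath  = 'C:\certs\rdp.pfx'     # hypothetical path to the PKCS#12 file from step 4
$HostName = 'rdp.example.com'      # the domain name chosen in step 1

# Step 5: import into the computer store (LocalMachine\My), not the user store.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# Sanity checks before touching the listener.
if (-not $cert.HasPrivateKey) {
    throw 'Certificate was imported without its private key.'
}
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate is only valid from $($cert.NotBefore) to $($cert.NotAfter)."
}
# GetNameInfo returns the first DNS name of the certificate (SAN, else subject CN).
$dnsName = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $HostName) {
    Write-Warning "Certificate name '$dnsName' differs from '$HostName'; clients will still be prompted."
}

# Steps 6 to 8: bind the thumbprint to the RDP-Tcp listener via WMI.
$query = @{
    Class     = 'Win32_TSGeneralSetting'
    Namespace = 'root\cimv2\terminalservices'
    Filter    = "TerminalName='RDP-Tcp'"
}
$listener = Get-WmiObject @query
Set-WmiInstance -Path $listener.__PATH `
    -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Verify: read the setting back and compare it with the imported certificate.
$active = (Get-WmiObject @query).SSLCertificateSHA1Hash
if ($active -ne $cert.Thumbprint) {
    throw 'RDP listener is not using the new certificate.'
}
"RDP listener now presents $($cert.Subject) [$active], valid until $($cert.NotAfter)"
```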

 

Props go out to Bogdan Lashkov who has figured out this workaround [1].

 

Sources

[1]: Serverfault.com - how-install-ssl-certificate-for-rds-on-windows-server-2016

 

Related / Read more

Save RDP file (winaero.com)

RDS Activate License Server
