When I connect to a Windows Machine via Remote Desktop Connection, I always get a wrong-cert warning. This is annoying!
It was never so easy to get free certs as it is today. I have used the services of startssl.com and letsencrypt.org, each of which has its pros and cons. At work we also have commercial certs. Whatever you choose is up to you.
I prefer to generate my certs on a Linux box and export them into a PKCS-12 container:
- Create a certificate signing request (as you can see I always create a new private key as well and save the file with a proper name):
openssl req -nodes -newkey rsa:4096 -keyout "server-year.key" -out "server-year.csr"
- Have the CSR file signed by your CA.
- Create a PKCS-12 container from the signed certificate, the CA chain and the private key:
openssl pkcs12 -export -in "server-year.pem" -chain -CAfile "$HOME/SSL/CA-PATH.pem" -inkey "server-year.key" -out "server-year.p12"
- Now copy the .p12 file to your Windows machine.
- Open an administrative PowerShell.
- Import the .p12 file into the machine store:
Import-PfxCertificate -Exportable -CertStoreLocation cert:/LocalMachine/My -Password (Read-Host -Prompt "Password" -AsSecureString) -FilePath C:\PATH\TO\YOUR\server-year.p12
- Get the thumbprint of your machine cert (select only currently valid certs, otherwise you'll end up with old certs as well):
$date = Get-Date
$thumb = (gci -path cert:/LocalMachine/My | where {$_.Subject -like '*YOUR-DOMAIN*' -and $_.NotBefore -lt $date -and $_.NotAfter -gt $date}).Thumbprint
- Update which cert is used for RDP-tcp connections:
$tsgs = gwmi -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
swmi -path $tsgs.__path -argument @{SSLCertificateSHA1Hash="$thumb"}
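The Windows half of the procedure above as one script, added here as an example and not part of the original post: it picks the newest currently valid certificate with a private key and the Server Authentication EKU, binds it to the RDP-tcp listener, and reads the setting back to confirm. '*YOUR-DOMAIN*' is a placeholder for your own certificate subject.

```powershell
# Added example, not from the original post. Run in an administrative PowerShell
# after Import-PfxCertificate. '*YOUR-DOMAIN*' is a placeholder for your subject.
$SubjectPattern = '*YOUR-DOMAIN*'
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'   # EKU "Server Authentication"
$now = Get-Date

# Keep only certs that are valid right now, carry a private key and list the
# Server Authentication EKU (a cert with no EKU extension is filtered out too).
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like $SubjectPattern -and
        $_.NotBefore -lt $now -and $_.NotAfter -gt $now -and
        $_.HasPrivateKey -and
        (($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.EnhancedKeyUsages.Value }) -contains $ServerAuthOid)
    } |
    Sort-Object -Property NotBefore -Descending

if (-not $candidates) {
    throw "No currently valid server-authentication certificate matching '$SubjectPattern' found."
}
$cert  = $candidates | Select-Object -First 1   # newest one wins after a renewal
$thumb = $cert.Thumbprint
Write-Host "Using $($cert.Subject), expires $($cert.NotAfter), thumbprint $thumb"

# Bind the certificate to the RDP-tcp listener (same WMI class as the post).
$tsgs = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
Set-WmiInstance -Path $tsgs.__PATH -Arguments @{ SSLCertificateSHA1Hash = $thumb } | Out-Null

# Read the setting back instead of assuming the write took effect.
$applied = (Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SSLCertificateSHA1Hash
if ($applied -ne $thumb) {
    throw "RDP-tcp still uses $applied, expected $thumb. A common cause is that NETWORK SERVICE (Remote Desktop Services) cannot read the private key."
}
Write-Host "RDP-tcp now presents $thumb"
```

Re-running the script after importing a renewed certificate switches the listener to the new one, since the newest valid certificate is selected each time.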