Windows – Using CA certificate for Remote Desktop Connection

rdpremote desktopssl-certificatewindowswindows-server-2012-r2

I’m connecting over the web to a remote Windows Server 2012 R2 via Remote Desktop Connection for administration needs. It is a single web and database server without an AD etc.

I’m not talking about Remote Desktop Services / Terminal Server, just the simple Remote Desktop feature activated through Control Panel > System > Remote Settings.
The server will automatically create a self-signed certificate to encrypt the connection and the Remote Desktop Connection client will show a certificate error due to the untrusted CA.

I have a CA signed certificate issued to the FQDN of this server and valid for server authentication (I’m using it for MSSQL Server remote access).

I’d like to use that one for RDP connections too. All tutorials (like this question) I’ve found so far describe the process for the Remote Desktop Services or Terminal Service. I have found this question stating a wmic command to set a certificate, but I don't want to try setting some values when I don't know what exactly I'm doing.
What I have done is adding it to the Remote Desktop Certificates of Local Computer where the auto generated self-signed is located too.

Is that possible? If yes, what do I have to do?

Thanks!

Best Answer

The question you found that mentions using wmic to set the certificate thumbprint value should work without any additional feature installation. I asked and answered a similar question here with a little more detail. It also has a PowerShell equivalent for the wmic command. But I'll add some more explanation here as well.

Since you're already using this certificate for MSSQL SSL, I assume it's already installed into one of the certificate stores on the system. If you installed it in the context of a service account that MSSQL is running as, you might also need to install it into the Personal or Remote Desktop store for the "Local Computer" as well.
enter image description here

Once it's in there, you just need to update the SSLCertificateSHA1Hash value in Win32_TSGeneralSetting to point to it using one of the commands in my previous question.

If you want to check what the value is currently set to and compare it to the self-signed certificate, you can change the wmic command to the following. You can also use this to validate that the new thumbprint value you tried to set is correct.

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash

The output should look something like this:
enter image description here

Related Topic