RDP SSL Certificate

All,

I am currently configuring RDP SSL certs manually on Windows 2003 servers using the process below:

Open the TS Configuration window.

Double-click on RDP-Tcp to open its properties.

From the General tab, click the 'Select' button. A dialog box automatically shows the certificate that I had already installed; click 'OK'.

So please point me to any scripts, command line tools, registry hacks, or group policies that I could use to automate this certificate selection step.

Thanks,

July 12th, 2012 5:18pm

I would think adding the certificate to the certificate store would help, but I would need to dig out the old material to figure out how to install the certificate to work with RDP SSL. Yes, from connecting to a remote server on my work network, it appears to ask the RDP client for a certificate; you need to import it into the certificate store (if you have the certificate copied to a share this would be easy) to prevent this.

P.S. What's TS?

I'm trying to remember command lines to import the certificate, but the process is listed above because I did it once for my computer security class and some other scen

July 12th, 2012 7:42pm

The question is "how to assign a "Host Authentication" certificate to a Terminal Server without using the GUI".

I don't think this can be done. Adding a cert to the store is trivial.

Of course the request for an RDP SSL cert is not the same as a TS cert. The post may be asking how to set up SSL on "Remote Desktop Web Access".

http://technet.microsoft.com/en-us/library/cc731923.aspx

This is set up automatically during install. If you just want to change or add a cert to the server then you can use the ADSI IIS provider.

The OP says it is a WS2003 TS so we cannot do this with ADSI and it is not web based. The request is how to set up the certificate for server identification, which has nothing to do with SSL.

Here is a method that I think will work on WS2003R2. It will not work on Standard edition due to missing WMI parts.

http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx

July 12th, 2012 8:32pm
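As an added example (not code from the thread or from the linked MSDN post), here is the WMI route JRV points at, written as a PowerShell script that first checks the certificate is one the listener can actually present (private key, validity period, Server Authentication EKU, DNS name matching this host) and then reads the binding back instead of trusting the write. It assumes the root\cimv2\TerminalServices namespace is available on the host, which per the thread rules out 2003 Standard.

```powershell
# Added example, not code from the thread or from the linked MSDN post.
# Picks a listener certificate from LocalMachine\My that RDP can actually use
# and binds it through the Win32_TSGeneralSetting WMI class.
# Assumes the root\cimv2\TerminalServices namespace exists on this host.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$HostFqdn      = [System.Net.Dns]::GetHostEntry('').HostName
$now           = Get-Date

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open('ReadOnly')
$candidates = @($store.Certificates | Where-Object {
    # 2.5.29.37 is the Extended Key Usage extension; .NET types it as X509EnhancedKeyUsageExtension
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    $dns = $_.GetNameInfo('DnsName', $false)
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid }) -and
    (($dns -ieq $HostFqdn) -or ($dns -ieq $env:COMPUTERNAME))
})
$store.Close()

# Prefer the certificate that stays valid longest
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable Server Authentication certificate for $HostFqdn in LocalMachine\My" }

$ns = 'root\cimv2\TerminalServices'
$ts = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null
# Same hardening the thread's reg add lines apply: SSL/TLS security layer (2), High encryption (3)
$ts.SetSecurityLayer(2)   | Out-Null
$ts.SetEncryptionLevel(3) | Out-Null

# Read the listener back rather than trusting the write
$bound = (Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($bound -ne $cert.Thumbprint) { throw "Listener reports $bound, expected $($cert.Thumbprint)" }
"RDP-Tcp now presents $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"
```

Run it elevated; the new certificate is used for the next connection, existing sessions keep the old one.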

Thanks for the information, I accomplished this requirement using CAPICOM.

Regards,

Manikandan

July 19th, 2012 10:10pm

Thanks for the information, I accomplished this requirement using CAPICOM.

Regards,

Mani

July 19th, 2012 11:00pm

In my case I use CAPICOM to query the thumbprint from the cert store and a reg update sequence to bind it.

E.g. I appended a VB script to query the thumbprint of an RDP Cert template from the local store and bind it to the listener.

Option Explicit
On Error Resume Next
' CAPICOM store constants (only the ones this script uses)
Const CAPICOM_MY_STORE = "My"
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_STORE_OPEN_READ_ONLY = 0
Dim oCert, oStore, strKeyPath, strRDPThumb, WshShell
Dim strExe1, strExe2, strExe3, Return1, Return2, Return3
strKeyPath = "HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp"
strRDPThumb = ""
Set WshShell = WScript.CreateObject("WScript.Shell")
Set oStore = CreateObject("CAPICOM.Store")

If Err.Number <> 0 Then
    WScript.Echo "CAPICOM NOT FOUND"
    WScript.Quit(1)
End If

' Look for a certificate issued from the "RDP Certificate" template in LocalMachine\My.
' Certificates without a template raise on .Template.Name; On Error Resume Next skips them.
oStore.Open CAPICOM_LOCAL_MACHINE_STORE, CAPICOM_MY_STORE, CAPICOM_STORE_OPEN_READ_ONLY
For Each oCert In oStore.Certificates
    If InStr(1, Trim(UCase(oCert.Template.Name)), Trim(UCase("RDP Certificate")), 1) > 0 Then
        strRDPThumb = LCase(oCert.Thumbprint)
    End If
Next

' An unassigned variable is Empty, not Null, so the original IsNull test never fired; test the string instead
If strRDPThumb = "" Then
    WScript.Echo "No Valid RDP Certificate Found"
    WScript.Quit(1)
End If

' Bind the thumbprint (20-byte SHA-1 as REG_BINARY) and require SSL/TLS (SecurityLayer 2) with High encryption (3)
strExe1 = "cmd /c REG ADD " & Chr(34) & strKeyPath & Chr(34) & " /v SSLCertificateSHA1Hash /t REG_BINARY /d " & Chr(34) & strRDPThumb & Chr(34) & " /f"
strExe2 = "cmd /c REG ADD " & Chr(34) & strKeyPath & Chr(34) & " /v SecurityLayer /t REG_DWORD /d " & Chr(34) & "2" & Chr(34) & " /f"
strExe3 = "cmd /c REG ADD " & Chr(34) & strKeyPath & Chr(34) & " /v MinEncryptionLevel /t REG_DWORD /d " & Chr(34) & "3" & Chr(34) & " /f"

Return1 = WshShell.Run(strExe1, 1, True)
If Return1 = 0 Then
    Return2 = WshShell.Run(strExe2, 1, True)
    Return3 = WshShell.Run(strExe3, 1, True)
Else
    ' Echo before quitting; the original quit first, so the message was never shown
    WScript.Echo "RegError"
    WScript.Quit(1)
End If

 

July 19th, 2012 11:35pm

Oh! You are using the registry to add the cert, not CAPICOM.

That might work but you are doing way too many bits. Try this:

Option Explicit
Const strKeyPath = "HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp"
Dim oCert, oStore, shell, found
found = False
Set shell = WScript.CreateObject("WScript.Shell")
Set oStore = CreateObject("CAPICOM.Store")
oStore.Open 1, "ca"   ' 1 = CAPICOM_LOCAL_MACHINE_STORE
For Each oCert In oStore.Certificates
    If InStr(LCase(oCert.SubjectName), "root agency") Then
        ' RegWrite only takes integer data for REG_BINARY, so the 20-byte thumbprint has to go in through reg.exe
        shell.Run "reg add """ & strKeyPath & """ /v SSLCertificateSHA1Hash /t REG_BINARY /d " & oCert.Thumbprint & " /f", 0, True
        shell.RegWrite strKeyPath & "\SecurityLayer", 2, "REG_DWORD"
        shell.RegWrite strKeyPath & "\MinEncryptionLevel", 3, "REG_DWORD"
        found = True
    End If
Next
If Not found Then
    WScript.Echo "Certificate not found"
End If

July 20th, 2012 12:14am

JRV, both work great. Thank you!!

Hey, I am now working on adding offline certs to the servers that are not reachable from the CA and binding them to the listener using the above reg add.

Do you have any scripts for adding offline certs as well? Thought of checking before I create one...

July 20th, 2012 3:05pm

No - what are you calling offline certs?

AD can distribute certs for you.

July 20th, 2012 3:16pm

I have a few servers not reachable from the CA / DC using GPO due to port restrictions, so I created the certs manually for them and placed them in a share.

As part of scripting, I need to pick up the certs based on host name from the share, add them to the local system store and then execute the above reg add process. I hope this can be achieved using the CAPICOM add method or using certutil. Since I have packaged my existing scripts using CAPICOM, I thought of integrating the same... Any suggestions?

July 20th, 2012 3:35pm
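For the offline-PFX case asked about above, an added example (not the poster's script or anything from the thread) that fetches the host-named PFX from a share, checks it is something the listener can present, imports it into LocalMachine\My with the key in the machine key set, and then performs the same registry binding the thread uses. The share path and the <hostname>.pfx naming are assumptions; revocation checking is skipped because the host cannot reach the CA.

```powershell
# Added example, not code from the thread. Imports this host's PFX from a share,
# validates it, adds it to LocalMachine\My, and binds it to the RDP-Tcp listener.
# Assumed layout: <share>\<hostname>.pfx; the share path below is a placeholder.
param(
    [string]$CertShare = '\\fileserver\rdpcerts',   # placeholder, not from the thread
    [string]$HostName  = $env:COMPUTERNAME
)
Set-StrictMode -Version 2
$pfxPath = Join-Path $CertShare "$HostName.pfx"
if (-not (Test-Path $pfxPath)) { throw "No certificate file at $pfxPath" }

$pfxPassword = Read-Host -Prompt "Password for $pfxPath" -AsSecureString
# MachineKeySet + PersistKeySet: the private key lands in the machine's key container and outlives the script
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfxPath, $pfxPassword, $flags

if (-not $cert.HasPrivateKey) { throw 'PFX contains no private key; the listener could not use it' }
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    throw 'Certificate has an EKU extension without Server Authentication'
}
# No route to the CA from here, so skip revocation but still insist on a trusted chain
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain does not validate on this host ($why); clients will get a trust prompt"
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open('ReadWrite')
if (-not ($store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })) { $store.Add($cert) }
$store.Close()

# Bind: SSLCertificateSHA1Hash is the 20-byte SHA-1 thumbprint stored as REG_BINARY
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$bytes = [byte[]](0..19 | ForEach-Object { [Convert]::ToByte($cert.Thumbprint.Substring(2 * $_, 2), 16) })
Set-ItemProperty -Path $key -Name SSLCertificateSHA1Hash -Value $bytes -Type Binary
Set-ItemProperty -Path $key -Name SecurityLayer -Value 2 -Type DWord       # 2 = SSL/TLS
Set-ItemProperty -Path $key -Name MinEncryptionLevel -Value 3 -Type DWord  # 3 = High
"Imported and bound $($cert.Subject) ($($cert.Thumbprint)) from $pfxPath"
```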

CAPICOM is not installed on all systems. I believe certutil is now included in the .NET Framework.

You cannot have a domain machine with ports restricted such that GPO will not work. Somebody is funning with you on that one. If they are not domain machines then AD will not distribute certs to them, nor will it apply Group Policy.

July 20th, 2012 3:42pm

Yep, I have packaged the script to verify the CAPICOM existence and register it if not found. Regarding the connectivity issue: I have multiple segments with separate DC infra for each segment and a common CA. Unfortunately the connectivity between one of the DC infras and the CA is blocked, hence the script workaround.

July 20th, 2012 3:56pm

Why not just add the cert to AD and let AD add it to the machines?

Each machine in AD can have an identity cert which can be used for RDP. I know it is nicely automatic with an Enterprise CA but it can still be done without access to the CA. It would seem that this would accomplish distribution and maintenance in a far more Windows-like way.

July 20th, 2012 4:01pm

May I ask why, on 2003 servers, the RDP SSL certs need to be bound manually to Terminal Services? Does Group Policy not support this?
March 13th, 2013 12:47am

I have written this PowerShell version 2 script on Windows 2008 R2 - it's messy with debug code - but it seems to work - (please be gentle when commenting on the way I set the array up)

I guess it assumes a certificate has already been assigned (hopefully the self-signed one) and that an externally signed certificate has been enrolled and placed in the store.

It gets the certificate with the latest expiry date (I think) and assigns it - I'm unsure if I should check any other properties of the certificate.

# The store name is "My" in LocalMachine (the forum's URL filter forced the original to be written with spaces)
$CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", "LocalMachine"
$CertStore.Open('ReadOnly')
$MaxDate = Get-Date
$TP = $null
foreach ($a in $CertStore.Certificates)
{
    $a | Format-List    # debug: dump every certificate examined
    # The listener can only present a certificate whose private key is in the machine store
    if ($a.HasPrivateKey -and $a.NotAfter -gt $MaxDate)
    {
        $MaxDate = $a.NotAfter
        $TP = $a.Thumbprint
        "Selected $TP $MaxDate"
    }
}
$CertStore.Close()
if (-not $TP) { throw "No certificate with a private key found in LocalMachine\My" }

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Current binding, for comparison (absent until a certificate has been bound once)
$data = (Get-ItemProperty -Path $key -Name SSLCertificateSHA1Hash -ErrorAction SilentlyContinue).SSLCertificateSHA1Hash
$data

# A SHA-1 thumbprint is 40 hex digits; the registry wants the same 20 bytes as REG_BINARY
if ($TP.Length -ne 40)
{
    "Unexpected thumbprint length: $TP"
}
else
{
    $bytes = New-Object byte[] 20
    for ($i = 0; $i -lt 20; $i++)
    {
        $bytes[$i] = [byte] "0x$($TP.Substring(2 * $i, 2))"
    }
    Set-ItemProperty -Path $key -Name SSLCertificateSHA1Hash -Value $bytes -Type Binary
}

July 14th, 2015 8:47pm

I think you are three years too late.  This thread was closed three years ago.

Sorry...

July 14th, 2015 9:21pm
