Add SSL certificate for RDP sessions

I use Microsoft Remote Desktop and RDP into servers all day. Often, when I do this, I'm greeted with this error:


Self-signed "Verify Certificate" warning message

Self-signed "Verify Certificate" warning message

It's not really an error, but it bugs me, and we have a certificate we can use for this server. It's a wildcard cert that can be used on all of our servers, intended for server authentication. So, let's use it for that.

Here's how to fix this message and properly authenticate your servers when connecting over RDP:

Before you begin:

  1. Get a valid SSL cert for this server. I'm not going to cover this here; GeoTrust and similar have great tutorials on this.

  2. Download the certificate as a PKCS12 format, or convert it. From GeoTrust, we got a PKCS7 file, so we had to convert it. If you trust their site, SSLShopper has an easy to use online converter. I don't recommend doing an online conversion since the main advantage, for us, of the PKCS12 file is that you can include your private key. Still, if you don't know how to convert it via openssl or similar, online conversion isn't the worst thing you could do.
  3. Once you have a PKCS12 ssl certificate, copy it to your server and let's begin.


Adding the certificate to the server:

1. Open a new mmc console (start->run and type 'mmc').

2. Add a new snap in.

Addremove snap in.png

3. Add the Certificates snap in. When prompted, choose the computer account, and local computer.

4. Find the PKCS12 ssl certificate you uploaded to this server. Right click on it and choose Install PFX.


5. If there's a password, enter it in the wizard, then choose to import the certificate into the Personal store.

6. You should now have a certificate installed into your Personal store. Check to make sure it's there and that the "Intended Purposes" lists "Server Authentication".


Assigning the certificate:

With the certificate in place, we just have to tell the server to now use this certificate when connecting through RDP. Normally this would be easy thought the Remote Desktop Services server role, and similar things, but for servers that we're only connecting as an admin we don't want that sort of overhead on the server. Fortunately, we can make the change without need for the server role.

1. Get the thumbprint of the ssl certificate. You can get this by double clicking on the certificate in the mmc window you should still have open. Go to the Details tab and scroll to the bottom to get the thumbprint.

certificate thumbnail.png

2. Open a command prompt as an administrator, and run this wmic command:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

Note that when I copy/paste from the certificate window, the paste often ends up with a leading question mark. You'll want to remove this from the command line when you enter it in here.

If things go right, you should see the following:



You should be done. You've now installed the certificate onto the server, and told the terminal services (RDP) service to use this new SSL certificate. When you connect to the server you shouldn't get the certificate warning anymore, though be careful to connect to the name on the cert, not a short name or alias - if you do, you'll get a new warning about a name mismatch on the certificate.