Add SSL Cert to RDP Session

When I connect to a Windows Machine via Remote Desktop Connection, I always get a wrong-cert warning. This is annoying!

It was never so easy to get free certs as it is today. I have used the services of and which have both their pros and cons. At work we also have commercial certs. Whatever you choose is up to you.

I prefer to generate my certs on a linux box and export them into a PKCS-12 Container:

  1. Create certification signing request (as you can see I always create new private keys as well and save the file with a proper name):

    openssl req -nodes -newkey rsa:4096 -keyout “server-year.key” -out “server-year.csr”

  2. Let the csr file be signed by your CA.
  3. Create a PKCS-12 Container:

    openssl pkcs12 -export -in “server-year.pem” -chain -CAfile “$HOME/SSL/CA-PATH.pem” -inkey “server-year.key” -out “server-year.p12”

  4. Now copy the .p12 file to your windows machine.
  5. open an administrative Powershell.
  6. Import the .p12 file:

    Import-PfxCertificate -Exportable -CertStoreLocation cert:/LocalMachine/My -Password (Read-Host -Prompt “Password” -AsSecureString) -FilePath C:\PATH\TO\YOUR\server-year.p12

  7. Get the Thumbprint of your machine cert (get only current certs, otherwise you’ll end up with old certs as well):

    $date = Get-Date
    $thumb = (gci -path cert:/LocalMachine/My | where {$_.Subject -like ‘*YOUR-DOMAIN*’ -and $_.NotBefore -lt $date -and $_.NotAfter -gt $date}).Thumbprint

  8. Update which Cert to be used for RDP-tcp connections:

    $tsgs = gwmi -class “Win32_TSGeneralSetting” -Namespace root\cimv2\terminalservices -Filter “TerminalName=’RDP-tcp'”

    swmi -path $tsgs.__path -argument @{SSLCertificateSHA1Hash=”$thumb”}

Leave a Reply

Your email address will not be published. Required fields are marked *