How do I find my remote desktop certificate?

Steps to replace the default self-signed RDP certificate to fix the vulnerability detected by the Nessus scanner

You will see the following error message when connecting to a remote server via Remote Desktop [RDP] because the default self-signed SSL certificate is in use

  1. Right click on Certificate Templates and select Manage

  2. Highlight Computer and right click to select Duplicate Template

  3. Change the Template Name to RDS

  4. Select Extensions – Application Policies and remove all the existing Application Policies

Click Add to include the following

  • Name = Remote Desktop Authentication
  • Object Identifier = 1.3.6.1.4.1.311.54.1.2

  5. Right click Certificate Templates and select New – Certificate Template to Issue, then select the RDS template

  6. Verify RDS is shown under Certificate Templates

Open Group Policy Management and edit the Default Domain Policy to apply the Certificate Template to all servers in the AD Domain

Go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Server Authentication Certificate Template and enter the Template Name that you created

Go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require use of specific security layer for remote [RDP] connections and change the Security Layer to SSL

Run “gpupdate /force” and Restart Remote Desktop Services to force the settings to be applied immediately

  # Force GPO to update immediately
  gpupdate /force

  # Restart RDS Service
  Restart-Service TermService

The RDS Authentication Certificate is installed successfully in Certificates – Local Computer

There is NO SSL certificate error now when you log in to the remote server by its FQDN via Remote Desktop

Open Certificate Authority and modify the RDS Template following the steps below

  1. Change the Compatibility to
  • Certification Authority – Windows Server 2008 R2 or above
  • Certificate Recipient – Windows 7 / Server 2008 R2 or above

  2. Go to Subject Name and select Supply in the request and Use subject information from existing certificate for autoenrollment renewal requests

Request RDS Certificate from Server

Open Certificates – Local Computer with certlm.msc and select Create Custom Request

Select RDS Template

Click Properties

Select Common Name and enter the FQDN of the Server

Enter a Friendly Name to identify this certificate

Save the Offline Request

Login to //CA_SERVER/certsrv and select Request a Certificate

Select Advanced Certificate Request

Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Paste the content of Offline Request and select RDS as Certificate Template

Download and import to Certificate – Local Computer

Check the Thumbprint of the RDS Certificate

  Set-Location Cert:\LocalMachine\my
  Get-ChildItem

  Thumbprint                                Subject
  ----------                                -------
  AA439E86EA877521C5A98460DBEBA70CC28C70E6  CN=ib-ccdb.ibernas.plgroup.com.my

Replace the default self-signed certificate with the RDS certificate

  # Replace Certificate for RDS
  wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="AA439E86EA877521C5A98460DBEBA70CC28C70E6"

Verify the RDS Certificate is installed successfully

  Get-WmiObject "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

  SecurityLayer              : 2
  SSLCertificateSHA1Hash     : AA439E86EA877521C5A98460DBEBA70CC28C70E6
  SSLCertificateSHA1HashType : 3
  Status                     :
  TerminalName               : RDP-Tcp
  TerminalProtocol           : Microsoft RDP 8.0
  Transport                  : tcp
  UserAuthenticationRequired : 1
  WindowsAuthentication      : 0
  PSComputerName             : IB-CCDB

The new RDS certificate is now presented when we connect to the server via Remote Desktop
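The thumbprint lookup, wmic bind and verification above as one PowerShell script (an added example, not code from the original post): it selects the certificate by the Remote Desktop Authentication EKU OID instead of pasting a thumbprint by hand, applies the same Win32_TSGeneralSetting change through CIM, and reads the listener back. It assumes an elevated Windows PowerShell session on the RD Session Host and that the certificate's CN or SAN is the host FQDN entered in the request; the function names are my own.

```powershell
# Added example, not the page's own code: find the certificate issued from the RDS
# template and bind it to the RDP-Tcp listener, then read the setting back.
# Assumptions: elevated Windows PowerShell on the RD Session Host; the certificate
# carries the Remote Desktop Authentication EKU OID given on the page, and its CN
# (or a SAN dNSName) is the host FQDN. Function names are hypothetical.
$RdpAuthOid = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication (OID from the page)

function Find-RdpCertificate {
    param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        # Collect every EKU OID on the certificate
        $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
        $cert.HasPrivateKey -and                                    # RDS needs the private key
        $cert.NotBefore -le $now -and $cert.NotAfter -gt $now -and  # currently valid
        $ekus -contains $RdpAuthOid -and                            # issued from the RDS template
        $cert.GetNameInfo('DnsName', $false) -eq $Fqdn              # name the client connects to
    } | Sort-Object NotAfter -Descending | Select-Object -First 1   # newest one if several
}

function Set-RdpCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $cim = @{ Namespace = 'root/cimv2/TerminalServices'; ClassName = 'Win32_TSGeneralSetting'
              Filter = "TerminalName='RDP-Tcp'" }
    # Same change the page makes with wmic, done through CIM
    Get-CimInstance @cim | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $Certificate.Thumbprint }
    # Read the listener back and confirm it now references the expected thumbprint
    $after = Get-CimInstance @cim
    [pscustomobject]@{
        Bound         = ($after.SSLCertificateSHA1Hash -eq $Certificate.Thumbprint)
        Thumbprint    = $after.SSLCertificateSHA1Hash
        SecurityLayer = $after.SecurityLayer     # 2 = SSL, as in the page's output
        Subject       = $Certificate.Subject
        NotAfter      = $Certificate.NotAfter
    }
}

$cert = Find-RdpCertificate
if (-not $cert) { throw 'No valid certificate with the Remote Desktop Authentication EKU for this host in Cert:\LocalMachine\My' }
Set-RdpCertificate -Certificate $cert
```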

Reference Links

1 Trusted Remote Desktop Services SSL Certs for Win10/2019

Many of you have seen a certificate error message when trying to connect to a remote computer using RDP. Do you know why you got the certificate error? It’s due to an invalid certificate. The certificate could be invalid for two reasons: either the RDP certificate on the remote computer has expired, or the certificate is not trusted. If the certificate on the remote computer has expired, you have no choice but to renew the certificate. But if your certificate is valid and simply not trusted, renewal doesn’t help fix this RDP certificate error; you should add the certificates of the root and intermediate Certificate Authorities to the trusted stores on the remote computer. Let’s see how to identify and fix the RDP certificate error, with a detailed procedure to renew the RDP certificate on the remote computer if it has expired.

What Is The Reason Behind The RDP Certificate Error?

You see a certificate error warning because the certificate on the remote computer has become invalid. There are two primary reasons for the error. Let’s explain both reasons and the solutions to fix the RDP certificate error.

#1. RDP Certificate Expired:

Each certificate has a validity period and is issued with an issue date and an expiry date. The certificate is considered invalid once it has passed its expiry date. You may face connection issues with an expired certificate because it will fail to authenticate. You can fix this issue only by renewing the RDP certificate on the remote computer. A detailed step-by-step procedure to renew the RDP certificate on the remote computer follows in a later section of this post.

#2. RDP Certificate Is Not Trusted:

The certificate is also considered invalid if the Certificate Authority that issued it is not trusted. Strictly speaking, it’s not mandatory to fix this RDP certificate error to connect to the remote computer; you can ignore it if you are not worried about a secured connection. But it’s not recommended to ignore it, especially when you are working for a business, because if you ignore it you are prone to cyberattacks. This issue is fixed by importing the certificates of the root and intermediate Certificate Authorities into the trusted root and intermediate stores on the remote computer. Please visit “How to Download and Import Trusted Root CA Certificates from Internal Certificate Authority Server?” to see how to import the certificates of root and intermediate/subordinate Certificate Authorities.

How To Rectify The Problem Behind The RDP Certificate Error?

All right, now you know the causes of the RDP certificate error. The next thing is how to identify the actual cause so you can fix it. Well, it’s easy. You just have to verify certain things on the RDP certificate of the remote computer to figure out the actual cause of the error message. Click the ‘View certificate’ button on the certificate error warning window to view the certificate, or view the certificate in the personal store of the computer by logging into it.

#1. How To Check The Certificate Is Valid?

All PKI certificates carry some basic information, including the issuer name and the issue and expiry dates. Look at the expiry date to check whether the certificate has expired.

#2. How To Verify The Certificate Is Not Trusted?

You can verify whether the certificate authority of the certificate is trusted in multiple ways.

  1. If you see the message “The certificate is not from a trusted certifying authority” in the Certificate error section of the RDP certificate error warning, the certificate authority is not trusted.
  2. You can also see the message in the Certification Path tab of the certificate, as shown here:
  3. Try to find the root and intermediate certificates in their respective stores. If you cannot see the certificates in the stores, the Certificate Authorities are considered not trusted.
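An added example (not part of the referenced article) that runs the two checks above against the certificate currently bound to the RDP-Tcp listener and reports whether it is expired, untrusted, or both. It assumes an elevated PowerShell session on the remote computer itself; the function name is my own.

```powershell
# Added example, not the article's own code: classify the certificate currently bound
# to the RDP-Tcp listener as Valid, Expired, Untrusted or both, the causes the text lists.
# Assumption: run elevated on the remote computer itself. Function name is hypothetical.
function Test-RdpCertificate {
    $ts = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $thumb = $ts.SSLCertificateSHA1Hash
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if (-not $cert) {
        # The default self-signed certificate lives in the "Remote Desktop" store, not "My"
        $cert = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' | Where-Object Thumbprint -eq $thumb
    }
    if (-not $cert) {
        return [pscustomobject]@{ Thumbprint = $thumb; Status = 'NotFound'; Detail = 'bound thumbprint not in local stores' }
    }

    # Check #1: validity period (reason 1 in the text)
    $now = Get-Date
    $expired = ($cert.NotAfter -lt $now) -or ($cert.NotBefore -gt $now)

    # Check #2: chain to a trusted root (reason 2 in the text). Time validity is handled
    # above, and revocation is skipped so the check works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
    [void]$chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    # UntrustedRoot: root CA not in Trusted Root store; PartialChain: intermediate missing
    $untrusted = ($flags -contains 'UntrustedRoot') -or ($flags -contains 'PartialChain')

    $status = if ($expired -and $untrusted) { 'ExpiredAndUntrusted' }
              elseif ($expired)            { 'Expired' }
              elseif ($untrusted)          { 'Untrusted' }
              else                         { 'Valid' }
    [pscustomobject]@{
        Thumbprint  = $thumb
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        Status      = $status
        ChainStatus = ($flags -join ',')
    }
}

Test-RdpCertificate
```

A result of Expired means renewing the certificate is the fix; Untrusted means importing the root and intermediate CA certificates into the trusted stores is the fix, as the text describes.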

How To Renew The RDP Certificate On Windows Servers?

In this section we are going to cover how to renew the RDP certificate on any Windows server. We have divided this section into four major subsections, which will give you a better understanding of the complete certificate renewal process.

  1. Create a CSR for the RDP certificate.
  2. Submit the CSR to the internal CA server and download the certificate after it is issued.
  3. Import the certificate to the remote server’s personal store.
  4. Bind the RDP certificate to the RDP services.

Time needed: 10 minutes.

How to renew the RDP Certificate on Windows servers?

  1. Create a CSR:

    //thesecmaster.com/step-by-step-procedure-to-create-a-custom-csr-on-a-windows-server/

  2. Submit the CSR and Download the certificate:

    //thesecmaster.com/how-to-request-a-certificate-from-windows-adcs/

  3. Import the certificate:

    //thesecmaster.com/step-by-step-procedure-to-convert-a-cer-certificate-to-pfx-without-the-private-key/

  4. Bind the RDP certificate:

    Use this command to bind the certificate:

    wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=""

    Supply the thumbprint of the certificate as the SSLCertificateSHA1Hash value.

#1. Create A CSR:

A Certificate Signing Request (CSR) is the first step to getting a new certificate. Please log in to the remote server and follow the steps to create a CSR on the remote server.

#2. Submit The CSR And Download The Certificate:

Submit the generated CSR to the internal CA and download the certificate from the CA portal after it is issued. Refer to the article “How to request a certificate from Windows ADCS?” to submit the CSR and download the certificate from the internal CA portal.

#3. Import The Certificate:

After you download the certificate, you should import it into the personal store. You can see how to import the certificate here.

#4. Bind The RDP Certificate To The RDP Services:

Importing the certificate is not enough to make it work. You should bind the new certificate to the RDP services. Use this command to bind the certificate:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=""

Supply the thumbprint of the certificate as the SSLCertificateSHA1Hash value.

Examples:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="7fe74076c8a1f8e5b99fc049540977243751bf51"

The bind process completes with the message “update successful”. This is how you renew the RDP certificate on the remote server.

Thanks for reading the post. Please share this with people who are struggling to fix the RDP certificate error.
