Replacing Self Signed Remote Desktop Services Certificate on Windows
One of the reasons we moved from a .local domain to the corp.Bauzas.com Active Directory domain name was so that we could use certificates from a public CA for Remote Desktop Services. We used to rely on self-signed certificates and then moved to the corporate CA, but devices that do not have the enterprise CA's root certificate installed gave us some trouble. Moving to public CA certificates made sense and also lets us avoid things like making our CA publicly accessible. The next challenge was that I had only ever used the "Remote Desktop Session Host Configuration" tool to select which certificate Remote Desktop Services uses. To my surprise (or not, really) this tool is not readily available on Windows Server 2012 or on a Windows workstation. You can probably get it by enabling the appropriate role or feature, but that seemed like too much work. Instead, it turns out you can simply use the certificate management console and place the certificate you want to use in the right store. I recommend going the normal route before you try forcing another certificate into the store.
To run Remote Desktop Session Host Configuration from the Start menu
- Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
- Click Start, click Run, type tsconfig.msc and then press ENTER.
To run Remote Desktop Session Host Configuration from Server Manager
- Click Start, point to Administrative Tools, and then click Server Manager.
- In the left pane, expand Roles.
- Expand Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
To run Remote Desktop Session Host Configuration from the Microsoft Management Console
- Click Start, click Run, type mmc and then press ENTER.
- On the File menu, click Add/Remove Snap-in.
- Under Available snap-ins, click Remote Desktop Session Host Configuration, and then click Add.
- In the Select Computer dialog box, select whether you want to connect to the local computer or to another computer. If you select Another computer, either type in the name of the computer or use Browse to search for the computer.
- Click OK.
- In the Add or Remove Snap-ins dialog box, click OK.
If all that fails, here is how to replace the certificate in the certificate store:
- Open mmc.exe (Microsoft Management Console)
- Add the Certificates snap-in for the Computer account, and select Local computer
- Navigate to Remote Desktop -> Certificates
- Delete the existing certificate issued to the server's name
- Right-click the Certificates folder under Remote Desktop and select Import
- Import the certificate you wish to use for Remote Desktop Services (as a PFX, so its private key comes with it; RDS cannot present a certificate without the private key)
This seems to have worked for me… but then again, if you can use the regular Remote Desktop Session Host Configuration tool, I would do so.
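As an added example that is not part of the original post: a PowerShell audit of which certificate Remote Desktop Services is actually presenting, and whether it is self-signed, SHA-1 signed, expired, or missing its private key. It goes slightly beyond the post by reading the listener's configured thumbprint from the Win32_TSGeneralSetting WMI class; the Test-RdpCertificate function name is my own, not a built-in cmdlet.

```powershell
# Added example, not code from the original post. Audits the certificate that Remote
# Desktop Services presents on this host and flags the problems discussed above:
# a self-signed issuer, a SHA-1 signature, an expired certificate, or a missing private key.
# Assumes Windows Server 2012 / PowerShell 3.0 or later, run from an elevated session.
# Test-RdpCertificate is a hypothetical helper defined here, not a built-in cmdlet.
function Test-RdpCertificate {
    [CmdletBinding()]
    param(
        [string]$TerminalName = 'RDP-Tcp',
        [string]$StorePath = 'Cert:\LocalMachine\Remote Desktop'
    )

    # The thumbprint the RDP listener is configured with lives in the TerminalServices WMI namespace.
    $listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='$TerminalName'"
    $activeThumb = $listener.SSLCertificateSHA1Hash

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $findings = New-Object System.Collections.Generic.List[string]
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName

        # Self-signed: subject and issuer are the same DN, so no client trusts it by default.
        if ($cert.Subject -eq $cert.Issuer)  { $findings.Add('self-signed') }
        # SHA-1 signatures are what scanners such as OpenVAS flag.
        if ($sigAlg -match 'sha1')           { $findings.Add("weak signature: $sigAlg") }
        if ($cert.NotAfter -lt (Get-Date))   { $findings.Add('expired') }
        # RDS can only present a certificate whose private key is in the machine store.
        if (-not $cert.HasPrivateKey)        { $findings.Add('no private key') }

        [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            # String -eq is case-insensitive in PowerShell, matching WMI's upper-case hex.
            ActiveForRdp = ($cert.Thumbprint -eq $activeThumb)
            Findings     = ($findings -join '; ')
        }
    }

    # Warn if the configured thumbprint points at nothing in the store (e.g. the cert was deleted).
    if (-not (Get-ChildItem -Path $StorePath | Where-Object Thumbprint -eq $activeThumb)) {
        Write-Warning "Listener $TerminalName references thumbprint $activeThumb, which is not in $StorePath"
    }
}

Test-RdpCertificate | Format-Table -AutoSize
```

Run it again after a Remote Desktop Services restart: if the row marked ActiveForRdp is once more self-signed, the listener has reverted to the certificate it regenerates automatically and the replacement did not take.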
How do you do this on Server 2012 R2?
You state how to open the Remote Desktop Session Host Configuration, but not how to change the certificate from there.
Is there any way to completely disable the creation of self-signed certificates in Windows 2012 R2? If you delete the self-signed certificate, when you restart the terminal server services it recreates it, regardless of whether or not you have a registered one installed.
The certificates for RDS are in the deployment section. Edit the deployment properties. Mind that you will have to provide a PFX cert file for this, and the uses of the certificate ideally will not be restricted.
Brilliant guide! Helped us sort out a vulnerability detection from our OpenVAS server against the use of SHA1 certs for remote desktop (now using SHA256!).