Tuesday, September 11, 2018

Installing CA certificate to Windows Server 2016 for RDP






    As part of PCI compliance, we recently had to use Certification Authority (CA) issued SSL certificates for RDP instead of the self-signed certificate we had been using. Also note that the Remote Desktop Gateway role was not installed on the server.

  

Installing certificates


Follow these steps to install the certificate using the Microsoft Management Console (MMC) snap-in.

Start > Run > type in "MMC", which opens the MMC console.




On the Console menu, click Add/Remove Snap-in.




A prompt asks whether to open the snap-in for the current user account, the service account, or the computer account. Select Computer Account and then Local Computer.




Click on Certificates in the left panel and click Add.


Click Close in the Add Standalone Snap-in dialog box. Click OK in the Add/Remove Snap-in dialog box.



  • Use the MMC snap-in to install the certificate on the server:

    1. In the Certificates snap-in, in the console tree, expand Certificates (Local Computer), then right-click Personal > All Tasks > Import.

    2. Click Next, Next, and Finish.
    Now you can see that the certificate has been imported and appears under the Personal folder.

    By default Windows Server uses the self-signed certificate. We need to configure the RDP listener to use the imported certificate. This can be achieved in two ways: either with a WMI script or with a registry edit.


    WMI Method




    The RDS listener configuration data is stored in the Win32_TSGeneralSetting class in WMI, under the Root\CimV2\TerminalServices namespace. The thumbprint value is unique to each certificate and is referenced by the SSLCertificateSHA1Hash property.



    Simple PowerShell command to get the thumbprint value:



    Get-Childitem Cert:\LocalMachine\My


    (The above command only shows a certificate if it has previously been imported into the Personal folder using the MMC snap-in.)


    Copy the thumbprint hash value, then run the PowerShell commands below in admin mode, substituting the thumbprint value of the new certificate for the placeholder "thumbprintvalue".


    # Get the WMI object path of the RDP-Tcp listener
    $path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path

    # Point the listener at the imported certificate (replace "thumbprintvalue" with the real thumbprint)
    Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="thumbprintvalue"}



    A successful completion of the command would look something like below.








    Once this has been executed successfully, new RDP connections to the server use the new CA certificate.



    The same can also be achieved by modifying the following registry value:


    Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    Value name:  SSLCertificateSHA1Hash
    Value type:  REG_BINARY
    Value data:  certificate thumbprint
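    The following script is an added example, not part of the original post: it picks the CA-issued certificate out of the machine store automatically, binds it to the RDP-Tcp listener through the same Win32_TSGeneralSetting class described above, and then re-reads the listener to confirm the thumbprint actually changed. It assumes the certificate has already been imported into Cert:\LocalMachine\My and that the script runs in an elevated Windows PowerShell session.

```powershell
# Added example (not the post's own code): select, bind, verify.
# Assumption: the CA-issued certificate is already in Cert:\LocalMachine\My.

$ns            = 'root\cimv2\terminalservices'
$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$now           = Get-Date

# Candidate certificates: not self-signed (subject differs from issuer), private
# key present, inside the validity window, and explicitly allowed for server
# authentication. If several qualify, take the one that expires last.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -ne $_.Issuer -and
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthEku
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw 'No CA-issued server-authentication certificate with a private key in LocalMachine\My'
}
Write-Host "Selected $($cert.Thumbprint) ($($cert.Subject)), issued by $($cert.Issuer)"

# Bind by handing the listener object itself to Set-WmiInstance (-InputObject),
# which avoids having to build the instance path string by hand.
$listener = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $ns -Filter "TerminalName='RDP-Tcp'"
if (-not $listener) { throw 'RDP-Tcp listener not found in Win32_TSGeneralSetting' }
Write-Host "Listener currently uses $($listener.SSLCertificateSHA1Hash)"

Set-WmiInstance -InputObject $listener -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Verify: re-query the listener rather than trusting the call's return value.
# (-ne is case-insensitive, so hex case differences do not matter.)
$after = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $ns -Filter "TerminalName='RDP-Tcp'"
if ($after.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw "Binding failed: listener still reports $($after.SSLCertificateSHA1Hash)"
}
Write-Host "RDP-Tcp now presents $($after.SSLCertificateSHA1Hash); new connections will use it."

# If the binding succeeds but clients still see the self-signed certificate, the
# usual cause is that NETWORK SERVICE (the account Remote Desktop Services runs
# as) cannot read the private key: grant it Read on the key via certlm.msc >
# right-click the certificate > All Tasks > Manage Private Keys.
```

    Existing RDP sessions keep the certificate they negotiated; only connections opened after the change present the new one.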



    Troubleshooting:



















    5 comments:

    1. Thank you for this explanation. It did resolve the issue for us in 3 Windows Server 2016 VMs.

    2. Your $path statement has a typo near the end. My variable was null until I removed that series of underscores, making it .path at the end. $path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").path

