5

I'm attempting to use the wmic approach of assigning a self-signed certificate for Remote Desktop use on a Windows Server 2012 VM as described here and here.

The CA for the RDP certificate has been installed under Local Machine > Trusted Root Certification Authorities and the RDP certificate itself has been installed under Local Machine > Remote Desktop.

When I attempt to issue the wmic command to use the imported RDP certificate, I receive the following error:

C:\Windows\system32> wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="3c7a7a78af9699b69182dff15329834113a518b3"
Updating property(s) of '\\SERVER\root\CIMV2\TerminalServices:Win32_TSGeneralSetting.TerminalName="RDP-Tcp"'
ERROR:
Description = Invalid parameter

...I also tried importing the RDP certificate under Local Machine > Personal, but the error message remains unchanged.

nhelder
  • I tried most of these posts as I had the same WMI parameter error. I finally checked my certs and realized that I forgot to import the cert that was associated with the private key...deleted the self-signed key again....I only had the .cer installed. I converted my .jks to .p12, imported the .p12 into my certstore, ran the wmi command and all is well. I rebooted my servers and the new cert is working for RDP and the self-signed cert no longer populates the cert store. Thanks for all your help. – user5631780 Dec 03 '18 at 23:16

8 Answers

7

Stuck with the same issue for 3 hours, but found the root of the problem. In my case the reason for "Invalid parameter" error was that I've mistakenly imported a certificate without a corresponding private key.

So make sure that when you open your certificate, in the General tab you see in the last line a key symbol and the text "You have a private key that corresponds to this certificate."

It's quite easy to combine certificate and a key into pfx file. Have a look here https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

6

Try placing the thumbprint letters in caps instead of lower case. In Server 2012 R2, for some reason it doesn't take lower case characters in the thumbprint for the wmic command, so e.g. d8f87e2cff8fcc5789f53b5539fc12a0b5eecba8 should be D8F87E2CFF8FCC5789F53B5539FC12A0B5EECBA8.

Easiest way for me to get the thumbprint "as it should be", was to open powershell and get the thumbprint with the following command:

Get-Childitem Cert:\LocalMachine\My

It will display the thumbprints for the local machine certificates without spaces and letters in caps.

Anyway, check out this article, it's really good: https://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/

  • This answer deserves more upvotes - pulling the thumbprint from certlm gives you a lowercase (with spaces) version - I was going nuts until I saw the case sensitivity suggestion as the command response error does not suggest that. You saved my bacon! – tb1 Mar 10 '20 at 13:47
2

Trying to summarize the checklist, cause there are many ways this might happen.

  • Ensure you are running your PowerShell/command prompt with administrative privileges, as stated in this answer.
  • Make sure you import the certificate with its private key. Check the answer from Dmitriy.
  • Ensure that you import the certificate to Machine Account->Personal. Please refer to this blog.
  • I have not yet faced this problem, but someone might have: change the thumbprint to capitals. Check the answer from Erick.
  • If you are having the same issue as many other people, as Ryan said, run the PowerShell version of it.
  • If you are using Notepad as a buffer when removing the spaces in the thumbprint, make sure you have removed the ASCII symbol at the beginning of the thumbprint, as stated in this support article by MS.

Hope this can solve your problem :D

Ricardo
1

On a previous answer related to this topic, one of the comments from someone claimed the wmic version of the command didn't work for them on a 2012 R2 machine, but the Powershell equivalent version did work. You might try that. Here's the equivalent Powershell command.

$path = (gwmi -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
swmi -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}
Ryan Bolger
1

Found the command above was not working as anticipated. After typing out the commands manually it worked, not sure what happened but just in case here is what I used

$TSGS = Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace "root\cimv2\terminalservices"
Set-WmiInstance -Path $TSGS -Arguments @{SSLCertificateSHA1Hash="4adcffbcf35ba044d93108ae2e2c51fa3c3fc983"}
RalfFriedl
  • I have `-Filter "TerminalName='RDP-tcp'"` in my script doing `Get-WmiObject` but it seems to work ok with or without. – Jari Turkia Sep 08 '20 at 08:24
0

Make sure that the certificate you're using has Server Authentication (1.3.6.1.5.5.7.3.1) set for its enhanced key usage field, otherwise you will get that error.

Create self-signed terminal services certificate and install it

Legacoid
  • Thanks, Legacoid. The cert I was attempting to use was generated with a combination of EasyRSA and OpenSSL; not having this value in the certificate is likely the cause of the issue. I'll investigate further and report back when I get a chance. – nhelder Aug 05 '15 at 19:51
  • Hi again, Legacoid - using the details from http://freenac.net/en/book/export/html/328 , I've updated my OpenSSL configuration to specify that the certificate will be used for Server Authentication. When viewing the resulting certificate's Details tab, "Extended Key Usage" now shows "Server Authentication (1.3.6.1.5.5.7.3.1)". However, the wmic error remains the same. Are there other parameters I should check to assure the certificate is being created in a RDP-friendly way? Thanks in advance. – nhelder Aug 07 '15 at 02:59
  • About the only other thing I can think of - and I apologize if it's obvious - is to make sure that your WMI command is executed from a shell with elevated (admin) privileges, i.e. opened as Administrator. And of course make sure that you remembered to import your new certificate into Local Computer\Personal store. Failing that, there's another method you could try: https://social.technet.microsoft.com/Forums/windowsserver/en-US/53571c0e-22c0-41e9-88d6-5bc8f01f5017/assign-certificate-to-rd-session-host-role-in-windows-server-2012?forum=winserverTS (Look for the later post by Sebastian Bammer) – Legacoid Aug 07 '15 at 16:43
0

I also had this problem, which brought me here. My solution was to double-check that your thumbprint (after you remove the spaces and special leading character) reflects exactly the certificate's thumbprint. I was missing a trailing digit; once added back I received a "Property(s) update successful." Good luck.

jcarpio
0

When copying a certificate, for some reason there is a hidden character at the beginning. Make sure to copy the certificate without the hidden character when going into the certificate properties. If you look at the "Invalid parameter" response of the command and look up at the certificate you tried to put in, you would see a box character at the beginning.
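
The checks raised across the answers above, combined into one preflight script before the WMI update. This is an added example, not code from any of the posts: the function names are hypothetical, and the raw thumbprint is the question's value rewritten as constructed input (lower case, spaced, with U+200E assumed as the hidden leading character).

```powershell
# Added example: names are hypothetical; $raw is constructed sample input.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory = $true)][string]$Raw)
    # Keep hex digits only: removes spaces and the invisible leading
    # character picked up when copying from the certificate dialog.
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1) but got $($clean.Length): $clean"
    }
    $clean
}

function Get-RdpCandidateCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) { throw "Not found in LocalMachine\My (Personal): $Thumbprint" }
    if (-not $cert.HasPrivateKey) {
        throw 'No private key: import the .pfx/.p12, not only the .cer.'
    }
    # Collect Enhanced Key Usage OIDs from the certificate extensions.
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $oids = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($oids -notcontains '1.3.6.1.5.5.7.3.1') {
        throw 'Enhanced Key Usage does not list Server Authentication.'
    }
    $cert
}

# The answers above call for an elevated shell; fail early if it is not.
$me = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# Constructed input: the question's thumbprint as a dialog copy might look,
# lower case, spaced, with U+200E standing in for the hidden character.
$raw = "$([char]0x200E)3c 7a 7a 78 af 96 99 b6 91 82 df f1 53 29 83 41 13 a5 18 b3"
$thumb = ConvertTo-CleanThumbprint -Raw $raw
$cert = Get-RdpCandidateCertificate -Thumbprint $thumb

$setting = Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $setting.__PATH `
    -Arguments @{ SSLCertificateSHA1Hash = $thumb } | Out-Null
"RDP-Tcp now uses $($cert.Subject) [$thumb]"
```

Each failed check throws with a specific message, which replaces the single "Invalid parameter" response with the actual cause.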