
Our servers undergo periodic PCI compliance scans and we have a Windows 2008 server machine that we have port 3389 open for RDP. It is secured with SSL, but it is failing the scan because their test says:

 SOLUTION:
 Please install a server certificate signed by a trusted third-party Certificate Authority.
 RESULT:
 Certificate #0 unable to get local issuer certificate

As far as I can tell, the reason it's failing is because in the Terminal Services Configuration tool it is using a locally created certificate instead of the one we got from GeoTrust. So, I open the wizard and it says the certificate is "Auto Generated." I click the SELECT button, change to the one we were issued from GeoTrust and hit OK to save everything (screen shot). However, then I disconnect my RDP session and reconnect and it's back to "Auto Generated." I've even tried deleting the certificate from the MMC Local Computer Certificate snap-in and it just keeps recreating itself every time we reconnect through RDP. I can "pass" the scan by going through those motions and re-running the scan before I log in again with RDP, but that's hardly a permanent solution as these scans run every month.

Can anyone help me figure out how to get the trusted CA SSL cert to stick around permanently?

Thanks in advance.

Jorin
  • Anyone have ANY help on this?? I would start a bounty if I could bring over my StackOverflow rep... – Jorin Apr 22 '11 at 05:47
  • Sounds like you needed to add the IP address of the server as a SAN on your certificate request. That way when the certificate was presented it would have been valid for both the hostname and IP of the server. –  May 01 '15 at 17:50

3 Answers


Well, unfortunately no one was able to help and it came time where I had to deal with it so I played with it a little bit more and ultimately found something that seems to work, so I'll post it here in case it helps someone else.

My remote connection was connecting directly to the IP address of my server instead of the name in the trusted SSL certificate. So, when I changed my remote connection settings to connect to the trusted name instead of the IP address it worked fine. My assumption is that when you connect directly to the IP address, the RDP-TCP manager looks for a certificate that matches and if it doesn't find one, then it defaults back to the auto-generated one (and if that doesn't exist, then it re-creates it). So, now when I set it to the 3rd party trusted certificate and then connect using the FQDN of that certificate, it stays put.

So, now the scan passes without any flags and I'm good to go.

Jorin

I know this is an old thread, but I was able to get the RDP Host Configuration manager to keep the SSL certificate by making it "exportable" when I imported it into IIS.

Just FYI.


It was a bad certificate. You may want to try and import it again. Also check for the intermediate and trusted root certificate authorities to see if the certificate chain is complete. RDP will remove any cert that is not good enough.
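One way to apply and verify what the answers above describe (private key present, complete chain, connection name matching the certificate, then binding it to the RDP-Tcp listener) without the GUI, as an added PowerShell example that is not from any poster in this thread; the thumbprint value and the name rdp.example.com are placeholder assumptions, and it assumes an elevated shell on the Windows Server 2008 host:

```powershell
# Added example: bind a CA-issued certificate to the RDP-Tcp listener and check the
# conditions the thread describes before doing so. Placeholders below are assumptions.
$Thumbprint   = "REPLACE_WITH_CERT_THUMBPRINT"   # hex thumbprint, no spaces
$ExpectedName = "rdp.example.com"                # the FQDN clients will type into mstsc

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; re-import the PFX with its key" }

# 1. The chain must build to a trusted root on this machine. The scanner's
#    'unable to get local issuer certificate' means an intermediate is missing here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline structural check only
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ("Chain: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
    throw "Install the issuing CA's intermediate certificate(s) under LocalMachine\CA and retry"
}

# 2. The name clients connect with must be in the certificate (subject CN or a SAN entry);
#    otherwise the listener falls back to the auto-generated certificate, as the first
#    answer observed when connecting by IP address.
$names = @($cert.GetNameInfo('DnsName', $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) {
    # Format() yields e.g. "DNS Name=rdp.example.com, IP Address=10.0.0.5"
    $names += ($san.Format($false) -split ', ' | ForEach-Object { ($_ -split '=', 2)[1] })
}
if ($names -notcontains $ExpectedName) {
    throw "Certificate names [$($names -join ', ')] do not include '$ExpectedName'; connect by a listed name or reissue the certificate"
}

# 3. Bind the certificate to the RDP-Tcp listener through WMI (the same setting the
#    Terminal Services Configuration tool writes) and read it back to confirm it stuck.
$wmi = @{ Namespace = 'root\cimv2\terminalservices'; Class = 'Win32_TSGeneralSetting'; Filter = "TerminalName='RDP-Tcp'" }
$ts = Get-WmiObject @wmi
Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null
$after = Get-WmiObject @wmi
if ($after.SSLCertificateSHA1Hash -ne $Thumbprint) {
    throw "Listener still reports thumbprint $($after.SSLCertificateSHA1Hash)"
}
"RDP-Tcp now presents '$($cert.Subject)' (expires $($cert.NotAfter))"
```

Re-run the check after reconnecting over RDP by the expected name; if the listener reverts, the name or chain check above is the first place to look.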