Using Remote Desktop Connection to connect from Win7 to Win2008 Server R2, what is the difference in installing a self-signed certificate (for server authentication only) and installing a regular signed certificate? I know the difference between the certificates, but how do I install a signed certificate (which is normally used for a website domain) to use for server authentication only (used for connecting through Remote Desktop Connection)? I know I sound like someone paranoid, but I would like to understand the procedure necessary to replace the self-signed certificate with a signed certificate. Thanks for all the help and have a great day!

Chris Carpenter
  • 101
  • 2
  • 3

2 Answers

4

A. Buy your cert. Like you say, it's the same as one you would get for a web site. Just make sure the name of it matches the name the users will go to for RDP.

B. Install the cert by doing this:

  1. Open MMC.
  2. Highlight Certificates and click Add.
  3. Select Computer Account and click Next.
  4. Select Local Computer and click Finish.
  5. Back in the MMC, highlight Certificates.
  6. From the View menu, select Options.
  7. Change the View mode to Certificate Purpose and then click OK.
  8. Expand the Certificates object.
  9. Right-click on Server Authentication and select All Tasks/Import.
  10. When the Certificate Import Wizard launches, click Next.
  11. On the File To Import page, click Browse and then pick the .PFX file you got from your certificate authority and then click Open. Click Next.
  12. On the Password page, enter the password for the cert if there is one. Select the Mark this key as exportable option. Click Next.
  13. On the Certificate Store page, accept the default to automatically select the cert store.
  14. Click Finish.

C. Enforce SSL by doing this:

  1. Launch Terminal Services Configuration.
  2. In the left pane, highlight Terminal Services Configuration: .
  3. In the right pane, right-click on RDP-Tcp and select Properties.
  4. Click on the General tab.
  5. Next to Certificate: Auto generated, click Select.
  6. Select the cert you just imported and click OK.
  7. Change the Security layer from Negotiate to SSL and the Encryption level from Client Compatible to High. Also, select Allow connections only from computers running Remote Desktop with Network Level Authentication. Click OK.

D. If you're making this server accessible from your internal network to the internet, you then need to give it an external IP and have TCP port 3389 opened on the firewall.

E. Create an A record in DNS that matches exactly the name of the cert.

That should do it. Note that you'll want to review the security configuration in step C7 above to your preference - that config will lock it down nice and tight and will work for anyone running Vista or later.

icky3000
  • 4,718
  • 1
  • 20
  • 15

0

I believe you need to:

  1. Obtain the certificate for your server's full DNS name from a trusted root CA
  2. On the server open mmc.exe
  3. Add the Certificates snap-in, and choose 'Computer Account'
  4. Add the certificate into 'Personal Certificates'

Chris Thorpe
  • 9,903
  • 22
  • 32
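The same procedure both answers describe (import the CA-issued PFX into the computer's Personal store, then bind it to the RDP-Tcp listener with the security layer set to SSL, encryption High and NLA required) can be scripted and, more usefully, verified. The script below is an added example, not code from either answer; it assumes an elevated PowerShell session on the 2008 R2 server, a placeholder FQDN and PFX path, and uses the .NET X509 classes and the Win32_TSGeneralSetting WMI class because the PKI module's Import-PfxCertificate cmdlet is not present on 2008 R2. The Test-RdpCertificate check is my own addition: it refuses to bind a certificate that has no private key, lacks the Server Authentication EKU, or does not carry the name users will type into mstsc, which are the three things that make a client still show a warning after a "successful" install.

```powershell
# Added example, not from the original answers. Run elevated on the Server 2008 R2 host.
# Assumed inputs (placeholders, change them):
$Fqdn    = 'rdp.example.com'                 # hypothetical; must equal the name users connect to
$PfxPath = 'C:\certs\rdp.example.com.pfx'    # hypothetical path to the PFX from your CA
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Load the PFX with the key stored in the machine key set, persisted and exportable
#    (the GUI's "Mark this key as exportable"), and add it to LocalMachine\My.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet,Exportable'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $PfxPassword, $flags
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList `
    ([System.Security.Cryptography.X509Certificates.StoreName]::My),
    ([System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()

# 2. Sanity checks before touching the listener: private key present, Server Authentication
#    EKU (1.3.6.1.5.5.7.3.1), and the FQDN appears in the subject CN or the SAN extension.
function Test-RdpCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Name
    )
    if (-not $Cert.HasPrivateKey) { return $false }
    $hasServerAuth = $false
    foreach ($ext in ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' })) {
        foreach ($usage in $ext.EnhancedKeyUsages) {
            if ($usage.Value -eq '1.3.6.1.5.5.7.3.1') { $hasServerAuth = $true }
        }
    }
    if (-not $hasServerAuth) { return $false }
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    # SAN formats as "DNS Name=host1, DNS Name=host2"; keep the part after each '='.
    foreach ($ext in ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' })) {
        foreach ($entry in ($ext.Format($false) -split ',\s*')) { $names += ($entry -split '=')[-1] }
    }
    return ($names -contains $Name)
}
if (-not (Test-RdpCertificate -Cert $cert -Name $Fqdn)) {
    throw "Certificate $($cert.Thumbprint) is not usable for RDP server authentication as $Fqdn"
}

# 3. Bind the certificate to RDP-Tcp and apply the answer's step C7 settings.
$wmiArgs = @{ Namespace = 'root\cimv2\TerminalServices'; Class = 'Win32_TSGeneralSetting'; Filter = "TerminalName='RDP-Tcp'" }
$ts = Get-WmiObject @wmiArgs
$ts.SSLCertificateSHA1Hash = $cert.Thumbprint   # thumbprint is the SHA-1 hash the listener expects
$ts.Put() | Out-Null
$ts.SetSecurityLayer(2)              | Out-Null  # 0 = RDP, 1 = Negotiate, 2 = SSL (TLS)
$ts.SetEncryptionLevel(3)            | Out-Null  # 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
$ts.SetUserAuthenticationRequired(1) | Out-Null  # 1 = require Network Level Authentication

# 4. Read the listener back and confirm every setting actually took effect.
$check = Get-WmiObject @wmiArgs
$ok = ($check.SSLCertificateSHA1Hash -eq $cert.Thumbprint) -and
      ($check.SecurityLayer -eq 2) -and
      ($check.MinEncryptionLevel -eq 3) -and
      ($check.UserAuthenticationRequired -eq 1)
if ($ok) {
    Write-Host "RDP-Tcp now presents $($cert.Subject) ($($cert.Thumbprint)) with TLS + NLA enforced"
} else {
    Write-Warning "Listener settings do not match what was requested; inspect `$check"
}
```

Step 4 is the part worth keeping after a manual GUI install as well: if the thumbprint read back from Win32_TSGeneralSetting is not the one on the CA-issued certificate, the server is still answering with the auto-generated self-signed certificate and clients will keep warning. The name check in step 2 is what distinguishes "certificate installed" from "certificate trusted": the client compares the name it connected to against the certificate, so an A record that does not match the certificate name (answer step E) fails in the same way a self-signed certificate does.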