59

So the release of Windows Server 2012 has removed a lot of the old Remote Desktop related configuration utilities. In particular, there is no more Remote Desktop Session Host Configuration utility that gave you access to the RDP-Tcp properties dialog that let you configure a custom certificate for the RDSH to use. In its place is a nice new consolidated GUI that is part of the overall "edit deployment properties" workflow in the new Server Manager. The catch is that you only get access to that workflow if you have the Remote Desktop Services role installed (as far as I can tell).

This seems like a bit of an oversight on Microsoft's part. How can we configure a custom SSL certificate for RDP on Windows Server 2012 when it's running in the default Remote Administration mode without needlessly installing the Remote Desktop Services role?

Ryan Bolger
  • 16,472
  • 3
  • 40
  • 59
  • Related --> https://superuser.com/questions/1093159/how-to-provide-a-verified-server-certificate-for-remote-desktop-rdp-connection/1471991#1471991 – FreeSoftwareServers Aug 16 '19 at 12:40

3 Answers3

86

It turns out that much of the configuration data for RDSH is stored in the Win32_TSGeneralSetting class in WMI in the root\cimv2\TerminalServices namespace. The configured certificate for a given connection is referenced by the Thumbprint value of that certificate on a property called SSLCertificateSHA1Hash.


UPDATE: Here's a generalized Powershell solution that grabs and sets the thumbprint of the first SSL cert in the computer's personal store. If your system has multiple certs, you should add a -Filter option to the gci command to make sure you reference the correct cert. I've left my original answer intact below this for reference.

# get a reference to the config instance
$tsgs = gwmi -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

# grab the thumbprint of the first SSL cert in the computer store
$thumb = (gci -path cert:/LocalMachine/My | select -first 1).Thumbprint

# set the new thumbprint value
swmi -path $tsgs.__path -argument @{SSLCertificateSHA1Hash="$thumb"}

In order to get the thumbprint value

  1. Open the properties dialog for your certificate and select the Details tab
  2. Scroll down to the Thumbprint field and copy the space delimited hex string into something like Notepad
  3. Remove all the spaces from the string. You'll also want to watch out for and remove a non-ascii character that sometimes gets copied just before the first character in the string. It's not visible in Notepad.
  4. This is the value you need to set in WMI. It should look something like this: 1ea1fd5b25b8c327be2c4e4852263efdb4d16af4.

Now that you have the thumbprint value, here's a one-liner you can use to set the value using wmic:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

Or if PowerShell is your thing, you can use this instead:

$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}

Note: the certificate must be in the 'Personal' Certificate Store for the Computer account.

Ryan Bolger
  • 16,472
  • 3
  • 40
  • 59
  • 3
    Just wanted to add that this saved me from pure meltdown. Thank you. Installing the roles and restarting servers as suggested within technet and the like is ridiculous. Even then, once you install the SSL cert in RD Gateway Manager, it doesn't carry over to the remote admin login. – Papa Feb 12 '14 at 08:10
  • You're most welcome. – Ryan Bolger Feb 12 '14 at 18:49
  • 2
    Thanks so much for this. I must've searched **all of google** before I found this. There are too many results telling me to install "Remote Desktop Services" via "Add roles and features", but doing so requires you to join a domain. – Sethi Mar 12 '14 at 15:25
  • This is outstanding, so helpful, and should of course be provided by Microsoft. Thanks for taking the time to post it here. – BrianFinkel Mar 03 '15 at 18:38
  • What happens if your certificate renews automatically, if you set this value? Will it automatically pick up the new hash? Also, can I delete the self-signed cert out of the RDP certificate folder? – jjmil03 Apr 22 '15 at 18:01
  • I don't think it will automatically update the hash reference, but I've never tested so I can't be sure. You can delete the self-signed cert, but in my experience Windows just re-creates a new one later. – Ryan Bolger Apr 22 '15 at 21:05
  • @RyanBolger I'm about to renew the cert and was wondering if the thumbprint changes? After some reading, it appears it shouldn't, but wanted to know if you have experience with this? – Papa Jul 27 '15 at 00:13
  • I don't recall specifically, but I'm pretty sure it does because it's effectively a new cert. – Ryan Bolger Jul 27 '15 at 22:04
  • The Command Prompt version didn't work for me on Windows Server 2012 R2 but the PowerShell version worked perfectly. – Doug Wilson Oct 18 '15 at 14:33
  • You might try posting a separate question with the problem you're experiencing. – Ryan Bolger Dec 23 '15 at 05:20
  • It is possible to use a SHA256 certificate? I'm getting an "invalid argument" error. – georgiosd Dec 23 '15 at 14:13
  • Yes, any certificates that Windows supports should work. I personally use it with plenty of SHA256 certificates. – Ryan Bolger Dec 24 '15 at 00:51
  • @doug-wilson Curiously, the command prompt version worked for me but the powershell version did not work. – Hugh Jeffner Feb 02 '16 at 17:02
  • 2
    If I try to do it using your PS script I get "Invalid Parameter". Same issue if I do it manually, too... – deed02392 Jul 25 '16 at 15:51
  • Which line gives you that error? – Ryan Bolger Jul 25 '16 at 17:55
  • 1
    I was getting **Invalid argument** using all methods until I've re-imported certificate _including_ private keys. Simple mistake. – toffitomek Jan 12 '17 at 11:50
  • 2
    Me again :D I'm getting that "Invalid parameter" error in Powershell too when running `wmic`. Just seen the note at the bottom. **Make sure the cert is in the Personal store too.** Mine was in the Web Hosting store this time... – Sethi Jan 31 '17 at 10:46
  • You can use SHA256 or other certificates, but the **thumbprint is SHA1**. Make sure you don't confuse serial number and thumbprint. PS. Tested the command prompt version on Windows Server 2016. – arni May 22 '17 at 11:13
  • Me again, again. I had a script running this after renewing my Let's Encrypt certificates... It was working well for a long time -- now I'm getting `Security negotiation Error: CredSSPRequired(5)` when trying to connect and am now locked out -- anyone else received this error? – Sethi May 13 '18 at 18:38
  • https://go.microsoft.com/fwlink/?linkid=866660 – Ryan Bolger May 13 '18 at 22:19
5

If you getting "Invalid Parameter" when you trying Ryan's solution, make sure you are using elevated command prompt (run as administrator).

David Literak
  • 69
  • 1
  • 1
0

You need your domain.pfx & the fingerprint in a txt file SSLCertificateSHA1Hash.txt.

Then run this in CMD:

pushd %~dp0
cls
::FreeSoftwareServers.com

certutil.exe -p "" -importpfx "%~dp0domain.pfx"
set /p FingerPrint=<"%~dp0SSLCertificateSHA1Hash.txt"
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="%FingerPrint%"
icacls.exe "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" /grant "NETWORK SERVICE":R
shutdown /r /t 5
FreeSoftwareServers
  • 571
  • 1
  • 6
  • 25