Change Windows 7 RDP host certificate expiration date

My Windows 7 desktop computer uses a self-signed certificate to identify its RDP host. So to prevent a man-in-the-middle attack, I have to manually verify the thumbprint the first time my RDP client connects. This isn't so bad if you only have to do it once, but the certificate expires every 6 months, and a new one (with a new random thumbprint) is automatically generated.

So I may be across town trying to connect to my RDP host when I'm warned that the host certificate has changed. I have no way to know if there is a MITM attack going on or if my computer has just generated a new certificate, and I can't safely verify the new thumbprint without physical access to the computer.

I think the easiest solution would be to have the RDP host generate certificates with a longer validity period, e.g. make the expiration date 10 years in the future, instead of 6 months. How can I accomplish this? Any alternative solutions to this problem?

David Chamberlain

Posted 2014-07-30T17:22:19.333

Reputation: 39

Why don't you just provide your own certificate? This might involve using different tools other than the default RDP client. – Ramhound – 2014-07-30T18:24:15.137
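The approach Ramhound suggests, as an added example that is not part of the original thread: create a self-signed certificate with a long validity period yourself and bind it to the RDP listener, so the auto-generated six-month certificate (kept in the machine's "Remote Desktop" store) is no longer what the host presents. This is generic Windows administration, not code from the question's author. Assumptions: it is run in an elevated Windows PowerShell 5.1 session; `New-SelfSignedCertificate` with the `-NotAfter`, `-KeySpec`, `-Provider` and `-TextExtension` parameters needs Windows 10 / Server 2016 or later (on Windows 7 you would create the certificate with `makecert` or `certreq` instead and start from the binding step); clients connect using the computer name, which is used as the certificate's DNS name; the listener name is the default `RDP-Tcp`; and the 10-year lifetime is the value the question proposes.

```powershell
# Added example (not from the original page): give the RDP listener a long-lived
# self-signed certificate so the thumbprint pinned in the client stays stable.
# Assumptions: elevated Windows PowerShell 5.1 on Windows 10 / Server 2016 or later,
# default listener name 'RDP-Tcp', clients connect by $env:COMPUTERNAME.

$dnsName  = $env:COMPUTERNAME   # assumption: the name clients type into mstsc
$years    = 10                  # validity period proposed in the question
$listener = 'RDP-Tcp'           # assumption: default RDP listener name

# 0. Show what the host presents today: the auto-generated certificate lives in the
#    'Remote Desktop' machine store and normally expires about six months after creation.
Write-Host "Current auto-generated RDP certificate(s):"
Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' |
    Select-Object Thumbprint, NotAfter, Subject | Format-Table -AutoSize

# 1. Create a self-signed certificate in the machine 'Personal' store.
#    The legacy SChannel CSP is used so the private key is a file under MachineKeys,
#    which makes the ACL step below straightforward. EKU 1.3.6.1.5.5.7.3.1 is
#    Server Authentication, which the RDP listener requires.
$cert = New-SelfSignedCertificate `
    -DnsName $dnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
    -KeySpec KeyExchange `
    -KeyExportPolicy NonExportable `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears($years) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')

# 2. Remote Desktop Services runs as NETWORK SERVICE and must be able to read the
#    private key, otherwise the listener silently falls back to its own certificate.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Bind the certificate to the listener by thumbprint via the Terminal Services
#    WMI provider (the same setting 'wmic ... Win32_TSGeneralSetting' edits).
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                    -Class Win32_TSGeneralSetting `
                    -Filter "TerminalName='$listener'"
Set-WmiInstance -Path $ts.__PATH `
                -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# 4. Read the binding back and fail loudly if it did not take effect.
$bound = (Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='$listener'").SSLCertificateSHA1Hash
if ($bound -ne $cert.Thumbprint) {
    throw "Listener '$listener' still uses $bound, expected $($cert.Thumbprint)"
}

# Record this thumbprint while you have physical/console access; it is the value to
# compare against the warning dialog the next time the RDP client connects.
Write-Host "RDP listener '$listener' now presents:"
Write-Host "  Thumbprint : $($cert.Thumbprint)"
Write-Host "  Expires    : $($cert.NotAfter)"
```

Two caveats a practitioner would want: the listener does not need a restart, but existing sessions keep the old certificate until they reconnect, so verify the new thumbprint from a fresh client connection before leaving the machine. And a stable, long-lived thumbprint only removes the "did it rotate or is it a MITM?" ambiguity; it does not remove the need to re-verify out of band if the host is rebuilt or the key is ever replaced, because any unexpected thumbprint change should again be treated as suspicious.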

Does "self-signed" in this case mean that the certificate presented for RDP was used to sign itself? Or just that the system presenting the certificate was the one that signed the RDP cert? If the latter, and the signing certificate is actually different from the one presented for RDP and is static, then you can theoretically just trust the signing certificate. Otherwise, you'll need to build a more proper PKI - even if it's just one CA to make the one RDP cert. I've been meaning to toy around with this myself for a while - just never gotten around to it. – Iszi – 2014-07-30T18:29:12.943

No answers