Install an SSL Certificate into Remote Desktop / Terminal Server using MMC

How to Install an SSL Certificate into Remote Desktop / Terminal Server

The Certificate has expired or is not yet valid.


This little tech tidbit is for those who like to use terminal servers or Remote Desktop to log on to their servers. I will explain how to install a trusted certificate into Terminal Services. The first thing you need to do is get an SSL certificate as a Standard PEM. You can get free SSL from SSLForFree.com; download the certificate and then use SSL Shopper's conversion tool to convert it to PFX/PKCS#12 form.

My advice is to use GlobalSign's AlphaSSL Standard Certificate, which will give you an X509 and a PKCS7.  As for generating a private key, see this How To Guide blog article.

Step 0: Use certlm.msc to request a new certificate. Right-click on Personal -> Certificates, and then choose "All Tasks" -> "Advanced Operations" -> "Create Custom Request" through the pop-up menus. In the Certificate Enrollment's Custom Request, choose "Web Server" from the Templates. The Request Format will be "PKCS #10". Choose a key length of 2048, with SHA1. In the properties page, set the subject name as a "Common Name" and the Alternative name as DNS name, and set a friendly name and description. In the private key section, set the CSP as RSA, key size as 2048, make the private key exportable, and set the key type to Exchange. Finally, create it. You will find the request in the Personal Certificates branch. Export it with a password as a .PFX file. The final step is to convert it with SSL Shopper's converter from PFX/PKCS#12 to Standard PEM, using the password you chose earlier. Open the .PEM file in a text editor and copy the Private Key section. Paste the key text into another text file. You will need this clear-text key to convert your newly gained certificate later on.

Step 1: Convert it from PEM to PFX/PKCS#12 using the SSL Shopper website converter. Import the certificate, private key, and CRT bundle, and leave the password field blank. When the conversion finishes, you will find a file called certificate.pfx downloaded to your computer. Save this file for the next steps.


Step 2: Open MMC and add the Certificates snap-in as Computer Account, or just run certlm.msc.
Step 3: Import the new certificate into your Personal store using the Certificate Import Wizard. You will see a dialog box with a browse button. Use it to find certificate.pfx from the previous step. Do not import the certificate.crt file, because it has a password and will cause wmic to throw an error later.


Step 4: Import the certificate into the Personal branch and leave it there.
Step 5: Use this magic command to assign this certificate to Terminal Services.
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="PUT-the-THUMB-print-HERE"

Open your new certificate, and then get the thumbprint from the certificate. It will look like this:
3b a2 15 ac 85 a3 ee 56 9b 2e 55 73 de 22 55 29 cb d4 8a 05

Put the thumbprint, without spaces, in the command below. Be sure to use PowerShell; you can also use cmd.exe as Administrator to run this command. You may have to convert the thumbprint to upper case.
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="PUT-the-THUMB-print-HERE"
Copy this command to an administrative command prompt or PowerShell and hit Enter. It should say successful, and Terminal Services will now use the certificate you chose. If you see this error message:
ERROR:
Description = Invalid parameter
it means that your certificate requires a private key; it means that you converted it and entered a password. You may have imported the wrong certificate. Import the .PFX file, not the .CRT file.
Repeat Step 3. You need to leave that password blank and import the correct file. You also need to add a friendly name and description in the certificate manager.
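
The thumbprint clean-up, private-key check and assignment from Steps 3 to 5, as an added PowerShell example that is not part of the original post. It assumes the default listener name RDP-Tcp and uses Get-CimInstance / Set-CimInstance on the same Win32_TSGeneralSetting class instead of wmic; the thumbprint is the sample value shown above.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Sample value: the thumbprint shown in the article, pasted with its spaces.
$raw = '3b a2 15 ac 85 a3 ee 56 9b 2e 55 73 de 22 55 29 cb d4 8a 05'

# Keep only hex digits (drops spaces and any invisible characters picked up
# when copying from the certificate dialog), then upper-case the result.
$thumb = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) {
    throw "Expected 40 hex characters for a SHA-1 thumbprint, got $($thumb.Length)."
}

# The certificate must be in the computer's Personal store with its private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) {
    throw "No certificate $thumb in Cert:\LocalMachine\My. Import the .pfx first."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumb has no private key. Import the .pfx, not the .crt."
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Same WMI namespace, class and property as the wmic command in Step 5.
# Assumption: the listener is the default one, named RDP-Tcp.
$ns = 'root\cimv2\TerminalServices'
$ts = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
Set-CimInstance -InputObject $ts -Property @{ SSLCertificateSHA1Hash = $thumb }

# Read the setting back to confirm which certificate the listener now uses.
(Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
```

Each check stops with a specific message before the WMI call, so a missing private key or a wrong store shows up as its own error rather than as "Invalid parameter".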

Part 2 - Using OpenSSL to Extract Private Key from Exported PFX

On newer servers such as Windows Server 2022, the private key is not easy to extract. But OpenSSL can get it for you.

Here's a great video that shows the process.
