
My SSL certs come as a CA bundle plus a certificate, and I have the matching private key. I obviously have Linux VMs around with openssl, so that is what I use to combine the bundle, cert and key into a Windows pfx (PKCS#12) file.

Make a directory to work in and move the 3 files into it:

domain.ca-bundle  domain.crt  domain.key 

Create pfx format key:

sudo openssl pkcs12  -export -out domain.pfx -inkey *.key -in *.crt -certfile *.ca-bundle

Export the certificate's SHA1 fingerprint (the SSLCertificateSHA1Hash value RDP expects: lowercase hex, no colons) to a TXT file:

openssl x509 -in *.crt -noout -fingerprint | sed -e 's/SHA1 Fingerprint=//g' | sed -e 's/://g' | tr '[:upper:]' '[:lower:]' > SSLCertificateSHA1Hash.txt
cat SSLCertificateSHA1Hash.txt

Import Cert to Windows (Open Elevated CMD Prompt):

  • Can't use wildcards to define the pfx file
  • Replace -p "" with the actual password if the pfx is password-protected
certutil.exe -p "" -importpfx C:\domain.pfx NoExport

Now add the SSLCertificateSHA1Hash to RDP-Tcp:

set /p FingerPrint=<C:\SSLCertificateSHA1Hash.txt
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="%FingerPrint%"

You will need to grant the user "Network Service" "Read Only" permissions on the private key now. Note that the wildcard below grants read on every key file in MachineKeys, not just the RDP cert's key; granting on the specific key container file only is the least-privilege option:

icacls.exe "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" /grant "NETWORK SERVICE":R

Reboot Host:

shutdown /r /t 5

Once tested, here is the final script:

pushd %~dp0
cls
::FreeSoftwareServers.com

certutil.exe -p "" -importpfx "%~dp0FreeSoftwareServers.pfx" NoExport
set /p FingerPrint=<"%~dp0SSLCertificateSHA1Hash.txt"
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="%FingerPrint%"
icacls.exe "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" /grant "NETWORK SERVICE":R
pause
shutdown /r /t 5
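As an added example (not part of the original page or its batch script), the following PowerShell does the same binding step but grants NETWORK SERVICE read on only the key file behind the imported certificate, and checks afterwards that the RDP-Tcp listener reports the expected hash. It assumes SSLCertificateSHA1Hash.txt from the openssl step sits next to the script, that the key is a CAPI key under MachineKeys (the usual case for an openssl-built pfx), and that it runs elevated.

```powershell
# Added example, not from the original page: least-privilege variant of the
# icacls step plus a check that the RDP-Tcp listener really uses the new cert.
# Assumes SSLCertificateSHA1Hash.txt (from the openssl step) sits next to this script.
$thumb = (Get-Content "$PSScriptRoot\SSLCertificateSHA1Hash.txt" -Raw).Trim().ToUpper()

# Locate the imported certificate by thumbprint (certutil -importpfx puts it in LocalMachine\My)
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert)               { throw "No certificate with thumbprint $thumb in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key; re-check the pfx export" }

# Resolve the key container file: certutil prints 'Unique container name: <file>'
# for CAPI keys, which live under ProgramData\Microsoft\Crypto\RSA\MachineKeys.
$line = certutil -store My $thumb | Select-String 'Unique container name:'
if (-not $line) { throw "Could not resolve the key container (CNG key? it would be under Crypto\Keys)" }
$container = ($line.Line -split ':', 2)[1].Trim()
$keyPath   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyPath)) { throw "Key file not found: $keyPath" }

# Grant NETWORK SERVICE read on this one key file instead of every key in MachineKeys
icacls $keyPath /grant 'NETWORK SERVICE:R' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $keyPath" }

# Bind the cert to the RDP-Tcp listener (same WMI class the wmic line uses) and verify
$filter = "TerminalName='RDP-Tcp'"
$ts = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter $filter
Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $thumb } | Out-Null
$after = (Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
          -Filter $filter).SSLCertificateSHA1Hash
if ($after -ne $thumb) { throw "RDP-Tcp still reports '$after', expected $thumb" }
Write-Host "RDP-Tcp now uses $($cert.Subject) ($thumb); key file: $keyPath"
```

A reboot (or restarting the Remote Desktop Services service) is still needed for the listener to pick up the new certificate, exactly as in the batch version.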

Sources:

https://superuser.com/questions/1093159/how-to-provide-a-verified-server-certificate-for-remote-desktop-rdp-connection/1093160#1093160
https://serverfault.com/questions/444286/configure-custom-ssl-certificate-for-rdp-on-windows-server-2012-in-remote-admini
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
https://support.microsoft.com/en-gb/help/2001849/how-to-force-remote-desktop-services-on-windows-7-to-use-a-custom-serv

https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server
https://docs.microsoft.com/en-us/windows/win32/winhttp/winhttpcertcfg-exe--a-certificate-configuration-tool
https://blogs.technet.microsoft.com/operationsguy/2010/11/29/provide-access-to-private-keys-commandline-vs-powershell/
https://stackoverflow.com/questions/1678584/winhttpcertcfg-giving-access-to-iis-user-in-windows-7

https://serverfault.com/questions/979400/grant-network-service-read-only-permissions-to-cert-for-rdp-via-batch