Windows RDP Service 使用正式憑證

Windows RDP Service using Signed Certificate

1. 產生憑證

   • $openssl req -new -newkey rsa:4096 -nodes -sha256 -out FQDN.sha256.csr -keyout FQDN.key 

   • PS1: 我習慣在非 Windows 的機器上產憑證，所以這部分請自行想辦法找 openssl 來執行
   • PS2: 注意！請不要使用任何線上網站來進行產生 Key 的步驟！
2. 簽署憑證
   1. 使用 Let's Encrypt(90天) or Comodo Trial SSL(90天) or Buy One.
   2. 拿到正式憑證的 FQDN.crt 及 CA_bundle.crt (中繼憑證)
   3. 將 PEM 格式換成 pkcs12 以便餵入 Windows

      • $openssl pkcs12 -export -out FQDN.pfx -inkey FQDN.key -in FQDN.crt -certfile CA_bundle.crt

      • 輸入個密碼保護一下
3. 放置憑證至 Windows
   1. 開始 → cmd → mmc → 新增/移除嵌入式管理單元 → 憑證 → 新增
   2. 電腦帳戶 → 本機電腦 → 完成 → 確定
   3. 憑證(本機電腦) → 個人 → 憑證
   4. 動作 → 所有工作 → 匯入
   5. 匯入成功後 → FQDN 點二下打開憑證內容 → 憑證指紋 → 複製該值 (EX: ‎ec 97 5c c9 95 4a 45 2b 1f 03 0d b3 32 18 b2 ae 86 0d ca 22)
   6. 清除所有空格後待用(ec975cc9954a452b1f030db33218b2ae860dca22)
4. 註冊憑證至 RDP 服務
   1. 開始 → 搜尋 → cmd → 命令提示字元 → 使用管理員身分執行

   2. C:\WINDOWS\system32>wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="ec975cc9954a452b1f030db33218b2ae860dca22"

   3. 完成註冊後應該會顯示

      正在更新 '\\PCNAME\root\cimv2\TerminalServices:Win32_TSGeneralSetting.TerminalName="RDP-Tcp"' 的屬性
      屬性更新成功。

   4. 接下來甚麼事都不用做 RDP 就會使用新憑證了。惱人的憑證問題視窗就再也不會出現了。

1. Create a CSR (also including private key)

   • $openssl req -new -newkey rsa:4096 -nodes -sha256 -out FQDN.sha256.csr -keyout FQDN.key 

   • PS: I usually generate key using unix-like os to do that. Please find the openssl to do so.
   • PS2: Caution! DO NOT USED ANY ONLINE WEB SITE TO DO THIS SETP!
2. Sign the Certificate
   1. Using Let's Encrypt(90 days) or Comodo Trial SSL(90 days) or Buy One.
   2. Get the signed certificate file: FQDN.crt and CA_bundle.crt (Intermediate Certificate)
   3. Change certificate format from PEM to pkcs12 for feeding to Windows

      • $openssl pkcs12 -export -out FQDN.pfx -inkey FQDN.key -in FQDN.crt -certfile CA_bundle.crt

      • Enter password for protect file
3. Put certificate into Windows
   1. Start → Search → cmd → mmc → Add/Remove Snap-in → Certificates → Add >
   2. Computer account → Local Computer → Finish → OK
   3. Certificates(Local Computer) → Personal → Certificates
   4. All task → Import…
   5. After import → FQDN Double-click to open certificate → Thumbprint → Copy value (EX: ‎ec 97 5c c9 95 4a 45 2b 1f 03 0d b3 32 18 b2 ae 86 0d ca 22)
   6. Remove all spaces (ec975cc9954a452b1f030db33218b2ae860dca22)
4. Register Certificate to RDP Service
   1. Start → Search → cmd → Command Prompt → Run as administrator

   2. C:\WINDOWS\system32>wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="ec975cc9954a452b1f030db33218b2ae860dca22"

   3. After success registered

      Updating '\\PCNAME\root\cimv2\TerminalServices:Win32_TSGeneralSetting.TerminalName="RDP-Tcp"' Attribute
      Attributes update success.

   4. You do not do anything in following. RDP already using new certificate to serve. No annoying message anymore.