Differences
This shows you the differences between two versions of the page.
microsoft:rdp_certificate [2017/05/27 17:29] jal created | microsoft:rdp_certificate [2017/05/27 18:04] jal
---|---|---|---|
行 5: | 行 5: | ||
- 產生憑證 | - 產生憑證 | ||
* <code cmd>$openssl req -new -newkey rsa:4096 -nodes -sha256 -out FQDN.sha256.csr -keyout FQDN.key </code> | * <code cmd>$openssl req -new -newkey rsa:4096 -nodes -sha256 -out FQDN.sha256.csr -keyout FQDN.key </code> | ||
- | * PS: 我習慣在非 Windows 的機器上產憑證,所以這部分請自行想辦法找 openssl 來執行 | + | * PS1: 我習慣在非 Windows 的機器上產憑證,所以這部分請自行想辦法找 openssl 來執行 |
+ | * PS2: :!: 注意!請不要使用任何線上網站來進行產生 Key 的步驟! | ||
- 簽署憑證 | - 簽署憑證 | ||
- | - 使用 Let's Encrypt or Comodo Trial SSL or Buy One. | + | - 使用 [[https://letsencrypt.org/|Let's Encrypt(90天)]] or [[https://www.comodo.com/e-commerce/ssl-certificates/free-ssl-certificate.php|Comodo Trial SSL(90天)]] or Buy One. |
- 拿到正式憑證的 FQDN.crt 及 CA_bundle.crt (中繼憑證) | - 拿到正式憑證的 FQDN.crt 及 CA_bundle.crt (中繼憑證) | ||
- 將 PEM 格式換成 pkcs12 以便餵入 Windows | - 將 PEM 格式換成 pkcs12 以便餵入 Windows | ||
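Review bot: the 90-day lifetime now noted on the Let's Encrypt and Comodo links means the pkcs12 conversion, mmc import and wmic registration have to be repeated at every renewal, but the page documents no renewal step; add one. In the same hunk, the `-nodes` option in the `openssl req` line writes FQDN.key to disk unencrypted, which sits awkwardly beside the new PS2 warning about where keys are generated; either drop `-nodes` (and supply the passphrase at the `pkcs12 -export` step) or state that FQDN.key must be readable only by its owner and deleted after the .pfx is built.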
行 20: | 行 21: | ||
- 清除所有空格後待用(ec975cc9954a452b1f030db33218b2ae860dca22) | - 清除所有空格後待用(ec975cc9954a452b1f030db33218b2ae860dca22) | ||
- 註冊憑證至 RDP 服務 | - 註冊憑證至 RDP 服務 | ||
- | - 開始 -> cmd -> 使用管理員身分執行 | + | - 開始 -> 搜尋 -> cmd -> 命令提示字元 -> 使用管理員身分執行 |
- | - <code cmd>C:\WINDOWS\system32>wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="e2e8921bd451996df86fe47dbd4c9868ec0388cb"</code> | + | - <code cmd>C:\WINDOWS\system32>wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="ec975cc9954a452b1f030db33218b2ae860dca22"</code> |
- 完成註冊後應該會顯示<code>正在更新 '\\PCNAME\root\cimv2\TerminalServices:Win32_TSGeneralSetting.TerminalName="RDP-Tcp"' 的屬性 | - 完成註冊後應該會顯示<code>正在更新 '\\PCNAME\root\cimv2\TerminalServices:Win32_TSGeneralSetting.TerminalName="RDP-Tcp"' 的屬性 | ||
屬性更新成功。</code> | 屬性更新成功。</code> | ||
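Review bot: the SSLCertificateSHA1Hash value in the wmic command now matches the thumbprint listed two lines above it (ec975cc9954a452b1f030db33218b2ae860dca22), fixing the mismatch in the previous revision, but that thumbprint belongs to the author's own certificate, so a reader who copies the line verbatim registers a value that does not correspond to the certificate they imported; replace it with a placeholder such as `<YOUR_THUMBPRINT>` and add a verification step after the Set, e.g. `wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash`, so the registered value can be compared with the thumbprint shown in the certificate dialog.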
行 27: | 行 28: | ||
+ | ===== Step ===== | ||
+ | - Create a CSR (also including private key) | ||
+ | * <code cmd>$openssl req -new -newkey rsa:4096 -nodes -sha256 -out FQDN.sha256.csr -keyout FQDN.key </code> | ||
+ | * PS: I usually generate key using unix-like os to do that. Please find the [[https://www.openssl.org/|openssl]] to do so. | ||
+ | * PS2: :!: Caution! DO NOT USED ANY ONLINE WEB SITE TO DO THIS SETP! | ||
+ | - Sign the Certificate | ||
+ | - Using [[https://letsencrypt.org/|Let's Encrypt(90 days)]] or [[https://www.comodo.com/e-commerce/ssl-certificates/free-ssl-certificate.php|Comodo Trial SSL(90 days)]] or Buy One. | ||
+ | - Get the signed certificate file: FQDN.crt and CA_bundle.crt (Intermediate Certificate) | ||
+ | - Change certificate format from PEM to pkcs12 for feeding to Windows | ||
+ | * <code cmd>$openssl pkcs12 -export -out FQDN.pfx -inkey FQDN.key -in FQDN.crt -certfile CA_bundle.crt</code> | ||
+ | * Enter password for protect file | ||
+ | - Put certificate into Windows | ||
+ | - Start -> Search -> cmd -> mmc -> Add/Remove Snap-in -> Certificates -> Add > | ||
+ | - Computer account -> Local Computer -> Finish -> OK | ||
+ | - Certificates(Local Computer) -> Personal -> Certificates | ||
+ | - All task -> Import... | ||
+ | - After import -> FQDN Double-click to open certificate -> Thumbprint -> Copy value (EX: ec 97 5c c9 95 4a 45 2b 1f 03 0d b3 32 18 b2 ae 86 0d ca 22) | ||
+ | - Remove all spaces (ec975cc9954a452b1f030db33218b2ae860dca22) | ||
+ | - Register Certificate to RDP Service | ||
+ | - Start -> Search -> cmd -> Command Prompt -> Run as administrator | ||
+ | - <code cmd>C:\WINDOWS\system32>wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="ec975cc9954a452b1f030db33218b2ae860dca22"</code> | ||
+ | - After success registered <code>Updating '\\PCNAME\root\cimv2\TerminalServices:Win32_TSGeneralSetting.TerminalName="RDP-Tcp"' Attribute | ||
+ | Attributes update success.</code> | ||
+ | - You do not do anything in following. RDP already using new certificate to serve. No annoying message anymore. |
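Review bot: the added English section carries several typos in the step text ("DO NOT USED", "SETP", "All task", "for protect file", "After success registered"). Beyond spelling, the Import... step under item 4 does not mention that the password chosen at the `pkcs12 -export` step is requested again by the mmc import wizard, and the closing claim that there is "no annoying message anymore" only holds when clients connect using the FQDN the CSR was issued for; connecting by IP address or a short hostname still triggers the name-mismatch warning because the certificate subject does not match. Both points are worth a sentence.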