Differences

This shows you the differences between two versions of the page.


microsoft:rdp_certificate [2017/05/27 17:29]
jal created
microsoft:rdp_certificate [2017/05/27 18:04]
jal
Line 5: Line 5:
   - 產生憑證   - 產生憑證
     * <code cmd>​$openssl req -new -newkey rsa:4096 -nodes -sha256 -out FQDN.sha256.csr -keyout FQDN.key </​code>​     * <code cmd>​$openssl req -new -newkey rsa:4096 -nodes -sha256 -out FQDN.sha256.csr -keyout FQDN.key </​code>​
-    * PS: 我習慣在非 Windows 的機器上產憑證,所以這部分請自行想辦法找 openssl 來執行+    * PS1: 我習慣在非 Windows 的機器上產憑證,所以這部分請自行想辦法找 openssl 來執行 
 +    * PS2: :!: 注意!請不要使用任何線上網站來進行產生 Key 的步驟!
   - 簽署憑證   - 簽署憑證
-    - 使用 Let's Encrypt or Comodo Trial SSL or Buy One.+    - 使用 ​[[https://​letsencrypt.org/​|Let's Encrypt(90天)]] ​or [[https://​www.comodo.com/​e-commerce/​ssl-certificates/​free-ssl-certificate.php|Comodo Trial SSL(90天)]] ​or Buy One.
     - 拿到正式憑證的 FQDN.crt 及 CA_bundle.crt (中繼憑證)     - 拿到正式憑證的 FQDN.crt 及 CA_bundle.crt (中繼憑證)
     - 將 PEM 格式換成 pkcs12 以便餵入 Windows     - 將 PEM 格式換成 pkcs12 以便餵入 Windows
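Review bot: the new PS2 warning against generating the key on an online site is the right call, and the CSR command in the same hunk deserves a companion note: `-nodes` writes FQDN.key to disk unencrypted, so the file should be created with restrictive permissions and removed from the signing machine once FQDN.pfx has been built and imported into Windows. The "(90天)" validity that this hunk adds to the Let's Encrypt and Comodo link text also means the certificate thumbprint changes on every renewal, so the import and the wmic registration step later on this page have to be repeated each time; worth saying so next to the links.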
Line 20: Line 21:
     - 清除所有空格後待用(ec975cc9954a452b1f030db33218b2ae860dca22)     - 清除所有空格後待用(ec975cc9954a452b1f030db33218b2ae860dca22)
   - 註冊憑證至 RDP 服務   - 註冊憑證至 RDP 服務
-    - 開始 -> cmd -> 使用管理員身分執行 +    - 開始 ​-> 搜尋 ​-> cmd -> 命令提示字元 ​-> 使用管理員身分執行 
-    - <code cmd>​C:​\WINDOWS\system32>​wmic /​namespace:​\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="​e2e8921bd451996df86fe47dbd4c9868ec0388cb"</​code>​+    - <code cmd>​C:​\WINDOWS\system32>​wmic /​namespace:​\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="​ec975cc9954a452b1f030db33218b2ae860dca22"</​code>​
     - 完成註冊後應該會顯示<​code>​正在更新 '​\\PCNAME\root\cimv2\TerminalServices:​Win32_TSGeneralSetting.TerminalName="​RDP-Tcp"'​ 的屬性     - 完成註冊後應該會顯示<​code>​正在更新 '​\\PCNAME\root\cimv2\TerminalServices:​Win32_TSGeneralSetting.TerminalName="​RDP-Tcp"'​ 的屬性
 屬性更新成功。</​code>​ 屬性更新成功。</​code>​
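Review bot: good fix replacing the thumbprint in the wmic command (e2e8921b...) with ec975cc9..., which now matches the value the preceding "清除所有空格後待用" line tells the reader to prepare; the remaining risk is that readers paste this example hash verbatim, so mark it as an example to be replaced with their own thumbprint. A quick check after the Set call is `wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash`, which should echo the value just set. Note also that SSLCertificateSHA1Hash is the SHA-1 thumbprint of the certificate (40 hex digits) even though the CSR was created with -sha256; that is expected, not an inconsistency, and the expanded "開始 -> 搜尋 -> cmd -> 命令提示字元 -> 使用管理員身分執行" path is clearer than the old one.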
Line 27: Line 28:
  
  
 +===== Step =====
 +  - Create a CSR (also including private key)
 +    * <code cmd>​$openssl req -new -newkey rsa:4096 -nodes -sha256 -out FQDN.sha256.csr -keyout FQDN.key </​code>​
 +    * PS: I usually generate key using unix-like os to do that. Please find the [[https://​www.openssl.org/​|openssl]] to do so.
 +    * PS2: :!: Caution! DO NOT USED ANY ONLINE WEB SITE TO DO THIS SETP!
 +  - Sign the Certificate
 +    - Using [[https://​letsencrypt.org/​|Let'​s Encrypt(90 days)]] or [[https://​www.comodo.com/​e-commerce/​ssl-certificates/​free-ssl-certificate.php|Comodo Trial SSL(90 days)]] or Buy One.
 +    - Get the signed certificate file: FQDN.crt and CA_bundle.crt (Intermediate Certificate)
 +    - Change certificate format from PEM to pkcs12 for feeding to Windows
 +      * <code cmd>​$openssl pkcs12 -export -out FQDN.pfx -inkey FQDN.key -in FQDN.crt -certfile CA_bundle.crt</​code>​
 +      * Enter password for protect file
 +  - Put certificate into Windows
 +    - Start -> Search -> cmd -> mmc -> Add/Remove Snap-in -> Certificates -> Add >
 +    - Computer account -> Local Computer -> Finish -> OK
 +    - Certificates(Local Computer) -> Personal -> Certificates
 +    - All task -> Import...
 +    - After import -> FQDN Double-click to open certificate -> Thumbprint -> Copy value (EX: ‎ec 97 5c c9 95 4a 45 2b 1f 03 0d b3 32 18 b2 ae 86 0d ca 22)
 +    - Remove all spaces (ec975cc9954a452b1f030db33218b2ae860dca22)
 +  - Register Certificate to RDP Service
 +    - Start -> Search -> cmd -> Command Prompt -> Run as administrator
 +    - <code cmd>​C:​\WINDOWS\system32>​wmic /​namespace:​\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="​ec975cc9954a452b1f030db33218b2ae860dca22"</​code>​
 +    - After success registered <​code>​Updating '​\\PCNAME\root\cimv2\TerminalServices:​Win32_TSGeneralSetting.TerminalName="​RDP-Tcp"'​ Attribute
 +Attributes update success.</​code>​
 +    - You do not do anything in following. RDP already using new certificate to serve. No annoying message anymore.
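Review bot: the "Remove all spaces" step in the Put-certificate section is not sufficient on its own: the thumbprint copied from the Windows certificate viewer (the example on the "Copy value" line visibly starts with an invisible left-to-right mark, U+200E, before "ec") carries that hidden character along, and the wmic Set call rejects the value unless it is stripped too; suggest "Remove all spaces and any invisible leading character" and advise retyping the first hex pair. Smaller points in the same hunk: "DO NOT USED ANY ONLINE WEB SITE TO DO THIS SETP!" should read "DO NOT USE ANY ONLINE WEB SITE FOR THIS STEP!"; "Let'​s Encrypt" has a stray soft hyphen inside the word; "After success registered" reads better as "After successful registration you should see"; and the closing "You do not do anything in following." appears to mean that no reboot or service restart is needed, which is worth stating plainly. Since the SHA-1 thumbprint in the wmic command is an example value, label it as such so readers substitute their own.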