
Using a Proper CA-issued Certificate for the Windows RDP Service

Jotting down the steps

  1. Generate the certificate (CSR plus private key)
    • $ openssl req -new -newkey rsa:4096 -nodes -sha256 -out FQDN.sha256.csr -keyout FQDN.key
    • PS1: I'm used to generating certificates on a non-Windows machine, so for this part find yourself a copy of openssl to run it.
    • PS2: :!: Caution! Do not use any online website for the key-generation step!
  2. Sign the certificate
    1. Obtain the issued certificate FQDN.crt and CA_bundle.crt (the intermediate certificate)
    2. Convert the PEM files into PKCS#12 so they can be fed into Windows
      • $ openssl pkcs12 -export -out FQDN.pfx -inkey FQDN.key -in FQDN.crt -certfile CA_bundle.crt
      • Enter a password to protect the file
  3. Put the certificate into Windows
    1. Start → cmd → mmc → Add/Remove Snap-in → Certificates → Add
    2. Computer account → Local computer → Finish → OK
    3. Certificates (Local Computer) → Personal → Certificates
    4. Action → All Tasks → Import
    5. After the import succeeds → double-click FQDN to open the certificate → Thumbprint → copy the value (e.g. ec 97 5c c9 95 4a 45 2b 1f 03 0d b3 32 18 b2 ae 86 0d ca 22)
    6. Remove all spaces and keep the result for later (ec975cc9954a452b1f030db33218b2ae860dca22)
  4. Register the certificate with the RDP service
    1. Start → Search → cmd → Command Prompt → Run as administrator
    2. C:\WINDOWS\system32>wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="ec975cc9954a452b1f030db33218b2ae860dca22"
    3. After registration completes it should display
      正在更新 '\\PCNAME\root\cimv2\TerminalServices:Win32_TSGeneralSetting.TerminalName="RDP-Tcp"' 的屬性
      屬性更新成功。
    4. Nothing further needs to be done; RDP will use the new certificate from now on, and the annoying certificate warning dialog will never show up again.
  1. Create a CSR (this also generates the private key)
    • $ openssl req -new -newkey rsa:4096 -nodes -sha256 -out FQDN.sha256.csr -keyout FQDN.key
    • PS: I usually generate the key on a Unix-like OS. Please find openssl to do so.
    • PS2: :!: Caution! DO NOT USE ANY ONLINE WEB SITE FOR THIS STEP!
  2. Sign the Certificate
    1. Get the signed certificate files FQDN.crt and CA_bundle.crt (the intermediate certificate)
    2. Convert the certificate from PEM to PKCS#12 so it can be fed into Windows
      • $ openssl pkcs12 -export -out FQDN.pfx -inkey FQDN.key -in FQDN.crt -certfile CA_bundle.crt
      • Enter a password to protect the file
  3. Put certificate into Windows
    1. Start → Search → cmd → mmc → Add/Remove Snap-in → Certificates → Add >
    2. Computer account → Local Computer → Finish → OK
    3. Certificates(Local Computer) → Personal → Certificates
    4. Action → All Tasks → Import…
    5. After the import → double-click FQDN to open the certificate → Thumbprint → copy the value (e.g. ec 97 5c c9 95 4a 45 2b 1f 03 0d b3 32 18 b2 ae 86 0d ca 22)
    6. Remove all spaces (ec975cc9954a452b1f030db33218b2ae860dca22)
  4. Register Certificate to RDP Service
    1. Start → Search → cmd → Command Prompt → Run as administrator
    2. C:\WINDOWS\system32>wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="ec975cc9954a452b1f030db33218b2ae860dca22"
    3. After successful registration it should display
      Updating '\\PCNAME\root\cimv2\TerminalServices:Win32_TSGeneralSetting.TerminalName="RDP-Tcp"' Attribute
      Attributes update success.
    4. Nothing further is needed. RDP is already serving with the new certificate, and the annoying warning no longer appears.
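Steps 3 and 4 above (import the PFX, copy the thumbprint by hand, strip the spaces, feed it to wmic) can be done in one PowerShell session on the RDP host, with a verification that the listener really picked up the new certificate. This is an added example, not part of the original note; it assumes the PFX produced by the openssl pkcs12 step lives at C:\certs\FQDN.pfx (a made-up path) and must be run from an elevated PowerShell.

```powershell
# Added example: automate the MMC import + wmic registration from the note above.
# Assumed input: C:\certs\FQDN.pfx (the file from "openssl pkcs12 -export") and its password.
$PfxPath     = 'C:\certs\FQDN.pfx'                      # assumed path, adjust to taste
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Step 3 equivalent: import into Certificates (Local Computer) -> Personal.
# Keep only the end-entity certificate (the one that carries the private key).
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $PfxPassword |
        Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key found in the PFX; re-export with -inkey FQDN.key.' }

# .Thumbprint is already the SHA-1 hex string without spaces, i.e. the value the note
# has you copy from the dialog and strip by hand.
$thumb = $cert.Thumbprint
if ($thumb -notmatch '^[0-9A-Fa-f]{40}$') { throw "Unexpected thumbprint format: $thumb" }

# Sanity check before binding: if the chain does not validate here, clients will still
# see the warning, which usually means CA_bundle.crt was missing from the PFX.
if (-not (Test-Certificate -Cert $cert -Policy SSL -ErrorAction SilentlyContinue)) {
    Write-Warning "Chain for $($cert.Subject) does not validate on this host; check CA_bundle.crt."
}

# Step 4 equivalent of:
#   wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="..."
$ns = 'root\cimv2\TerminalServices'
$ts = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-CimInstance -InputObject $ts -Property @{ SSLCertificateSHA1Hash = $thumb }

# Verify the binding took: read the setting back and compare with what was imported.
$configured = (Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting `
                               -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($configured -ne $thumb) { throw "RDP-Tcp reports $configured, expected $thumb" }
Write-Host "RDP-Tcp now presents $($cert.Subject) ($thumb), valid until $($cert.NotAfter)"
```

No service restart is needed, matching the note; the next incoming connection gets the new certificate. If the listener keeps presenting the old self-signed certificate after this, the usual cause is that the NETWORK SERVICE account (which the Remote Desktop Services listener runs as) has no read permission on the imported private key; grant it read access to the key in the certificate's Manage Private Keys dialog and reconnect.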