Certificates for Logging onto remote desktop

Doug Poulin asked:
I get this error whenever I try to log on to our Remote Desktop (Windows 2008):
"The remote computer could not be authenticated due to problems with its security certificate."

Now the certificate is a self-signed one for the server, and I want to replace it with a "real" one. I know how to purchase a certificate and install it for our Linux web server. I've looked at the certificate store MMC snap-in, but I'm not really sure what to do (or where to do it) to install a certificate to resolve this error.

Anyone with a Windows box can tick a checkbox to allow them to ignore this error, but the Mac world does not, and 40% of our clients are running Macs.

If anyone has step by step instructions, or a link to a real good guide for this, I would appreciate it.
All you need is to create a certificate request anywhere (meaning on any server) for the name you want to use for this server (e.g. my2008.yourcompany.com). Once you have the request, get it issued by a well-known third-party authority (Verisign, Entrust, RapidSSL, whatever) and then install it on the server where you created the request.
Once that is done, EXPORT it with the private key and then simply import it on the 2008 box.
Finally, launch the TS/RDS Session Host Configuration tool and on the RDP-Tcp listener select the new certificate you just imported.

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP

Author

Commented:
I'm waiting for a window where I can get access to the machine long enough to install the certificates.  Should be within the next week.  I will assign points once I've proved that it works.

Author

Commented:
OK, I'm ready but now need more guidance. I've got the certificate MMC snap-in open. I've asked to manage certificates for a service. I've picked Remote Desktop Services. Now I'm ready to import but I'm not sure which section to import it into. I think Personal would be the right choice, but it could also be Enterprise Trust. Which one do I use?

Author

Commented:
Ran through it again on my second Remote Desktop server. I chose "pick the location based on certificate type", but although it said it imported the certificate, it doesn't show up anywhere in my certificate store. Would it have put it into a different service like IIS instead? We don't run a web server on this machine.

Author

Commented:
After installing the certificates, I'm still getting the following error. What next?
[attachment: certificate.jpg]

Author

Commented:
When I go to the Remote Desktop Session Host Configuration, RDP-Tcp, and try to select a different certificate, it comes back saying there are no certificates installed. So I infer from this that I've imported the certificates to the wrong service. So what is the right service to apply when running the MMC certificate snap-in?

Author

Commented:
This is beginning to feel like a blog. I figured out that you had to run the snap-in against the computer (not the service). This allowed me to find the existing self-signed certificate. I've imported the new authentic certificate, but when I go to the RDP-Tcp properties and click on the Select button for a certificate, it comes back saying there are no certificates installed on this Remote Desktop Session Host server. Do I have to reboot or restart the RDP service in order to see the new certificates?
Your issue is simple. When you export the certificate from the machine where the request was created, you MUST export the private key with it (as I stated on my first post). If you do NOT export with the private key you can certainly import it on the RDS but it will NEVER show up as a certificate that can be used.
Once you do it properly, there is no need for a reboot of any sort. The certificate will simply show up there and you will be able to select it for the RDP-tcp listener.

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP

Author

Commented:
Thanks. We're mostly a Linux shop, so when we generate a certificate we end up with two separate files: one for the certificate and one for the RSA key. Under Windows I'm not sure of the format or filename conventions that would be needed. I put the RSA key in a separate file ending in .key, but that didn't work. I've tried appending the key to the bottom of the certificate file, but that doesn't appear to work either.

So I still need a bit more help.

Author

Commented:
I followed a thread from another question and ran the following command:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt

I took the certificate.pfx file and put it on the Windows server. When I ran the import, it asked for the password for the private key, which I entered. It then said the import was successful. The certificate shows up in the certificate snap-in under Console Root\Certificates (Local Computer)\Remote Desktop\Certificates. When I open the certificate it says I have a private key associated with the certificate. But, alas, Remote Desktop Session Host Configuration still says there are no certificates defined.

So what next?
Commented:
With a little more digging and trial and error I got it working. It turns out that the key has to be put into the following location:

Certificates (Local Computer)\Personal\Certificates

You need to be logged in as the administrator. If you import the .pfx file into here, then it will show up in the Remote Desktop Session Host server.
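
Putting the thread's resolution together, here is an added example (not code from the original thread, nor from either participant) that does on the RDS host what the posts above describe by hand: load the PFX built with `openssl pkcs12 -export`, confirm the private key and the Server Authentication usage are actually present, import it into Certificates (Local Computer)\Personal, and bind it to the RDP-Tcp listener without opening the Session Host Configuration dialog. It assumes PowerShell 2.0 in an elevated prompt on the Windows 2008 host and that the PFX sits at C:\certs\rds.pfx; that path and the default listener name RDP-Tcp are assumptions.

```powershell
# Added example, not from the original thread. Assumptions: the PFX made with
# "openssl pkcs12 -export" sits at C:\certs\rds.pfx, the listener is the default
# RDP-Tcp, and this runs in an elevated PowerShell on the Windows 2008 RDS host.
$PfxPath     = 'C:\certs\rds.pfx'
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Load the PFX as a machine-scoped key that persists after this session ends.
# Without PersistKeySet the private key is discarded when the object goes away,
# which reproduces the symptom from the thread: certificate visible, key gone.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor `
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $PfxPath, $PfxPassword, $flags

# Check 1: the PFX must carry the private key, or the listener will never list it.
if (-not $cert.HasPrivateKey) {
    throw "PFX at $PfxPath has no private key; rebuild it with -inkey on the Linux side."
}

# Check 2: the RDP listener only accepts certificates with the Server Authentication EKU.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$eku = $cert.Extensions |
       Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $false
if ($eku) {
    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true }
    }
}
if (-not $hasServerAuth) {
    throw "Certificate $($cert.Subject) lacks the Server Authentication EKU ($serverAuthOid)."
}

# Import into Certificates (Local Computer)\Personal ('My' in LocalMachine), the
# store the thread ended up using; the per-service "Remote Desktop" store is not
# where the listener looks for selectable certificates.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()

# Bind the certificate to the RDP-Tcp listener through the TerminalServices WMI
# class. This writes the same setting the dialog's Select button does.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                          -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$listener.SSLCertificateSHA1Hash = $cert.Thumbprint
$listener.Put() | Out-Null

# Read the value back so a silently ignored write is caught.
$bound = (Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($bound -ne $cert.Thumbprint) {
    throw "Listener still uses thumbprint $bound, expected $($cert.Thumbprint)."
}
"RDP-Tcp now uses $($cert.Subject) (thumbprint $($cert.Thumbprint))"
```

Two caveats a practitioner will want when the listener still refuses the certificate after this. First, the Remote Desktop Services service runs as NETWORK SERVICE, which needs Read permission on the private key; grant it from the certificate's context menu in the Local Computer snap-in (All Tasks, Manage Private Keys) if the key was imported with only SYSTEM and Administrators on its ACL. Second, if the CA issues through an intermediate, add `-certfile intermediate.crt` to the `openssl pkcs12 -export` command shown earlier so the intermediate is imported alongside the server certificate; otherwise Windows cannot build the chain and Mac clients, which have no "ignore" checkbox, will keep failing.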

Author

Commented:
While his answer was technically correct, it contained so little detail that it required a whole lot more digging and trial and error in order for the problem to get resolved.