Solved

Certificate for Remote Desktop using a Comodo Multi-domain certificate

Posted on 2013-12-27
1,325 Views
Last Modified: 2014-02-19
I have a UC certificate from Comodo which allows us to have certificates for a number of servers and domains included in one file.

This works well on our Apache web server (Linux server).  I want to use the same certificate in Remote Desktop under Windows 2012.  I've exported it as a .pfx file and told Remote Desktop to use this certificate.

openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt

The problem I have is that when people connect they get a certificate error message that says the server name in the certificate is wrong.  It picks the first server name in the certificate and displays that name.  It doesn't appear to understand that it's elsewhere in the certificate.

Not sure how to fix this.  Is there a way to create the pfx file with just the hostname that I need?  Would it work if I used the certificate and not a pfx file?
Question by:geekdad1
9 Comments
LVL 14

Expert Comment

by:JAN PAKULA
ID: 39742390
If it's not a wildcard cert like *.domainname.com,

this certificate would have to be a SAN cert to work properly.

Does it have a Subject Alternative Name (SAN) control?

http://www.digicert.com/subject-alternative-name.htm

How to request a SAN cert on Windows:

http://technet.microsoft.com/en-us/library/ff625722(WS.10).aspx

Are the problematic clients with cert errors Windows 2003 servers?

If so, read this:

http://support.microsoft.com/kb/931351

2003 doesn't support SAN out of the box.
LVL 1

Author Comment

by:geekdad1
ID: 39742783
Turns out I needed to use a slightly different openssl command to generate the pfx file.

openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile server.ca-bundle

I didn't originally get the bundle file; I had to request it.  Once I got it, the procedure worked perfectly.
LVL 14

Expert Comment

by:JAN PAKULA
ID: 39742906
Brill, you got it sorted.
LVL 1

Author Comment

by:geekdad1
ID: 39746572
New question on same issue, if that's allowed.  I have another server 2012 server, that is our active directory server and we (admins) use remote desktop to get onto it.  So it's not part of the remote desktop server farm.  However I need to know where to install the certificate on it.  What I did in the past was use the certificate snapin, and import it into the personal/certificates section.  That doesn't seem to be correct.  Where do I install a certificate manually in this instance?
LVL 14

Expert Comment

by:JAN PAKULA
ID: 39747162
Into your COMPUTER/PERSONAL store on the server, and import the intermediary cert as well.

Plus, follow this:

http://community.spiceworks.com/how_to/show/15809-dealing-to-the-annoying-certificate-errors-and-multiple-credential-requests-in-remote-desktop-services-2008-r2
LVL 1

Author Comment

by:geekdad1
ID: 39747278
I'm using the .pfx file that I setup for the other server (see above)
I have a bundle file that presumably helps with this problem and I used it when creating the .pfx file

I deployed the certificate on the actual remote desktop server and it works fine.  I just need to know how to deploy it manually for this server.

I read the link above, but alas it only applies to server 2008.  In 2012 they've removed the remote desktop host configuration utility.
LVL 14

Accepted Solution

by: JAN PAKULA (earned 2000 total points)
ID: 39747949
LVL 1

Author Comment

by:geekdad1
ID: 39748623
Yes, it is part of the domain.  But this server will not be part of the RDS server pool.  I just need to get to it remotely using Terminal Services.  The fact that I get a certificate error is annoying but not critical to the operation, since only the admins will have access to this machine.  My preference is to keep it separated from the pool that the general public will use, so the above solution doesn't work in my case.
LVL 14

Expert Comment

by:JAN PAKULA
ID: 39748738
Yup, I know, Microsoft shot itself in the leg doing that :)
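For the stand-alone Server 2012 host discussed above (domain-joined, not in the RDS pool, no Remote Desktop Session Host Configuration MMC any more), the following PowerShell script is an added example and not code posted in this thread. It imports the .pfx that was built with -certfile into the computer's Personal store, checks that the file actually carries the intermediate chain and that the host's FQDN is in the SAN list (the two things that produced the errors described above), then points the RDP-Tcp listener at the certificate through the Win32_TSGeneralSetting WMI class, which is what the 2008 R2 MMC used to set for you. The PFX path, export password and host name are assumptions; it needs an elevated shell and the PKI module that ships with Server 2012.

```powershell
# Added example, not from the thread. Bind a PFX (leaf + intermediates) to the
# RDP-Tcp listener on a stand-alone Windows Server 2012 host.
# Assumed inputs: path, password and FQDN below. Run elevated.
param(
    [string]$PfxPath  = 'C:\certs\server.pfx',   # assumed: PFX built with -certfile
    [string]$PfxPass  = 'changeit',              # assumed: export password
    [string]$HostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$secPass = ConvertTo-SecureString -String $PfxPass -AsPlainText -Force

# 1. Inspect the PFX before importing. EndEntityCertificates is the leaf,
#    OtherCertificates are the intermediates from the CA bundle. A PFX made
#    without -certfile has none, and clients then see an untrusted chain.
$pfx  = Get-PfxData -FilePath $PfxPath -Password $secPass
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) { throw "No end-entity certificate found in $PfxPath" }
if ($pfx.OtherCertificates.Count -eq 0) {
    Write-Warning "No intermediate certs in PFX; rebuild it with 'openssl pkcs12 -export ... -certfile server.ca-bundle'"
}

# 2. Name check. mstsc validates the name clients type against the SAN list
#    (OID 2.5.29.17), so the FQDN admins connect to must appear there.
$sanExt  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
if ($sanText -notmatch [regex]::Escape($HostFqdn)) {
    Write-Warning "SAN list [$sanText] does not contain $HostFqdn; expect a name mismatch when connecting to that name"
}

# 3. Import into the computer's Personal store (Cert:\LocalMachine\My).
#    Keep the cert that carries the private key; that is the one RDP must use.
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $secPass
$thumb = ($imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1).Thumbprint
if (-not $thumb) { throw "Import succeeded but no certificate with a private key was returned" }

# 4. Bind the listener. SSLCertificateSHA1Hash on Win32_TSGeneralSetting is the
#    same property the 2008 R2 Session Host Configuration MMC wrote.
$ns   = 'root\cimv2\TerminalServices'
$path = (Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").__PATH
Set-WmiInstance -Path $path -Arguments @{ SSLCertificateSHA1Hash = $thumb } | Out-Null

# 5. Read it back rather than trusting the call; a silent failure here leaves
#    the self-signed listener cert in place and the warning keeps appearing.
$check = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($check.SSLCertificateSHA1Hash -ne $thumb) {
    throw "RDP-Tcp still presents thumbprint $($check.SSLCertificateSHA1Hash)"
}
"RDP-Tcp now presents $($leaf.Subject) (thumbprint $thumb)"
```

Two caveats a practitioner will hit: the Remote Desktop service runs as NETWORK SERVICE, so if the binding takes but clients still get the self-signed certificate, grant that account Read on the private key (certlm.msc, All Tasks > Manage Private Keys); and the intermediates must be present in the machine's Intermediate Certification Authorities store as well as in the PFX for the chain to build on a host with no outbound access to fetch them by AIA.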