Skygod68
Windows 2008r2 RDP Self Signed Certificate Replacement
Background:
I work as an Army DoD contractor server administrator. I received an Assured Compliance Assessment Solution (ACAS) hit for Plugin: SSL Self-Signed Certificate (57582). The ACAS tool automatically identifies configuration vulnerabilities that could threaten the security of the DoD's computer systems. The server is a physical Windows 2008r2 server. It is just running Backup Exec on it. The only place where I found a self signed cert is under:
mmc/certificate/computer/remote desktops/certificate
It's the certificate that is created when you first join the server to the domain. When you first RDP into the server, it always asks if you want to accept the cert.
I tried to remediate it by RDPing into a different server that has IIS on it.
IIS 7:
1. Run inetmgr
2. Click on the Server
3. Double click on Server Certificates
4. From the Actions menu: click on Create Certificate Request
This request will generate a file named certreq.txt
I then send that to DoD and they generate a key for me.
I then take that key and:
1. Run inetmgr
2. Click on the Server
3. Double click on Server Certificates
4. From the Actions menu: click on Complete Certificate Request
Then I exported the cert so I could install it on the server I needed to remediate.
I installed the certificate on the server with the ACAS hit. I put it in mmc/certificate/computer/remote desktops/certificate and placed the self-signed certificate in untrusted certificates. I then logged out of the server to verify the new certificate worked. When I first tried to RDP back into the server, it would not let me because it could not find the cert. I tried again after 30 seconds and it allowed me to log in, but it was using the self signed cert again. I looked back in mmc/certificate/computer/remote desktops/certificate and it had regenerated the same self signed cert. I verified this because the original cert that I placed in untrusted certificates was still there.
I even tried to go to Administrative Tools | Remote Desktop Services | Desktop Session Host Configuration
1. Right click the Connection
2. Select Properties
3. Click the General tab
4. Clicked Select right under Certificate (I got a popup that said, "There are no certificates Remote Desktop Session Host Server.")
So, the question is how do I get rid of the self signed cert and use the new cert I created for it. Do I need to install IIS on that server even though it is not a web server?
ASKER
There is something wrong with that site. It keeps locking up my computer every time I go to it.
Strange, seems to work fine on the systems I've tried it on. Here's the general information provided:
It is necessary to install the certificate on all of the RD Session Host servers manually. This is because there is no way to do this using the Server Manager GUI, and the certificate is not applied to session host servers automatically when configuring the certificates on the other roles.
Open the MMC and open the Certificates snapin
Add the Local Computer
Import the certificate into Computer\Personal
Open the certificate and find the thumbprint on the details tab. Copy the thumbprint to notepad and delete all the spaces.
Open up an elevated PowerShell prompt and write:
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="PASTE_THUMBPRINT_STRING"
You can check the certificate by running:
Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-Tcp'"
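The steps above (import into Computer\Personal, copy the thumbprint without spaces, write it to Win32_TSGeneralSetting, read it back) can be done as one script. The following is an added example written for this thread; it is not the asker's, the answerer's, or the linked article's code. It assumes the CA-issued certificate and its private key are already in the Local Computer Personal store (Cert:\LocalMachine\My), that it runs in an elevated PowerShell prompt on the RD Session Host, and that the $Thumbprint argument is a placeholder for the value from the certificate's Details tab. It uses the same WMI class and property as the wmic command above, and it adds the checks that explain the failure the asker saw, where the listener quietly falls back to the self-signed certificate when the chosen certificate is missing from the store or has no private key.

```powershell
# Added example for this thread (not the original poster's or the answerer's
# code, and not from the linked article): bind an imported CA-issued
# certificate to the RDP-Tcp listener on Windows Server 2008 R2 through the
# same WMI class the wmic command uses, with the checks that catch the usual
# reasons the listener falls back to the self-signed certificate.
#
# Assumptions: the certificate (with its private key) is already imported
# into the Local Computer "Personal" store (Cert:\LocalMachine\My), and this
# runs in an elevated PowerShell prompt on the RD Session Host. $Thumbprint
# is a placeholder argument: pass the value from the certificate's Details
# tab, with or without spaces.

param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

# The Details tab shows the SHA-1 thumbprint with spaces between bytes;
# WMI expects the bare 40-character hex string.
$cleanThumbprint = ($Thumbprint -replace '\s', '').ToUpper()
if ($cleanThumbprint -notmatch '^[0-9A-F]{40}$') {
    throw "Expected a 40-character SHA-1 thumbprint, got '$cleanThumbprint'"
}

# The listener reads the certificate from the computer's Personal store and
# needs its private key; a cert in the wrong store or without a key is
# ignored and the self-signed certificate comes back.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $cleanThumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $cleanThumbprint in Cert:\LocalMachine\My"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $cleanThumbprint has no private key; re-import it from a PFX"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $cleanThumbprint expired on $($cert.NotAfter)"
}

# Locate the RDP-Tcp listener's general settings (the object the thread's
# wmic command modifies) and write the new thumbprint into it.
$listener = Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace 'root\cimv2\TerminalServices' `
    -Filter "TerminalName='RDP-Tcp'"
if (-not $listener) {
    throw "RDP-Tcp listener not found in root\cimv2\TerminalServices"
}
Set-WmiInstance -Path $listener.__PATH `
    -Arguments @{ SSLCertificateSHA1Hash = $cleanThumbprint } | Out-Null

# Read the setting back rather than trusting the write; this is the same
# check the thread suggests, done as a pass/fail comparison.
$verify = Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace 'root\cimv2\TerminalServices' `
    -Filter "TerminalName='RDP-Tcp'"
if ($verify.SSLCertificateSHA1Hash -ne $cleanThumbprint) {
    throw "Listener still reports thumbprint '$($verify.SSLCertificateSHA1Hash)'"
}
Write-Output "RDP-Tcp now presents '$($cert.Subject)' (thumbprint $cleanThumbprint)"
```

Save it under any name (for instance Set-RdpCertificate.ps1, a name chosen here) and run it as `.\Set-RdpCertificate.ps1 -Thumbprint "<thumbprint from the Details tab>"`. Only new RDP connections pick up the change; a session that is already open keeps the certificate it negotiated. If a fresh connection still shows the self-signed certificate after the script reports success, the usual remaining cause on 2008 R2 is that the Remote Desktop Services account (NETWORK SERVICE) lacks Read permission on the certificate's private key, which is granted through "Manage Private Keys" on the certificate in the MMC.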
ASKER
After researching for countless days, I found the best way to fix my issue is what I stated. There might be an easier way but I have not found it, and my solution did remediate the servers I implemented this on.
The following link describes how to install the certificate for use by RDP sessions: http://www.msdonkey.com/server/install-and-configure-a-remote-desktop-certificate-on-rd-session-host-servers/