Mona Syed asked:
Replacing Self-Signed certificates

We have discovered a lot of certificates on servers as well as workstations that seem to be self-signed and also seem to be generated by some automated process.  We have confirmed that Group Policy is NOT triggering any of these certificates. I have a project to replace ALL self-signed certificates with ones created from our Internal PKI.

The majority of the server certificates are on either port 3389 or 443:

The 3389 certificates (around 1500):

1. These are 'all' self-signed (the Issuer and the Subject are the same), the validity period is 6 months, and they are 'all' valid (meaning not expired).

2. Does Windows create these certificates? What process triggers the creation of these Remote Desktop Services certificates?

3. Where are they stored? I can't find them. Will they be in the Computer or User store on the server?

4. What purpose do they serve? Can I delete them since they are self-signed? We are trying to replace all our self-signed certs with ones generated from our internal PKI.

The 443 certificates (around 1200):

1. The majority of these are also self-signed.

2. They have expiration dates in 2024, 2036, 2049, etc.

3. The issuer mostly has to do with 'vmware engineering' or something else related to VMware. Is VMware creating these certificates?

4. How do I remediate (delete/re-issue) these? I can't revoke any of them because they are self-signed.

5. The expiration date is in the future, but how do I know for sure if the certificate is actually being used?

Thank you.  Mona.
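One way to answer the "where are they stored" and "is it actually being used" questions in the post above, as an added example that is not part of the original thread. It is PowerShell for the Windows hosts the post describes: it walks every Local Computer certificate store for certificates whose Issuer equals their Subject, then marks the ones currently presented by the RDP-Tcp listener (read from the standard Win32_TSGeneralSetting WMI class) or bound in HTTP.sys (read from netsh output). The function names are my own; the store paths, WMI class and netsh output format are standard Windows ones.

```powershell
# Added example, not from the thread. Inventory self-signed certificates in
# every Local Computer store and flag the ones a listener on this host is
# actually presenting. Run in an elevated PowerShell session on the host.

function Get-SelfSignedMachineCert {
    # Walk every LocalMachine store: Personal ("My"), "Remote Desktop",
    # "WebHosting" and the rest. Self-signed means Issuer equals Subject.
    Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Subject -eq $_.Issuer } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = ($_.PSParentPath -replace '^.*::LocalMachine\\', '')
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
            }
        }
}

function Get-RdpListenerThumbprint {
    # The RD listener records the SHA-1 hash of the certificate it presents.
    (Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
}

function Get-HttpSysThumbprint {
    # netsh prints one "Certificate Hash : <40 hex chars>" line per binding.
    netsh http show sslcert | ForEach-Object {
        if ($_ -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { $Matches[1].ToUpper() }
    }
}

function Get-PresentedCertThumbprint {
    # Connect to a TLS port and read the certificate the listener actually
    # serves. Useful for services that load their certificate from a file
    # rather than the Windows store (many VMware components do). The
    # validation callback accepts anything because the goal is to inspect
    # the certificate, not to trust it.
    param([string]$ComputerName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $cert.Thumbprint
    } finally { $tcp.Close() }
}

# Build the report: every self-signed cert, with the listener(s) using it.
$rdpHash    = Get-RdpListenerThumbprint
$httpHashes = @(Get-HttpSysThumbprint)

Get-SelfSignedMachineCert | ForEach-Object {
    $usedBy = @()
    if ($_.Thumbprint -eq $rdpHash)          { $usedBy += 'RDP-Tcp listener' }
    if ($httpHashes -contains $_.Thumbprint) { $usedBy += 'HTTP.sys binding' }
    $_ | Add-Member -NotePropertyName UsedBy -NotePropertyValue ($usedBy -join ', ') -PassThru
} | Sort-Object UsedBy -Descending | Format-Table -AutoSize

# Spot-check a port: compare what the listener serves with the thumbprints above.
# Get-PresentedCertThumbprint -ComputerName $env:COMPUTERNAME -Port 443
```

A certificate that appears in neither column is not proven unused: a service can load its certificate from a file or from its own store, which is why the last function probes the port and reports what is really handed out during the TLS handshake. Comparing that thumbprint against the inventory is the only reliable way to tell whether a given self-signed certificate is live before deleting it.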
Hemil Aquino replied:
Hello there,

Does Windows create these certificates?

Yes, every time a user connects via RDP, Windows creates a self-signed certificate for RDP use.

Where are they stored?

Certificate store: run mmc, add a new snap-in and then select Certificates.

The issuer mostly has to do with 'vmware engineering' or something else related to VMware. Is VMware creating these certificates?

Every time a user tries to connect to HTTPS or RDP it gets generated. I don't know why you have so many, but you can delete them all.

How do I remediate (delete/re-issue) these? I can't revoke any of them because they are self-signed.

Right-click and select Delete or the related option. Same with Revoke.

The expiration date is in the future, but how do I know for sure if the certificate is actually being used?

Any self-signed certificate can be deleted and re-created; just make sure which one you delete. Simple.

Cheers,
arnold replied:

With all that said, one option is to set up an internal CA if certificate validity is the issue.
VMware also uses self-signed certs for hosts...

Certificates can be of different types and serve different functions.

My suggestion is define what it is you want to achieve and then work towards it.


As noted, in Windows you can set up one VM as a root CA that is mostly offline, and two VMs as issuing CAs whose certificates are signed by the root.
The root CA could be valid for 5-10 years, the issuing CAs 3-5 years, and clients will get certs of up to 2 years.

....

Re the question of where: it depends on the type. System certs are in the computer store; user-based certs are in the user store.

It is rare, though possible that a service could have a cert in its store.
Mona Syed (asker) replied:
Hi Hemil/Arnold,

I cannot get the Certificates snap-in to show Certificates (Local Computer) on workstations. I don't even get the dialog to select 'Local Computer'; it only shows Certificates (Current User). I can get to Certificates (Local Computer) only on servers, not workstations. Why is that?

We already have an internal PKI and we do have a GPO set up to auto-enroll Workstation Authentication (Server Authentication, Client Authentication), Server Authentication (Client Authentication, Server Authentication) and RemoteDesktopAuthentication (RDP Secure Channel). But in addition to these GPO auto-enrolled certificates from our internal PKI, Windows is still creating a 'self-signed' certificate for the same purpose. I can delete the existing certs, but how do I put an end to this or disable Windows from auto-generating these RDP certificates?

As for the VMware certificates, I want to create certificates from our internal PKI and replace the ones that VMware has created, and once this is in place, how do I stop VMware from creating any more self-signed certificates?

Thanks.  Mona.
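The remediation for the 3389 side of the follow-up above, as an added example that is not part of the original thread: bind the RDP-Tcp listener to the certificate the internal PKI already auto-enrolled, so the listener stops presenting the self-signed one. It is PowerShell for the Windows hosts described in the thread; it assumes a certificate carrying the Remote Desktop Authentication EKU (OID 1.3.6.1.4.1.311.54.1.2) with its private key is present in the Local Computer Personal store, which is what the RemoteDesktopAuthentication template mentioned in the post provides. The function names are my own; the WMI class and property are the standard Windows ones.

```powershell
# Added example, not from the thread. Point the RDP-Tcp listener at an
# internal-PKI certificate instead of the auto-generated self-signed one.
# Run in an elevated PowerShell session on the target host.

$RdpAuthEku = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication EKU

function Test-CertHasEku {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($usage in $ext.EnhancedKeyUsages) {
                if ($usage.Value -eq $Oid) { return $true }
            }
        }
    }
    return $false
}

function Get-RdpCandidateCert {
    # Newest unexpired, CA-issued (not self-signed) certificate that has a
    # private key and the RDP EKU. A self-signed cert is excluded on purpose.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.Subject -ne $_.Issuer -and
            $_.NotAfter -gt (Get-Date) -and
            (Test-CertHasEku -Cert $_ -Oid $RdpAuthEku)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Set-RdpListenerCert {
    # Write the thumbprint into the listener's SSLCertificateSHA1Hash, then
    # read it back so the caller can confirm the change actually applied.
    param([string]$Thumbprint)
    $ns = 'root\cimv2\TerminalServices'
    $ts = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
    Set-CimInstance -InputObject $ts -Property @{ SSLCertificateSHA1Hash = $Thumbprint }
    (Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
}

$cert = Get-RdpCandidateCert
if (-not $cert) {
    throw 'No internal-PKI certificate with the Remote Desktop Authentication EKU in Cert:\LocalMachine\My'
}
# Verify() builds the chain against this host's trust store, so a cert from a
# CA the host does not trust is rejected before it is bound.
if (-not $cert.Verify()) {
    throw "Certificate $($cert.Thumbprint) does not chain to a trusted root on this host"
}

$bound = Set-RdpListenerCert -Thumbprint $cert.Thumbprint
if ($bound -ne $cert.Thumbprint) {
    throw "Listener still reports $bound; binding did not apply"
}
"RDP-Tcp now presents $($cert.Subject) ($($cert.Thumbprint)), issued by $($cert.Issuer), expires $($cert.NotAfter)"
```

Two things the block does not do: the listener runs as NETWORK SERVICE, which needs read access to the certificate's private key, so a certificate enrolled by hand (rather than by the Remote Desktop Configuration service) may need that ACL granted first; and a binding made this way is per host, so for fleet-wide enforcement the Group Policy setting "Server authentication certificate template" (under Remote Desktop Session Host > Security) is the place to name the RemoteDesktopAuthentication template, after which the listener uses the template certificate rather than the self-signed fallback. Existing self-signed certificates in the "Remote Desktop" store can then be removed once the inventory shows nothing presenting them.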
Run mmc. Once in, go to File > Add/Remove Snap-ins and then to the Certificates snap-in; you may need to run mmc as administrator.
You might be hitting a saved certificate .mmc that was created for the user only.


I think there is an option on the VMware host to generate a CSR.

See the following; it includes topics for vSphere and others:
https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.psc.doc/GUID-B30DB07E-C819-4730-A60A-21D05026E052.html