Using CA signed certificate for Vista Remote Desktop

Matt

I've just learned about StartSSL and thought I'd try to get a TLS
certificate that I can use to authenticate and set up encryption on my
Vista Business Remote Desktop Server. I see that it automatically
generates a self-signed certificate. I've tried to generate a
certificate and private key with StartSSL, but I can't find an option
to make Vista use them. (Right now I have the public certificate
imported, but don't see an option to import the private key as well).
I'd also appreciate if someone could point me to some documentation on
how to do this with Server 2003 as well.
 
Silvia Doomra [MSFT]

This is the reply I got from one of my colleagues:
Hmm.. "Vista Business Remote Desktop Server" is it a server or client SKU?
Also, I don't know what StartSSL is, some tool for creating certificates?

In general, to be suitable for use with Remote Desktop, a certificate
should have the following characteristics:
1. It needs to be installed, along with its private key, into the local
computer's (not user's) "Personal" (My) certificate store.
2. The EKU must be either "Server Authentication" or
"1.3.6.1.4.1.311.54.1.2" (a special TS EKU).
3. It should not be expired (obviously).

On server SKUs you can use tsconfig.msc to select the certificate. Note:
tsconfig will only allow you to select usable certificates (see criteria
above).
On client SKUs you can put the thumbprint of the certificate directly into
the registry as a "SSLCertificateSHA1Hash" binary value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"SSLCertificateSHA1Hash"=hex:65,53,29,d2,56,fb,f0,2a,d6,75,d9,08,61,2d,72,36,9c,26,5c,71
(the value is just an example).

To be able to import a certificate's private key, it must be exported
together with its private key.
And, as far as I know, you can only export the private key of a certificate
created with an exportable private key in the first place.

Thx,
Sergey.


"Matt" wrote in message
news:26971083-2dda-475e-8bcb-604ffc393100@m38g2000yqd.googlegroups.com...
> I've just learned about StartSSL and thought I'd try to get a TLS
> certificate that I can use to authenticate and set up encryption on my
> Vista Business Remote Desktop Server. I see that it automatically
> generates a self-signed certificate. I've tried to generate a
> certificate and private key with StartSSL, but I can't find an option
> to make Vista use them. (Right now I have the public certificate
> imported, but don't see an option to import the private key as well).
> I'd also appreciate if someone could point me to some documentation on
> how to do this with Server 2003 as well.
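The steps Sergey lists (import the certificate with its private key into the local computer's Personal store, check the EKU and expiry, then bind it by thumbprint on a client SKU) can be scripted from an elevated PowerShell prompt. The script below is an added example, not part of the thread or of any Microsoft tooling: the PFX path is a placeholder, the function name Test-RdpCertificate is mine, and Import-PfxCertificate is assumed to be available (it ships with the PKI module on Windows 8 / Server 2012 and later; on Vista or Server 2003 the import step is done with the Certificates MMC snap-in or certutil instead, and the rest of the script still applies).

```powershell
# Added example (not from the thread). Run elevated on a client SKU.
$pfxPath = 'C:\path\to\rdp-cert.pfx'   # placeholder: PFX exported together with its private key
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# OIDs from the thread: Server Authentication, and the special Terminal Server EKU.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$tsOid         = '1.3.6.1.4.1.311.54.1.2'

# 1. Import certificate + private key into the LOCAL COMPUTER "Personal" (My) store.
#    (Assumed cmdlet; use the Certificates MMC snap-in on older systems.)
$password = Read-Host -AsSecureString 'PFX password'
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $password | Out-Null

# 2. Check the usability criteria from the reply: private key present, inside the
#    validity period, and EKU is Server Authentication or the TS EKU.
function Test-RdpCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now  = Get-Date
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    return ($Cert.HasPrivateKey -and
            $Cert.NotBefore -le $now -and $Cert.NotAfter -gt $now -and
            (($oids -contains $serverAuthOid) -or ($oids -contains $tsOid)))
}

$usable = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { Test-RdpCertificate $_ }
if (-not $usable) { throw 'No certificate in LocalMachine\My meets the RDP criteria.' }
$cert = $usable | Sort-Object NotAfter -Descending | Select-Object -First 1
Write-Host "Binding RDP listener to $($cert.Subject) ($($cert.Thumbprint))"

# 3. Convert the SHA-1 thumbprint (40 hex chars) to the 20-byte REG_BINARY value
#    that SSLCertificateSHA1Hash expects, and write it.
$thumb = $cert.Thumbprint
$bytes = New-Object byte[] ($thumb.Length / 2)
for ($i = 0; $i -lt $bytes.Length; $i++) {
    $bytes[$i] = [Convert]::ToByte($thumb.Substring(2 * $i, 2), 16)
}
Set-ItemProperty -Path $regPath -Name 'SSLCertificateSHA1Hash' -Value $bytes -Type Binary

# 4. Read it back and compare with the selected certificate to catch a partial write.
$stored = (Get-ItemProperty -Path $regPath -Name 'SSLCertificateSHA1Hash').SSLCertificateSHA1Hash
$storedHex = ($stored | ForEach-Object { $_.ToString('X2') }) -join ''
if ($storedHex -ne $thumb) { throw 'Registry thumbprint does not match the selected certificate.' }
Write-Host 'SSLCertificateSHA1Hash set; restart the Remote Desktop Services service to apply.'
```

The check in step 2 mirrors tsconfig's filter on server SKUs, so the script refuses to bind a certificate that the listener would not accept anyway. One further requirement not mentioned in the thread: the account the Remote Desktop service runs under (NETWORK SERVICE) must have read access to the certificate's private key, which is granted through "Manage Private Keys" in the Certificates MMC snap-in; without it the listener silently falls back to the self-signed certificate.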
 