Windows Server 2012 R2 Workgroup Server - Replacing Self-Signed Certificate (Terminal Services)

JWEllis

I have run into an issue with replacing a Self-Signed Certificate on a Workgroup server for RDP authentication purposes. Nessus Plugin numbers 42873, 51192, 57582, 65821, 83875 are all related to this effort.


OS: Windows Server 2012 R2 Datacenter, 1TB RAM, 64 CPUs

Domain: Workgroup

No IIS, Webpage, etc. are installed on this workgroup server. Its only role is that of a Hyper-V Host Server


Working with the client, who has an internal CA, I obtained a Certificate for Server Authentication Purposes to replace the Self-Signed Certificate generated by the OS automatically. I have successfully imported the client-provided Certificate into the Certificates (Local Computer) --> Personal --> Certificates location.


I copied out the thumbprint for the new certificate to use in the following commands.


PowerShell

$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="ThumbprintValue"}


Admin CMD Window

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="ThumbprintValue"


C:\Windows\system32>wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="ThumbprintValue"
Updating property(s) of '\\Server\root\cimv2\TerminalServices:Win32_TSGeneralSetting.TerminalName="RDP-Tcp"'
Property(s) update successful.


Despite what appears to have been a successful import and registry change, when I attempt to RDP to the workgroup server I am still presented with the OS Self-Signed Certificate vice the imported certificate. The imported certificate is signed with the SHA256 RSA algorithm and has a Signature hash algorithm of SHA256.


I was wondering if the registry setting should be modified from SSLCertificateSHA1Hash to SSLCertificateSHA256Hash since the certificate is signed using SHA256. Additionally, what is the method to suppress the generation of Self-Signed certificates on a 2012 R2 Workgroup server?


Any guidance that can be provided is greatly appreciated.


Jerry Ellis
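
A read-only check of the binding described in the post, added here as an example and not part of the original post. It relies on the fact that a Windows certificate thumbprint is the SHA-1 digest of the encoded certificate, independent of the algorithm the CA signed with. The variable names are illustrative and `ThumbprintValue` is the post's placeholder, to be replaced with the real thumbprint.

```powershell
# Added example: read-only checks, nothing on the server is changed.
# ASSUMPTION: replace the placeholder with the CA-issued certificate's thumbprint.
$pasted = 'ThumbprintValue'

# A thumbprint copied from the certificate dialog can carry spaces or an
# invisible leading character, so keep only the hex digits.
$thumb = ($pasted -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumb.Length -ne 40) { throw "Expected 40 hex digits, got $($thumb.Length)." }

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "No certificate $thumb in LocalMachine\My." }

# Recompute the thumbprint locally: SHA-1 over the DER-encoded certificate.
$sha1   = [System.Security.Cryptography.SHA1]::Create()
$digest = ($sha1.ComputeHash($cert.RawData) |
    ForEach-Object { $_.ToString('X2') }) -join ''

# Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$eku     = $cert.Extensions | Where-Object { $_ -is $ekuType }
$hasServerAuth = [bool]($eku.EnhancedKeyUsages |
    Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

# What the RDP-Tcp listener is currently configured to present.
$ts = Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-Tcp'"

$now = Get-Date
[pscustomobject]@{
    Subject            = $cert.Subject
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    ThumbprintIsSha1   = ($digest -eq $cert.Thumbprint)
    HasPrivateKey      = $cert.HasPrivateKey
    ServerAuthEku      = $hasServerAuth
    WithinValidity     = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
    ListenerHash       = $ts.SSLCertificateSHA1Hash
    ListenerMatches    = ($ts.SSLCertificateSHA1Hash -eq $thumb)
} | Format-List
```

A `False` for `HasPrivateKey` or `ListenerMatches` identifies which side of the binding to look at: the imported certificate or the listener setting.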
