How to Replace Self-Signed RDP Certificate with CA-Signed Certificate on Windows Server 2012 R2


When enabling Remote Desktop on Windows Server 2012 R2 through Control Panel > System > Remote Settings, the system automatically generates a self-signed certificate in the Remote Desktop certificate store (Local Computer). This certificate:

  • Uses the computer's own name as both Subject and Issuer, so nothing vouches for it
  • Lacks proper CA chain trust
  • Triggers security warnings in RDP clients

Before proceeding, ensure your certificate meets these requirements:

1. Subject Name or SAN matches the server's FQDN
2. Contains 'Server Authentication' EKU (OID 1.3.6.1.5.5.7.3.1)
3. Private key is marked as exportable (if needing to transfer)
4. Complete certificate chain is available

First import the certificate into the Local Computer Personal store (Cert:\LocalMachine\My). This is the store the RDP listener resolves the configured thumbprint from; the Remote Desktop store only holds the auto-generated self-signed certificate. Prompting for the PFX password keeps it out of the command history.

# PowerShell command to import PFX
Import-PfxCertificate -FilePath "C:\path\to\cert.pfx" -Password (Read-Host -Prompt "PFX password" -AsSecureString) -CertStoreLocation Cert:\LocalMachine\My

Use this WMIC command to assign the certificate (with a single RDP-Tcp listener no WHERE clause is needed; the thumbprint is the SHA-1 hash as hex with no spaces):

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

To find your certificate's thumbprint (PowerShell already shows it as hex without spaces, the format the WMI property expects):

# PowerShell
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -match "your.server.fqdn" } | Select-Object Thumbprint,Subject

Check the active certificate with:

(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace "root\cimv2\TerminalServices" -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash

Certificate not showing in the store: ensure you imported into the Local Machine context (Cert:\LocalMachine\My), not Current User, and that the private key came with it; the listener cannot use a certificate from a user's store.

RDP still using old certificate: the WMI setting normally applies to new connections without a restart, so first re-run the query above to confirm the new thumbprint was stored. If it was and the old certificate is still presented, restart the listener (this disconnects active sessions):

Restart-Service -Name TermService -Force

For multiple servers, note that the WMI property is backed by a per-server registry value:

Path: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Value: SSLCertificateSHA1Hash (REG_BINARY)
Data: [certificate thumbprint as binary]

Every server has a different thumbprint, so one GPO registry item can only target one server. To roll this out with Group Policy, use Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > "Server authentication certificate template" together with certificate auto-enrollment from an enterprise CA; each host then enrolls for its own certificate and binds it itself.

Operational notes:

  • Always use FQDN when connecting (not IP)
  • Set certificate expiration alerts
  • Consider disabling weaker cipher suites

When enabling Remote Desktop on Windows Server 2012 R2 through Control Panel > System > Remote Settings, the system automatically generates a self-signed certificate with these characteristics:

Issuer: CN=[ServerName]
Subject: CN=[ServerName]
Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)

This causes certificate warnings in Remote Desktop Connection client because:

  1. The certificate isn't issued by a trusted CA
  2. The subject often doesn't match the FQDN used for connection
  3. The certificate chain cannot be validated

Your existing CA-signed certificate must meet these technical specifications:

  • Subject or SAN must contain the server's FQDN
  • Key Usage must include Digital Signature, Key Encipherment
  • Enhanced Key Usage must include Server Authentication (1.3.6.1.5.5.7.3.1)
  • Private key must be exportable (if installing from another machine)
  • Minimum 2048-bit RSA key length

1. Import the Certificate:

# PowerShell command to import PFX certificate (the backticks continue the line;
# prompting for the password keeps it out of the command history)
Import-PfxCertificate -FilePath "C:\path\to\certificate.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password (Read-Host -Prompt "PFX password" -AsSecureString)

2. Verify Certificate Thumbprint:

# Get certificate thumbprint
Get-ChildItem -Path Cert:\LocalMachine\My | 
    Where-Object { $_.Subject -match "your-server-fqdn" } | 
    Select-Object Thumbprint,Subject

3. Bind Certificate to RDP Service:

# WMIC command to configure RDP certificate
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="YOUR_THUMBPRINT"

4. Restart Remote Desktop Services (only needed if the old certificate is still presented to new connections; this disconnects active sessions):

Restart-Service -Name TermService -Force
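The four steps above as one script, added here as an example and not code from the original article. It adds the checks from the requirements list (name, EKU, key size, chain, private key present), grants the listener's service account read access to the private key, binds via WMI and reads the binding back from both WMI and the registry. The PFX path and the FQDN default are placeholder assumptions; run it in an elevated PowerShell session on the target server, with an RSA certificate.

```powershell
# Added example (not from the original article). Assumptions: $PfxPath is a placeholder,
# the listener is the default RDP-Tcp, the certificate uses an RSA key.
param(
    [string]$PfxPath = 'C:\path\to\certificate.pfx',                                # assumption
    [string]$Fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. srv01.corp.example
)

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'
$RdpTcpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Returns the reasons a certificate is unsuitable for the RDP listener (empty = usable).
function Test-RdpCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Fqdn)
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the store' }
    # Names the client may match: Subject CN plus every DNS entry of the SAN extension (2.5.29.17)
    $names = @($Cert.GetNameInfo('DnsName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += ($san.Format($false) -split ',\s*') -replace '^DNS Name=', '' }
    if (-not ($names -contains $Fqdn)) { $problems += "neither Subject nor SAN contains $Fqdn (found: $($names -join ', '))" }
    # Enhanced Key Usage (2.5.29.37) must list Server Authentication
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthEku })) {
        $problems += 'Enhanced Key Usage lacks Server Authentication'
    }
    if ($Cert.PublicKey.Key.KeySize -lt 2048) { $problems += "key is only $($Cert.PublicKey.Key.KeySize) bits" }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($Cert.NotAfter)" }
    # Chain trust only (revocation is checked by the RDP client at connect time)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $problems += 'chain does not build to a trusted root: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
    return $problems
}

# The listener runs as NETWORK SERVICE and needs Read on the private key file.
# Handles CAPI (CSP) keys; for CNG keys use certlm.msc > All Tasks > Manage Private Keys.
function Grant-PrivateKeyRead {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try { $container = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { $container = $null }
    if (-not $container) { Write-Warning 'CNG key: grant NETWORK SERVICE Read via certlm.msc (Manage Private Keys)'; return }
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
}

# 1. Import into LocalMachine\My, the store the listener resolves the thumbprint from.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
            -Password (Read-Host -Prompt 'PFX password' -AsSecureString)

# 2. Validate before touching the listener: a bad binding locks you out of RDP.
$problems = Test-RdpCertificate -Cert $cert -Fqdn $Fqdn
if ($problems) { throw "Certificate $($cert.Thumbprint) is not usable for RDP:`n - $($problems -join "`n - ")" }
Grant-PrivateKeyRead -Cert $cert

# 3. Bind via WMI. $cert.Thumbprint is already the SHA-1 hash as hex without spaces.
$listener = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# 4. Read the binding back from WMI and from the REG_BINARY value that stores it.
$wmiHash = (Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
$regHash = ((Get-ItemProperty -Path $RdpTcpKey).SSLCertificateSHA1Hash | ForEach-Object { $_.ToString('X2') }) -join ''
if ($wmiHash -ne $cert.Thumbprint -or $regHash -ne $cert.Thumbprint) {
    throw "Binding mismatch: WMI=$wmiHash registry=$regHash expected=$($cert.Thumbprint)"
}
"RDP-Tcp now presents $($cert.Subject) ($($cert.Thumbprint)), valid until $($cert.NotAfter)"
```

The validation runs before the binding on purpose: the listener will happily store a thumbprint for a certificate it cannot use (wrong store, no private key, key not readable by NETWORK SERVICE), and the result is a listener that refuses every TLS connection. Keep a console or out-of-band path open the first time you run it.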

After implementation, verify with these techniques:

Check Current Binding:

(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices).SSLCertificateSHA1Hash

Test Remote Connection (this only proves the port is reachable; it does not inspect the certificate the listener presents):

Test-NetConnection -ComputerName your-server-fqdn -Port 3389

View Certificate Details:

$rdpCert = Get-ChildItem -Path Cert:\LocalMachine\My | 
    Where-Object { $_.Thumbprint -eq "YOUR_THUMBPRINT" }
$rdpCert | Format-List *
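A port check cannot tell you which certificate is actually being served. The following function, added here as an example and not part of the original article, performs the same negotiation that mstsc does (an X.224 Connection Request asking for TLS, then the TLS handshake) and reports the certificate the listener really presents, plus the validation result a client would get. The hostname in the usage line is a placeholder.

```powershell
# Added example (not from the original article). Assumption: the hostname in the usage line is a placeholder.
function Get-RdpServerCertificate {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 3389)

    # TPKT + X.224 Connection Request + RDP_NEG_REQ. requestedProtocols = 0x3 offers
    # PROTOCOL_SSL (1) and PROTOCOL_HYBRID/CredSSP (2); both begin with a TLS handshake,
    # so the probe also works against listeners that require NLA.
    $connReq = [byte[]](
        0x03,0x00,0x00,0x13,                  # TPKT: version 3, reserved, length 19
        0x0e,0xe0,0x00,0x00,0x00,0x00,0x00,   # X.224: LI=14, CR TPDU, dst-ref, src-ref, class 0
        0x01,0x00,0x08,0x00,                  # RDP_NEG_REQ: type 1, flags 0, length 8
        0x03,0x00,0x00,0x00)                  # requestedProtocols = SSL | HYBRID

    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $stream.Write($connReq, 0, $connReq.Length)

        # Expect TPKT + X.224 Connection Confirm + RDP_NEG_RSP (19 bytes).
        # Byte 11 is the negotiation type: 2 = RDP_NEG_RSP, 3 = RDP_NEG_FAILURE; bytes 15..18 the payload.
        $resp = New-Object byte[] 19
        $read = 0
        while ($read -lt $resp.Length) {
            try { $n = $stream.Read($resp, $read, $resp.Length - $read) } catch [System.IO.IOException] { break }
            if ($n -le 0) { break }
            $read += $n
        }
        if ($read -lt 19) { throw "No negotiation response ($read bytes): listener is probably in legacy RDP security mode" }
        if ($resp[11] -eq 0x03) { throw ('Server refused TLS, failureCode 0x{0:x8}' -f [BitConverter]::ToUInt32($resp, 15)) }
        if ($resp[11] -ne 0x02) { throw ('Unexpected X.224 response type 0x{0:x2}' -f $resp[11]) }
        $selected = [BitConverter]::ToUInt32($resp, 15)

        # Record the validation result instead of failing on it: the point is to see what is presented.
        $script:policyErrors = $null
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:policyErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
        $ssl.AuthenticateAsClient($ComputerName)
        $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        [pscustomobject]@{
            Server           = "${ComputerName}:$Port"
            SelectedProtocol = @{ 1 = 'TLS'; 2 = 'CredSSP (NLA) over TLS' }[[int]$selected]
            TlsVersion       = $ssl.SslProtocol
            Subject          = $presented.Subject
            Issuer           = $presented.Issuer
            Thumbprint       = $presented.Thumbprint
            NotAfter         = $presented.NotAfter
            PolicyErrors     = $script:policyErrors   # None means this client would show no warning
        }
    }
    finally { $client.Close() }
}

# Usage (hostname is a placeholder); compare Thumbprint with the value bound via WMI.
Get-RdpServerCertificate -ComputerName 'your-server-fqdn' | Format-List
```

PolicyErrors of RemoteCertificateNameMismatch means the name you connected with is not on the certificate (typically an IP or short name); RemoteCertificateChainErrors means the client does not trust the issuing CA. The server logs the probe as a failed connection because it closes after the handshake without completing CredSSP or the RDP connection sequence.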

Certificate Not Showing in RDP Configuration:

  • Ensure the certificate is in the Local Machine\Personal store (Cert:\LocalMachine\My) together with its private key
  • Verify private key permissions: the listener runs as NETWORK SERVICE, which needs Read on the key (certlm.msc > Personal > Certificates > right-click the certificate > All Tasks > Manage Private Keys)

Connection Still Using Old Certificate:

  1. On the server, re-run the binding check above to confirm the new thumbprint is stored; if it is, restart the listener with Restart-Service -Name TermService -Force (this disconnects active sessions)
  2. On the client, mstsc caches the thumbprint of any certificate you accepted with "Don't ask me again" under HKCU\Software\Microsoft\Terminal Server Client\Servers\<server>\CertHash; delete that key so the new certificate is evaluated afresh
  3. Connect by the FQDN that appears on the certificate, not by IP address or short name, or the name-mismatch warning remains

For stricter security requirements, require TLS for the listener and Network Level Authentication. Both are properties of the same Win32_TSGeneralSetting instance (stored under the RDP-Tcp registry key as SecurityLayer and UserAuthentication). There is no SSLCipherSuite value under RDP-Tcp; the TLS versions and cipher suites RDP can negotiate are the ones enabled system-wide for SCHANNEL under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, so disable TLS 1.0/1.1 and weak ciphers there.

# Require TLS (SecurityLayer 2 = SSL/TLS, 1 = negotiate, 0 = legacy RDP security) and NLA
$rdp = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$rdp.SetSecurityLayer(2) | Out-Null
$rdp.SetUserAuthenticationRequired(1) | Out-Null