When generating certificates for Windows Remote Desktop Services, the certificate must include the Server Authentication Extended Key Usage (1.3.6.1.5.5.7.3.1). This EKU tells Windows that the certificate is valid for server authentication purposes.
The basic OpenSSL command for self-signed certificates:
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout myserver.key -out myserver.crt
This doesn't include any extended key usage extensions by default. The -extfile parameter only works with the openssl x509 command when modifying existing certificates, not during initial creation.
Create a configuration file (e.g., server_auth.cnf) with these contents:
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = myserver.example.com
O = My Organization
C = US
[ext]
extendedKeyUsage = serverAuth
Then generate the certificate using:
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
-keyout myserver.key -out myserver.crt -config server_auth.cnf
Check that the generated certificate contains the EKU:
openssl x509 -in myserver.crt -noout -text | grep -A1 "Extended Key Usage"
Should output something like:
X509v3 Extended Key Usage:
TLS Web Server Authentication
For more complex requirements, you might need multiple extensions:
[ext]
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:myserver.example.com, DNS:internal.example.com
After generating the certificate:
- Convert to .pfx format:
openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt
- Import into Windows Certificate Store
- Assign to Remote Desktop Services
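The whole procedure above as one runnable script, added here as an example (it is not code from the original answer). It goes slightly beyond the text: the config also sets basicConstraints and keyUsage, the EKU and SAN are checked programmatically instead of by eye, and the exported PFX is parsed back to confirm its password and MAC. It assumes OpenSSL 1.1.1 or 3.x on the PATH; the hostnames, organisation, file names and the PFX password are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original answer): config-driven self-signed
# certificate with the serverAuth EKU and a SAN, checks that both extensions
# made it into the certificate, and a PFX export for the Windows store.
# Hostnames, organisation, file names and the PFX password are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="changeit"   # placeholder password for the PKCS#12 bundle

# Request config; x509_extensions is what makes `openssl req -x509`
# put the EKU and SAN into the self-signed certificate.
write_config() {
    cat > "$WORK/server_auth.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext

[dn]
CN = myserver.example.com
O = My Organization
C = US

[ext]
extendedKeyUsage = serverAuth
subjectAltName = DNS:myserver.example.com, DNS:internal.example.com
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
}

# Key pair plus self-signed certificate in one step.
generate_cert() {
    write_config
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -sha256 \
        -keyout "$WORK/myserver.key" -out "$WORK/myserver.crt" \
        -config "$WORK/server_auth.cnf" 2>/dev/null
}

# Returns 0 if the certificate lists Server Authentication in its EKU extension.
has_server_auth() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 "Extended Key Usage" | grep -q "TLS Web Server Authentication"
}

# Returns 0 if the certificate's SAN carries the given DNS name.
has_dns_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 "Subject Alternative Name" | grep -q "DNS:$2"
}

# Bundle key and certificate into a PFX for import into the Windows store.
export_pfx() {
    openssl pkcs12 -export -out "$WORK/myserver.pfx" \
        -inkey "$WORK/myserver.key" -in "$WORK/myserver.crt" \
        -passout "pass:$PFX_PASS"
}

# Returns 0 if the PFX parses and its MAC verifies with the password.
pfx_ok() {
    openssl pkcs12 -in "$WORK/myserver.pfx" -passin "pass:$PFX_PASS" -noout 2>/dev/null
}

main() {
    generate_cert
    has_server_auth "$WORK/myserver.crt" && echo "serverAuth EKU present"
    has_dns_san "$WORK/myserver.crt" internal.example.com && echo "SAN present"
    export_pfx && pfx_ok && echo "PFX written to $WORK/myserver.pfx"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it with `sh script.sh run`. OpenSSL 3.x writes PKCS#12 files with AES-256-CBC and PBKDF2/SHA-256 by default; Windows Server 2016 and later import those, but older Windows builds expect the RC2/3DES encoding and need `openssl pkcs12 -export -legacy` instead.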
When configuring certificates for Windows Remote Desktop Services, the Server Authentication extended key usage (1.3.6.1.5.5.7.3.1) becomes mandatory. The standard OpenSSL command-line approach doesn't include this extension by default.
Here's how to properly generate a self-signed certificate with Extended Key Usage (EKU):
# First, create a configuration file (e.g., openssl.cnf)
cat > openssl.cnf <
To verify the extensions were properly applied:
openssl x509 -in myserver.crt -text -noout | grep -A 3 "Extended Key Usage"
You should see output similar to:
X509v3 Extended Key Usage:
TLS Web Server Authentication
If you need to add EKU to an existing certificate:
# The certificate must be re-signed: its signature covers the extensions, so
# x509 only adds them when it signs. original.key is the key the certificate
# was issued with (file name assumed). Without -signkey the command just
# writes the input certificate back out unchanged.
openssl x509 -in original.crt -signkey original.key -days 365 -out modified.crt \
-extfile <(echo "extendedKeyUsage = serverAuth")
1. For Windows Remote Desktop Services, also include the Client Authentication EKU (1.3.6.1.5.5.7.3.2) if needed
2. Modern systems prefer using SAN (Subject Alternative Name) alongside EKU
3. Always verify the certificate chain and extensions before deployment
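The "add EKU to an existing certificate" step, written out as an added example (not code from the original answer) that also shows what the re-sign changes and what it preserves: the thumbprint changes, because a new signature means a new certificate that must be re-bound in RDS, while the public key stays the same, so the existing private key file remains valid. The "existing" certificate is generated inline as a stand-in, the bash-only `<(echo ...)` process substitution is replaced by a plain file so the script runs under POSIX sh, and all file names are constructed placeholders. Assumes OpenSSL 1.1.1 or 3.x.

```shell
#!/bin/sh
# Added example (not from the original answer): add the serverAuth EKU to an
# existing self-signed certificate by re-signing it with its own key, then
# confirm what changed and what did not. The original certificate is generated
# here as a stand-in; file names are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the existing certificate: self-signed, no EKU at all.
make_original() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -sha256 \
        -subj "/CN=myserver.example.com" \
        -keyout "$WORK/original.key" -out "$WORK/original.crt" 2>/dev/null
}

# Returns 0 if the certificate lists Server Authentication in its EKU extension.
has_server_auth() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 "Extended Key Usage" | grep -q "TLS Web Server Authentication"
}

# Re-sign with the original key. The signature covers the extension block, so
# an extension cannot be appended in place; -signkey makes x509 build and sign
# a new certificate carrying the extensions listed in -extfile.
resign_with_eku() {
    printf 'extendedKeyUsage = serverAuth\n' > "$WORK/eku.cnf"
    openssl x509 -in "$WORK/original.crt" -signkey "$WORK/original.key" \
        -days 365 -extfile "$WORK/eku.cnf" -out "$WORK/modified.crt" 2>/dev/null
}

# SHA-256 fingerprint: the thumbprint Windows uses to identify the certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Public key in PEM form, to show the key pair survives the re-sign.
public_key() {
    openssl x509 -in "$1" -noout -pubkey
}

# Returns 0 if the thumbprint differs between the two certificates.
fingerprint_changed() {
    [ "$(fingerprint "$WORK/original.crt")" != "$(fingerprint "$WORK/modified.crt")" ]
}

# Returns 0 if both certificates carry the same public key.
same_key() {
    [ "$(public_key "$WORK/original.crt")" = "$(public_key "$WORK/modified.crt")" ]
}

main() {
    make_original
    has_server_auth "$WORK/original.crt" || echo "original.crt: no serverAuth EKU (as expected)"
    resign_with_eku
    has_server_auth "$WORK/modified.crt" && echo "modified.crt carries serverAuth"
    fingerprint_changed && echo "thumbprint changed: re-bind the new certificate in RDS"
    same_key && echo "same key pair: original.key still matches modified.crt"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it with `sh script.sh run`. Because the re-signed certificate has a new thumbprint, any RDS binding or client trust entry that references the old thumbprint has to be updated after the swap.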