Step By Step Procedure To Fix The RDP Certificate Error On Windows Servers

December 4, 2023 | 8m

Many of you have seen a certificate error message when trying to connect to a remote computer using RDP. Why do you get the certificate error? It is due to an invalid certificate. The certificate could be invalid for two reasons: either the RDP certificate on the remote computer has expired, or the certificate is not trusted. If the certificate on the remote computer has expired, you have no choice but to renew it. But if your certificate is valid and simply not trusted, renewal does not fix this RDP certificate error; instead, you should add the certificates of the root and intermediate Certificate Authorities to the trusted stores on the remote computer. Let's see how to identify and fix the RDP certificate error, with a detailed procedure to renew the RDP certificate on the remote computer if the certificate there has expired.

What Is The Reason Behind The RDP Certificate Error?

You see a certificate error warning because the certificate on the remote computer has become invalid. There are two primary reasons for this. Let's explain both reasons and the solution to fix the RDP certificate error in each case.

#1. RDP Certificate Expired:

Each certificate has a validity period and is issued with an issue date and an expiry date. The certificate is considered invalid once it has passed its expiry date. You may face connection issues with an expired certificate, as it will fail to authenticate the remote computer. You can fix this issue only by renewing the RDP certificate on the remote computer. A detailed step-by-step procedure to renew the RDP certificate on the remote computer follows in a later section of this post.

#2. RDP Certificate Is Not Trusted:

The certificate is also considered invalid if the Certificate Authority that issued it is not trusted. Fixing this RDP certificate error is not mandatory to connect to the remote computer; you can ignore it if you are not worried about the security of the connection. However, ignoring it is not recommended, especially in a business environment, because an untrusted connection leaves you prone to cyberattacks. This issue can be fixed by importing the certificates of the root and intermediate Certificate Authorities into the Trusted Root and Intermediate Certification Authorities stores on the remote computer. Please see How to Download and Import Trusted Root CA Certificates from Internal Certificate Authority Server? for how to import the certificates of the root and intermediate/subordinate Certificate Authorities.

How To Rectify The Problem Behind The RDP Certificate Error?

All right, now you know the possible causes of the RDP certificate error. The next step is to identify the actual cause so you can fix it. It's easy: you just have to verify a few things on the RDP certificate of the remote computer. Click the View certificate button on the certificate error warning window to view the certificate, or log in to the remote computer and view the certificate in its Personal store.

#1. How To Check Whether The Certificate Is Valid?

All PKI certificates carry some basic information, including the issuer name and the issue and expiry dates. Check the expiry date to see whether the certificate has expired.

#2. How To Verify Whether The Certificate Is Trusted?

You can verify whether the certificate authority that issued the certificate is trusted in several ways:

  1. If the Certificate error section of the RDP certificate error warning shows the message "The certificate is not from a trusted certifying authority", the certificate authority is not trusted.

  2. You can also see the same message in the Certification Path of the certificate viewer.

  3. Look for the root and intermediate certificates in their respective stores on the computer. If the certificates are not present in those stores, the Certificate Authorities are considered not trusted.
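The checks above can also be run on the remote server itself. The following script is an added example, not part of the original post: it reads the thumbprint the RDP listener currently presents, then reports the two causes discussed (expiry and an untrusted chain) plus a hostname mismatch. It assumes an elevated PowerShell session on the server and the default RDP-Tcp listener name.

```powershell
# Added diagnostic script, not from the original post. Run in an elevated
# PowerShell on the remote server. Finds the certificate bound to the RDP
# listener and reports why a client might reject it.
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$thumb = $ts.SSLCertificateSHA1Hash

# The bound certificate is in the Personal store when an admin imported it, or
# in the "Remote Desktop" store when it is the default self-signed one.
$cert = Get-ChildItem Cert:\LocalMachine\My, 'Cert:\LocalMachine\Remote Desktop' `
            -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint '$thumb' found in the local stores" }

# Cause 1: expired (or not yet valid).
$now     = Get-Date
$expired = ($cert.NotAfter -lt $now) -or ($cert.NotBefore -gt $now)

# Cause 2: chain does not end at a CA in the Trusted Root store. Revocation is
# skipped so this measures trust, not CRL reachability. An expired certificate
# also fails here (NotTimeValid), which is why expiry is checked first below.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted     = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# Related cause: the name the client connects to must appear in the SAN or CN.
# DnsNameList is a property added by the Cert: provider (PowerShell 3.0+).
$fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$names  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$nameOk = $names -contains $fqdn

[pscustomobject]@{
    Thumbprint   = $cert.Thumbprint
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    NotAfter     = $cert.NotAfter
    Expired      = $expired
    ChainTrusted = $trusted
    ChainStatus  = $chainStatus
    NamesOnCert  = ($names -join ', ')
    MatchesHost  = $nameOk
}

# Map each finding to the fix described in this post.
if ($expired)          { Write-Warning 'Certificate expired: renew it (Steps 1-4 below).' }
elseif (-not $trusted) { Write-Warning 'Chain not trusted: import the root/intermediate CA certificates into the trusted stores.' }
elseif (-not $nameOk)  { Write-Warning "Certificate does not contain $fqdn; request it with the correct SAN." }
else                   { Write-Host 'Certificate is valid and trusted on this server.' }
```

The chain check reflects the trust stores of the machine it runs on; the warning itself is raised by the connecting client, so running the same chain step on the client shows what that client trusts.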

How To Renew The RDP Certificate On Windows Servers?

In this section, we cover how to renew the RDP certificate on any Windows server. The procedure is divided into four major steps, which together give you a clear picture of the complete certificate renewal process.

  1. Create a CSR for the RDP certificate.

  2. Submit the CSR to the internal CA server and download the certificate once it is issued.

  3. Import the certificate into the remote server's Personal store.

  4. Bind the RDP certificate to the RDP services.

Step 1. Create a CSR:

http://thesecmaster.com/step-by-step-procedure-to-create-a-custom-csr-on-a-windows-server/

Step 2. Submit the CSR and download the certificate:

http://thesecmaster.com/how-to-request-a-certificate-from-windows-adcs/

Step 3. Import the certificate:

http://thesecmaster.com/step-by-step-procedure-to-convert-a-cer-certificate-to-pfx-without-the-private-key/

Step 4. Bind the RDP certificate:

Use this command to bind the certificate, supplying the certificate's thumbprint as the value of SSLCertificateSHA1Hash:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=<thumbprint>

Step 1. Create A CSR:

A Certificate Signing Request (CSR) is the first step towards getting a new certificate. Log in to the remote server and follow the steps in the CSR article linked above to create the CSR on the remote server.

Step 2. Submit The CSR And Download The Certificate After It Is Issued:

Submit the generated CSR to the internal CA and download the certificate from the CA portal once it is issued. Refer to the article How to request a certificate from Windows ADCS? to submit the CSR and download the certificate from the internal CA portal.

Step 3. Import The Certificate:

After you download the certificate, import it into the Personal store of the remote server. The article linked above shows how to import the certificate.

Step 4. Bind The RDP Certificate To The RDP Services:

Importing the certificate is not enough to make it work; you must bind the new certificate to the RDP services. Use this command, replacing <thumbprint> with the certificate's SHA-1 thumbprint as the value of SSLCertificateSHA1Hash (copy it without the spaces shown in the certificate viewer):

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=<thumbprint>

Example:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=7fe74076c8a1f8e5b99fc049540977243751bf51

The binding completes with the message "update successful". This is how you renew the RDP certificate on the remote server.
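The same binding in PowerShell, as an added example rather than the post's own command: it verifies the certificate before binding, performs the binding through the same Win32_TSGeneralSetting class that wmic uses, and confirms the listener now reports the new thumbprint. It assumes the renewed certificate is already in Cert:\LocalMachine\My and that $Thumbprint is replaced with its real value.

```powershell
# Added example, not the post's own command. Placeholder: replace with the
# thumbprint of the renewed certificate (40 hex characters).
$Thumbprint = 'PASTE-RENEWED-CERT-THUMBPRINT-HERE'
# Strip the spaces or colons that come along when copying from the GUI.
$Thumbprint = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpper()
if ($Thumbprint.Length -ne 40) { throw 'Thumbprint must be 40 hex characters' }

# Pre-flight checks: the common ways a binding "succeeds" but RDP keeps the old cert.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Thumbprint $Thumbprint not found in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; import the PFX, not the .cer' }
if ($cert.NotAfter -lt (Get-Date)) { throw 'That certificate has already expired' }
# The RDP service runs as NETWORK SERVICE, which needs Read access to the
# private key (certlm.msc > All Tasks > Manage Private Keys); without it the
# listener falls back to its self-signed certificate.

# Bind: same class and property the wmic command writes.
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$ts | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }

# Verify by reading the setting back rather than trusting the success message.
$after = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
           -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($after.SSLCertificateSHA1Hash -ne $cert.Thumbprint) { throw 'Binding did not take effect' }
"RDP-Tcp now presents $($cert.Subject), valid until $($cert.NotAfter)"
```

New connections use the new certificate; an existing session is unaffected until it reconnects.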

Thanks for reading the post. Please share this with people who are struggling to fix the RDP certificate error.

Additional Considerations for Securing RDP Connections

To ensure secure RDP connections to your Windows servers, follow these best practices recommended by Microsoft:

  • Use Network Level Authentication (NLA), which provides an additional layer of authentication before the RDP connection is established. NLA requires the user to authenticate to the RD Gateway or RD Web Access server with credentials before the RDP connection to the remote desktop server can be established. This prevents man-in-the-middle attacks.

  • Deploy an RD Gateway server for external RDP connections. The RD Gateway provides centralized authentication and authorization for remote users connecting externally, enabling restricted access and policies for external connectivity.

  • Restrict source IP addresses that can establish RDP connections using firewall rules or IP allow lists on the RD Gateway server. Avoid exposing RDP ports directly to the internet.

  • Use a robust authentication method like smart cards or multi-factor authentication rather than passwords alone. This enhances security and makes brute-force credential attacks more difficult.

  • For external connections, use a public SSL certificate from a trusted certificate authority on the RD Gateway server to avoid certificate trust warnings. For internal connections, use an enterprise CA-issued certificate.

  • Ensure the CN or SAN names on the server authentication certificate match the RDP server's DNS name to prevent certificate name mismatch errors.

  • Regularly review the RDP logon logs and failed logon attempts to detect brute-force attacks in a timely manner. Enable auditing and logging on RD servers.

  • Use accounts with the least privilege rights rather than granting domain admin rights for RDP access. Avoid enabling RDP for privileged admin accounts.

  • Use a non-standard custom port like 443 or 32111 instead of the default RDP port 3389 to make port scanning more difficult.

  • Enable encryption settings like TLS 1.2 and NLA to encrypt RDP communications and prevent snooping of data in transit.

  • Keep RDP servers patched and updated to ensure protection against security vulnerabilities like BlueKeep. Disable unused services and protocols.

  • Limit the idle session timeout and force disconnection of idle sessions for improved security. Promptly remove old user profiles.
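Several items in the list above map to settings that can be read directly on the server. The following read-only audit script is an added example, not from the original post or from Microsoft: it reports the listener's NLA, security layer, encryption level and port, and summarises failed logons (event ID 4625) from the last 24 hours by source address, which is the raw material for spotting brute-force attempts. It assumes an elevated session on the RD server with the default RDP-Tcp listener.

```powershell
# Added audit script, not from the original post. Read-only.
$wsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ws    = Get-ItemProperty -Path $wsKey
$ts    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Value meanings: UserAuthentication 1 = NLA required; SecurityLayer 0 = RDP
# security, 1 = negotiate, 2 = TLS required; MinEncryptionLevel 1 = low,
# 2 = client compatible, 3 = high, 4 = FIPS; fDenyTSConnections 1 = RDP off.
$findings = [ordered]@{
    RdpEnabled      = ($ts.fDenyTSConnections -eq 0)
    NlaRequired     = ($ws.UserAuthentication -eq 1)
    TlsRequired     = ($ws.SecurityLayer -eq 2)
    EncryptionLevel = $ws.MinEncryptionLevel
    ListenerPort    = $ws.PortNumber
}
[pscustomobject]$findings

foreach ($item in 'NlaRequired', 'TlsRequired') {
    if (-not $findings[$item]) { Write-Warning "$item is not set; see the hardening list above" }
}
if ($findings.EncryptionLevel -lt 3) { Write-Warning 'MinEncryptionLevel is below High (3)' }

# Failed logons. LogonType 10 = RemoteInteractive; with NLA enabled a failed
# RDP password attempt is usually recorded as LogonType 3, so both are counted.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.LogonType -in '3', '10') {
        [pscustomobject]@{ Source = $d.IpAddress; User = $d.TargetUserName; LogonType = $d.LogonType }
    }
}
"Failed RDP-style logons since $since : $(@($rows).Count)"
# Top sources and the accounts they tried: many users from one address is a spray.
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 @{ n = 'Source'; e = { $_.Name } }, Count,
        @{ n = 'Users'; e = { ($_.Group.User | Select-Object -Unique) -join ', ' } }
```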

Following Microsoft's recommended practices and hardening your RDP deployment design can reduce the attack surface and improve the overall security of remote desktop access in your organization.

We hope this guide helps you understand how to fix the RDP certificate error on Windows computers. Thanks for reading this post.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
