How to install a self-signed certificate on Windows 2012 R2 for RDP?


Recently I ran into some issues with RDP security, so I looked into how to use my own certificate. Please note that using a self-signed certificate is not recommended, because it can cause more complicated trouble. However, I do not have any other certificate, so I will use a self-signed one for this post.


1. Pre-requisite


Before I start this post, I need to prepare the self-signed certificate. In this post I will show how to create the certificate with openssl. In addition, I need to merge and convert the certificate ("crt") and its key into a "pfx" file, because on Windows the private key matching the certificate I want to import must be imported together with it.


# create CSR (Certificate Signing Request) file (crenet-pri.pem is the existing private key)

openssl req -new -key crenet-pri.pem -out crenet.csr


# create self-signed certificate file, valid for 365 days

openssl x509 -req -days 365 -in crenet.csr -signkey crenet-pri.pem -out crenet.crt


# create "pfx" file (certificate plus private key, protected by an export password)

openssl pkcs12 -export -in crenet.crt -inkey crenet-pri.pem -out crenet.pfx


2. Install the Certificates snap-in and import the certificate file


Run "mmc" to open the console. Here I can add the snap-in and configure the certificate.



There is nothing at first. I need to add the Certificates snap-in.



I need to follow "File > Add/Remove Snap-ins".



Then choose what I want to add. In my case, "Certificates" is chosen. After adding the Certificates snap-in, I can see the menu like below. Select "Computer account".



Select "Local computer".



After finishing the above steps, I can see the "Certificates" category on the left side. Through "Certificates > Personal > All Tasks > Import", I can import my self-signed certificate.



Now I can start the "Certificate Import Wizard". Click "Next".



There is a form to enter the path of the certificate, which is the "pfx" file.



Enter the optional values if I set any when creating the file.



Select the store the certificate should be placed in. In this case, "Personal" is used.



Now I can check all of the information.



Click "Finish". I can see the certificate located in "Personal" like below.



Now I have finished importing my certificate.


3. Check the certificate status and activate the certificate


After the installation and import process above, I can check the details of the installed certificate by double-clicking it. If its status is good, I can see the message "You have a private key that corresponds to this certificate".



Now the self-signed certificate is imported with the correct steps and status. Next, I need the "Thumbprint" to activate this certificate and switch RDP over from the default one. In "Details", I can see the "Thumbprint" like below.




This "Thumbprint" value is necessary; it is used in the command lines below. There are two ways to run the command. In my case, I will use "Command mode".


# Command mode

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"


# PowerShell mode (two statements: first look up the WMI instance path, then set the property)

$path = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-tcp'").__PATH
Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash="THUMBPRINT"}


In CMD, I can run it like below and confirm "Update is successful".
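The import and activation steps of sections 2 and 3 as one script, added here as an example (not the post's own commands). It assumes the PFX built with openssl is at C:\certs\crenet.pfx, that the listener is named "RDP-tcp" as in the post, and that it runs in an elevated PowerShell:

```powershell
# Added example: import the PFX, derive the thumbprint, bind it to the RDP-Tcp
# listener and read the setting back. Path and listener name are assumptions.
param(
    [string]$PfxPath = 'C:\certs\crenet.pfx'   # assumed location of the PFX from openssl
)

# 1. Import into the local machine Personal store (Cert:\LocalMachine\My), the
#    same store the MMC wizard used above.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 2. RDP can only use the certificate if the private key came with it
#    (the "You have a private key that corresponds to this certificate" check).
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Subject) has no private key; re-create the PFX with -inkey."
}

# 3. Normalise the thumbprint defensively: a value copied from the GUI contains
#    spaces and sometimes a hidden leading character, which WMI rejects.
#    The result must be exactly 40 hex characters (SHA-1).
$thumbprint = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumbprint.Length -ne 40) {
    throw "Unexpected thumbprint '$thumbprint' (need 40 hex chars)."
}

# 4. Bind the certificate to the listener (same WMI class the post uses with wmic).
$tsSetting = Get-WmiObject -Class 'Win32_TSGeneralSetting' `
                 -Namespace 'root\cimv2\TerminalServices' -Filter "TerminalName='RDP-tcp'"
Set-WmiInstance -Path $tsSetting.__PATH `
                -Arguments @{ SSLCertificateSHA1Hash = $thumbprint } | Out-Null

# 5. Read the setting back and confirm the listener really switched.
$applied = (Get-WmiObject -Class 'Win32_TSGeneralSetting' `
                -Namespace 'root\cimv2\TerminalServices' `
                -Filter "TerminalName='RDP-tcp'").SSLCertificateSHA1Hash
if ($applied -ne $thumbprint) {
    throw "RDP listener still reports $applied, expected $thumbprint."
}
Write-Output "RDP-tcp now uses certificate $($cert.Subject) ($thumbprint)"
```

If the read-back matches but clients still see the old certificate, check that the Remote Desktop Services listener account (NETWORK SERVICE) has read access to the private key in the certificate's "Manage Private Keys" dialog; without it the listener silently falls back to the default certificate.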



4. Access the Remote Desktop

 

Now I will connect, and I can confirm that the certificate has changed like below.


 

Basically, RDP is already encrypted with TLS. With the steps above, it now uses my own certificate rather than the default one.



I can see the TLS handshake in the Wireshark packets.


5. (Optional) Enforce the RDP data and connection encryption level


In this post there are several steps to make the RDP connection more secure. In this part, the "Local Group Policy Editor" is used to enhance the security. Run "gpedit.msc" first.



In "Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security", there are several parameters which I have to change.


1. Set client connection encryption level (Enabled / High Level)

2. Require secure RPC communication (Enabled)

3. Require use of specific security layer for remote (RDP) connections (Enabled / SSL)

4. Require user authentication for remote connections by using Network Level Authentication (Enabled)


