Many of you were seen a certificate error message when try connecting a remote computer using RDP services. If you see why you got the certificate error? It’s due to an invalid certificate. The certificate could be invalid for two reasons. Either the RDP certificate has expired on the remote computer, or the certificate is not trusted. If the certificate on the remote computer has expired, then you have no choice rather renewing the certificate. But, if your certificate is valid and not trusted, renewal doesn’t help in fixing this RDP certificate error. You should add the certificates of root and intermediate Certificate Authorities to trusted stores on the remote computer. Let’s see how to rectify and fix the RDP certificate error with a detailed procedure to renew the RDP certificate on the remote computer if you have an expired certificate on the computer.
Table of Contents
What Is The Reason Behind The RDP Certificate Error?
You will see a certificate error warning because the certificate on the remote computer becomes invalid. There are two primary reasons to see the error. Let’s explain the two reasons and solutions to fix the RDP certificate error.
#1. RDP Certificate Expired:
Each certificate has a validity period and is issued with an issue and expiry date. The certificate will be considered invalid when it has crossed its expiry date. You may face connection issues if you have encountered the expired certificate problem as the expired certificate will fail to authenticate. You can fix this issue only by renewing the RDP certificate on the remote computer. Let’s see a detailed step-by-step procedure to renew the RDP certificate on the remote computer in a later section in this post.
#2. RDP Certificate Is Not Trusted:
The certificate is considered invalid even if the Certificate Authority of the certificate is not trusted. Anyway’s it’s not mandatory to fix this RDP certificate error to connect the remote computer. You can ignore this if you are not worried about the secured connection. But, it’s not recommended to ignore it, especially when you are working for a business. Because if you ignore it, you are prone to cyberattacks. This issue can be fixed by importing the certificates of root and intermediate Certificate Authorities into the root and intermediate trusted stores on the remote computer. Please visit “How to Download and Import Trusted Root CA Certificates from Internal Certificate Authority Server?” to see how to import the certificates of root and intermediate/subordinate Certificates Authorities.
How To Rectify The Problem Behind The RDP Certificate Error?
All right, now you know the cause of the RDP certificate error. The next thing is how you can identify the actual cause to fix the RDP certificate error. Well, it’s easy. You just have to verify certain things on the RDP certificate of the remote computer to figure out the actual cause of the error message. Click on the ‘view certificate’ button on the certificate error warning window to view the certificate. Or you can view the certificate in the personal store of the computer by login into it.
#1. How To Check The Certificate Is Valid?
All PKI certificates will have some information, including issuer name, issued, and expiry dates. You can see the expiry date to check the certificate has expired.
#2. How To Verify The Certificate Is Not Trusted?
You can verify the certificate authority of the certificate is trusted in multiple ways.
- If you see the message “The certificate is not from a trusted certifying authority” in the Certificate error section on the RDP certificate error waning, that means the certificate authority is not trusted.
- You can also see the message in the Certificate path like here:
- Try to find the root and intermediate certificates in the respective store. If you cannot see the certificates in the stores, the Certificate Authorities are considered not trusted.
How To Renew The RDP Certificate On Windows Servers?
In this section we are going to cover how to renew the RDP Certificate on any Windows server. We have divided this section into four major subsections which would gives you a better understanding of complete certificate renewal process.
- Create a CSR for the RDP certificate.
- Submit the CSR to the internal CA server and download certificate after issued.
- Import the certificate to the remote server’s personal store.
- Bind the RDP certificate to the RDP services.
Time needed: 10 minutes.
How to renew the RDP Certificate on Windows servers?
- Create a CSR:
https://thesecmaster.com/step-by-step-procedure-to-create-a-custom-csr-on-a-windows-server/
- Submit the CSR and Download the certificate:
https://thesecmaster.com/how-to-request-a-certificate-from-windows-adcs/
- Import the certificate:
https://thesecmaster.com/step-by-step-procedure-to-convert-a-cer-certificate-to-pfx-without-the-private-key/
- Bind the RDP certificate:
Use this command to bind the certificate:
wmic /namespace://root/cimv2/TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=””
Supply thumbprint of the certificate to the SSLCertificateSHA1Hash.
#1. Create A CSR:
Certificate Signing Request is the first step to get a new certificate. Please login to the remote server and follow the steps to create a CSR on the remote server.
#2. Submit The CSR And Download The Certificate After Issued:
Submit the CSR generated to the internal CA and download the certificate from the CA portal after issued. Refer the article “How to request a certificate from Windows ADCS?” to submit the CSR and download the certificate from the internal CA portal.
#3. Import The Certificate:
After you download the certificate, you should import the certificate to the personal store. You can see how to import the certificate here.
#4. Bind The RDP Certificate To The RDP Services:
Importing the certificate is not enough to make it work. You should bind the new certificate to the RDP services. Use this command to bind the certificate:
wmic /namespace://root/cimv2/TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=””
Supply thumbprint of the certificate to the SSLCertificateSHA1Hash.
Examples:
wmic /namespace://root/cimv2/TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=”7fe74076c8a1f8e5b99fc049540977243751bf51″
The bind process will get completed with the message “update successful”. This is how you should renew the RDP Certificate on the remote server.
Thanks for reading the post. Please share this with people who are struggling to fix the RDP certificate error.
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/269996.html