Using a certificate generated from a self-signed root certificate to sign rdp files

  • Thursday, October 29, 2009 9:40 PM, Matthew Theobald

    I am running Remote Desktop Services on Windows Server 2008 R2.

    On the Digital Signature tab in the RemoteApp Manager, one can select a digital certificate with which to sign .rdp files. I can successfully select a Verisign code signing certificate from here and use it to sign an .rdp file. However, I want to be able to use a code signing certificate that was generated from a self-signed root certificate, but the certificate does not show up in the list of certificates that appears when I click the Change button.

    What criteria must the certificate (that is, the code signing certificate generated from a self-signed root certificate) meet to be able to sign .rdp files with it? If I cannot sign the .rdp file via the RemoteApp Manager, is there a way that I can do this manually?

    More information:
    - The self-signed root certificate was installed in the LocalMachine "Trusted Root Certification Authorities" store.
    - The code signing certificate (that was generated from the self-signed root certificate) was installed in the LocalMachine Personal store. When that did not work, I removed it from the LocalMachine Personal store and installed it in the CurrentUser Personal store. In both cases, the Authenticode signing certificate did not show up in the list of certificates.

Answers

  • Friday, October 30, 2009 7:50 AM, Joson Zhou (MSFT, Moderator)
     Answer

    Hi,

    To sign an .rdp file, you must install a certificate that meets the following requirements on the remote desktop session host:

    - The Enhanced Key Usage extension includes the Code Signing (1.3.6.1.5.5.7.3.3) or Server Authentication (1.3.6.1.5.5.7.3.1) object identifier.
    - The certificate was issued by a CA that the computer trusts.

    Thanks.

    Joson Zhou

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

    This posting is provided "AS IS" with no warranties, and confers no rights.

All Replies

  • Friday, October 30, 2009 4:19 PM, Matthew Theobald

    Our code signing certificate does not have the Enhanced Key Usage extension; I will add the extension to our certificate.

    How is it determined that the "certificate was issued by a CA that the computer trusts"?  Is it simply that the self-signed root certificate is installed in the "Trusted Root Certification Authorities" store?

    Regards,

    Matthew
  • Monday, November 02, 2009 1:53 AM, Joson Zhou (MSFT, Moderator)

    Hi,

    Yes, you just need to ensure that the root CA certificate is in the "Trusted Root Certification Authorities" store on the computer.

    Thanks.

    Joson Zhou
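
The two requirements from the answer (EKU object identifier, and a chain to a root the computer trusts) can be checked against the Personal stores named in the question. The following PowerShell is an added example, not part of the original thread and not Microsoft's code; the function name `Test-RdpSigningCandidate`, the `NoCheck` revocation setting and the extra private-key column are assumptions of this example.

```powershell
# Added example. EKU OIDs are the two quoted in the answer above.
$wantedEku = @{
    '1.3.6.1.5.5.7.3.3' = 'Code Signing'
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
}

# Hypothetical helper: reports whether one certificate meets both requirements.
function Test-RdpSigningCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Requirement 1: the Enhanced Key Usage extension lists one of the two OIDs.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | Select-Object -First 1
    $matched = @()
    if ($ekuExt) {
        $matched = @($ekuExt.EnhancedKeyUsages |
            Where-Object { $wantedEku.ContainsKey($_.Value) } |
            ForEach-Object { $wantedEku[$_.Value] })
    }

    # Requirement 2: the chain builds to a root trusted in the machine context.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    # Assumption: a private root CA may publish no CRL, so revocation is skipped here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        EkuMatch      = ($matched -join ', ')   # empty means requirement 1 fails
        ChainTrusted  = $trusted                # False means requirement 2 fails
        ChainStatus   = $status                 # e.g. UntrustedRoot when the root is not installed
        # Not one of the answer's two criteria, but signing needs the private key.
        HasPrivateKey = $Cert.HasPrivateKey
    }
}

# Stores taken from the question: LocalMachine and CurrentUser Personal.
Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My |
    ForEach-Object { Test-RdpSigningCandidate $_ } |
    Format-Table Subject, EkuMatch, ChainTrusted, HasPrivateKey, ChainStatus -AutoSize
```

A certificate with an empty `EkuMatch` column corresponds to the case described in the follow-up post, where the code signing certificate has no Enhanced Key Usage extension.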