securing RDP with SSL, are custom certs needed?

  • Question

  • https://www.derekseaman.com/2018/12/trusted-remote-desktop-services-ssl-certs-for-win10-2019.html

    based on this article the author creates a copy of the "computer" template from an internal PKI. He adds an additional key usage just for RDP authentication.

    I am already issuing "computer" certificates to all domain joined machines (servers and workstations). They are already copies of the original "computer" certificate template. My question is, do I still need to even perform the steps of making an RDP specific certificate template?

    If both client and server already have computer certificates and trust, why would I need a specific RDP certificate template?

    Friday, November 22, 2019 12:24 AM

Answers

  • For anyone who comes across this. The answer is no.

    RDP specific certs are not needed.

    Although many guides tell you to add the OID (1.3.6.1.4.1.311.54.1.2) to make things work, if you already have a cert template that uses "server authentication" that's all you need.

    https://blogs.technet.microsoft.com/supportingwindows/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services/

    Basic requirements for Remote Desktop certificates:

    • The certificate is installed into the computer's "Personal" certificate store.
    • The certificate has a corresponding private key.
    • The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Certificates with no "Enhanced Key Usage" extension can be used as well.


    • Marked as answer by cyr0nk0r Saturday, November 23, 2019 10:38 PM
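The three requirements quoted in the answer can be checked directly on a server rather than taken on faith. The following PowerShell script is an added example, not code from the thread or from the linked articles: it reads which certificate the RDP-Tcp listener is bound to (the `SSLCertificateSHA1Hash` property of `Win32_TSGeneralSetting`), looks it up in the computer's Personal store, and reports whether it has a private key and an acceptable EKU (Server Authentication 1.3.6.1.5.5.7.3.1, Remote Desktop Authentication 1.3.6.1.4.1.311.54.1.2, or no EKU extension at all). The function name `Test-RdpCertificate` is my own; the script assumes it is run in an elevated PowerShell session on the RDP host.

```powershell
# Added example (not from the thread): verify the certificate used by the RDP-Tcp
# listener against the requirements quoted in the answer. Run elevated on the host.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication EKU
$rdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication EKU (from the answer)

# Hypothetical helper: evaluate one certificate against the RDP requirements.
function Test-RdpCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    # Pull the EKU extension if the certificate has one; a missing EKU is acceptable.
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $ekuOk = (-not $ekuExt) -or ($ekuOids -contains $serverAuthOid) -or ($ekuOids -contains $rdpAuthOid)
    $notExpired = $Certificate.NotAfter -ge (Get-Date)

    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        Subject       = $Certificate.Subject
        HasPrivateKey = $Certificate.HasPrivateKey
        EkuOids       = ($ekuOids -join ', ')
        EkuAcceptable = $ekuOk
        NotExpired    = $notExpired
        Usable        = ($Certificate.HasPrivateKey -and $ekuOk -and $notExpired)
    }
}

# Which certificate is the listener actually configured with? (stored as a SHA-1 thumbprint)
$listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                            -ClassName Win32_TSGeneralSetting `
                            -Filter "TerminalName='RDP-Tcp'"
$boundThumbprint = $listener.SSLCertificateSHA1Hash

# Requirement 1: the certificate must live in the computer's Personal store (LocalMachine\My).
$bound = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $boundThumbprint }
if (-not $bound) {
    Write-Warning "Listener thumbprint $boundThumbprint is not in LocalMachine\My; the listener is not using a certificate from the Personal store (the self-signed RDP certificate lives in the 'Remote Desktop' store)."
} else {
    Write-Host "Certificate currently bound to RDP-Tcp:"
    Test-RdpCertificate -Certificate $bound | Format-List
}

# Every certificate in the Personal store that would satisfy all three requirements,
# e.g. the plain "Computer" template certificate the question asks about.
Write-Host "Certificates in LocalMachine\My that are usable for RDP:"
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-RdpCertificate -Certificate $_ } |
    Where-Object { $_.Usable } |
    Format-Table Thumbprint, Subject, EkuOids -AutoSize
```

If the bound certificate shows `EkuAcceptable = True` with only `1.3.6.1.5.5.7.3.1` in `EkuOids`, that is the case the answer describes: a standard Computer template certificate with Server Authentication, no RDP-specific OID required. Clients will still warn unless the certificate chains to a CA they trust and its subject or SAN matches the name they connect with, which this script does not check.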
