securing RDP with SSL, are custom certs needed?

  • Question


    Based on this article, the author creates a copy of the "computer" template from an internal PKI. He adds an additional key usage just for RDP authentication.

    I am already issuing "computer" certificates to all domain joined machines (servers and workstations). They are already copies of the original "computer" certificate template. My question is, do I still need to even perform the steps of making an RDP specific certificate template?

    If both client and server already have computer certificates and trust, why would I need a specific RDP certificate template?

    Friday, November 22, 2019 12:24 AM


  • For anyone who comes across this. The answer is no.

    RDP specific certs are not needed.

    Although many guides tell you to add the OID  ( to make things work, if you already have a cert template that uses "server authentication" that's all you need.

    Basic requirements for Remote Desktop certificates:
    The certificate is installed into computer’s “Personal” certificate store.
    The certificate has a corresponding private key.
    The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" ( Certificates with no "Enhanced Key Usage" extension can be used as well.

    • Marked as answer by cyr0nk0r Saturday, November 23, 2019 10:38 PM
    Saturday, November 23, 2019 10:38 PM
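
    The three requirements listed in the answer above can be checked on a host with the following PowerShell. This is an added example, not part of the original post. The function name `Get-RdpCertificateCandidate` is hypothetical, and the OID values are the standard ones for these usages rather than values taken from this page.

```powershell
# Added example: report which certificates in the computer's Personal store
# meet the requirements quoted in the answer. Run from an elevated prompt.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication (standard OID)
$RdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication (standard OID)
$EkuExtOid     = '2.5.29.37'                # Enhanced Key Usage extension

function Get-RdpCertificateCandidate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # computer "Personal" store

    # Thumbprint currently bound to the RDP listener, if it can be read.
    $bound = (Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" `
                -ErrorAction SilentlyContinue).SSLCertificateSHA1Hash

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # A missing EKU extension means no usage restriction, which is acceptable.
        $eku    = $cert.Extensions[$EkuExtOid]
        $usages = @()
        if ($eku) { $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        $ekuOk = (-not $eku) -or
                 ($usages -contains $ServerAuthOid) -or
                 ($usages -contains $RdpAuthOid)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter          # informational only
            HasPrivateKey = $cert.HasPrivateKey
            EkuPresent    = [bool]$eku
            EkuOids       = $usages -join ', '
            UsableForRdp  = $cert.HasPrivateKey -and $ekuOk
            BoundToRdp    = ($bound -and $cert.Thumbprint -eq $bound)
        }
    }
}

Get-RdpCertificateCandidate |
    Sort-Object UsableForRdp -Descending |
    Format-Table Subject, Thumbprint, HasPrivateKey, EkuPresent, UsableForRdp, BoundToRdp -AutoSize
```

    A certificate that shows `UsableForRdp = True` but `BoundToRdp = False` meets the listed requirements without being the one the listener currently presents.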
