
Using CA signed certificate for Vista Remote Desktop

Discussion in 'Windows Home Server' started by Matt, Oct 12, 2009.

  1. Matt

    Matt Guest

    I've just learned about StartSSL and thought I'd try to get a TLS
    certificate that I can use to authenticate and set up encryption on my
    Vista Business Remote Desktop Server. I see that it automatically
    generates a self-signed certificate. I've tried to generate a
    certificate and private key with StartSSL, but I can't find an option
    to make Vista use them. (Right now I have the public certificate
    imported, but don't see an option to import the private key as well).
    I'd also appreciate if someone could point me to some documentation on
    how to do this with Server 2003 as well.
     
  2. This is the reply I got from one of my colleagues:
    Hmm.. "Vista Business Remote Desktop Server" is it a server or client SKU?
    Also, I don't know what StartSSL is, some tool for creating certificates?

    In general, to be suitable for use with Remote Desktop a certificate
    should have the following characteristics:
    1. It needs to be installed, along with its private key, into the local
    computer's (not user's) "Personal" (My) certificate store.
    2. The EKU must be either "Server Authentication" or
    "1.3.6.1.4.1.311.54.1.2" (a special TS EKU).
    3. It should not be expired (obviously).

    On server SKUs you can use tsconfig.msc to select the certificate. Note:
    tsconfig will only allow you to select usable certificates (see criteria
    above).
    On client SKUs you can put the thumbprint of the certificate directly into
    the registry as a "SSLCertificateSHA1Hash" binary value:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
    "SSLCertificateSHA1Hash"=hex:65,53,29,d2,56,fb,f0,2a,d6,75,d9,08,61,2d,72,36,9c,26,5c,71
    (the value is just an example).

    To be able to import a certificate's private key, it must be exported
    together with its private key.
    And, as far as I know, you can only export private key of a certificate
    created with an exportable private key in the first place.

    Thx,
    Sergey.


    "Matt" <ssj4android@gmail.com> wrote in message
    news:26971083-2dda-475e-8bcb-604ffc393100@m38g2000yqd.googlegroups.com...
    > I've just learned about StartSSL and thought I'd try to get a TLS
    > certificate that I can use to authenticate and set up encryption on my
    > Vista Business Remote Desktop Server. I see that it automatically
    > generates a self-signed certificate. I've tried to generate a
    > certificate and private key with StartSSL, but I can't find an option
    > to make Vista use them. (Right now I have the public certificate
    > imported, but don't see an option to import the private key as well).
    > I'd also appreciate if someone could point me to some documentation on
    > how to do this with Server 2003 as well.
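
The three criteria and the client-SKU registry step from the reply above, as an added PowerShell example that is not part of the original thread. The function names are hypothetical, and the OID used for "Server Authentication" (1.3.6.1.5.5.7.3.1) is the standard value, which the reply does not spell out. Run it from an elevated prompt.

```powershell
# Added example: function names are hypothetical, not from the thread.
$UsableEku = @(
    '1.3.6.1.5.5.7.3.1',       # Server Authentication (standard OID, assumed here)
    '1.3.6.1.4.1.311.54.1.2'   # the special TS EKU quoted in the reply
)
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Test-RdpCertificate {
    # True when the certificate has a private key, a usable EKU and is not expired.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    $ekuOk = @($ekus | Where-Object { $UsableEku -contains $_ }).Count -gt 0
    $now = Get-Date
    return ($Cert.HasPrivateKey -and $ekuOk -and ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now))
}

function Get-RdpCandidateCertificate {
    # Criterion 1: the local computer's "Personal" (My) store, not the user's.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-RdpCertificate $_ }
}

function ConvertTo-ThumbprintBytes {
    # Turns a 40-digit hex thumbprint into the 20 bytes the registry value holds.
    param([string]$Thumbprint)
    $hex = $Thumbprint -replace '[^0-9A-Fa-f]', ''   # drop spaces and stray characters from copy/paste
    if ($hex.Length -ne 40) { throw "Expected a 20-byte SHA-1 thumbprint, got '$Thumbprint'" }
    $bytes = New-Object byte[] 20
    for ($i = 0; $i -lt 20; $i++) { $bytes[$i] = [Convert]::ToByte($hex.Substring($i * 2, 2), 16) }
    return ,$bytes
}

function Set-RdpCertificate {
    # Refuses to write a thumbprint that does not match a usable certificate.
    param([string]$Thumbprint)
    $bytes = ConvertTo-ThumbprintBytes $Thumbprint
    $clean = $Thumbprint -replace '[^0-9A-Fa-f]', ''
    $cert = Get-RdpCandidateCertificate | Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) { throw "No usable certificate with thumbprint $clean in LocalMachine\My" }
    New-ItemProperty -Path $RdpTcpKey -Name 'SSLCertificateSHA1Hash' `
        -PropertyType Binary -Value $bytes -Force | Out-Null
}

# List the candidates first, then pick one of the thumbprints shown:
Get-RdpCandidateCertificate | Format-List Subject, Thumbprint, NotAfter
# Set-RdpCertificate -Thumbprint '<thumbprint from the list above>'
```

An empty candidate list with the certificate visible in the store usually means it was imported without its private key, which is the situation described in the original question.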
     
