0x00 Background
When connecting with RDP (Windows Remote Desktop), whether you enter an IP address or a domain name, the client prompts "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
On macOS a similar prompt appears, with the same meaning as the one on Windows: the computer you are connecting to is presenting a certificate the client does not trust.
By default RDP presents a self-signed certificate issued for the computer name, so it is reasonable for clients to distrust it. On Windows the prompt goes away after clicking "Don't ask me again", but the macOS client keeps showing it. The only complete fix is therefore to replace the SSL certificate RDP uses on the computer being connected to.
Before proceeding with the following steps, make sure you have a domain name and the corresponding certificate file.
0x01 Prerequisites
If your certificate comes from a domestic cloud provider (Alibaba Cloud, Tencent Cloud, etc.), you can simply download it in PFX format instead. A certificate issued through acme.sh comes as a private key file (your.domain.key) and a certificate file (your.domain.crt). Windows cannot use this pair directly; it expects a PKCS#12 bundle, typically named your.domain.pfx.
You can convert the certificate with OpenSSL. Assuming OpenSSL is installed and the certificate has been issued, run:
openssl pkcs12 -export -in your.domain.crt -inkey your.domain.key -out your.domain.pfx
You will be prompted for an export password, which protects the private key inside the PFX. Remember it; it is required again when importing the certificate. When the command finishes, your.domain.pfx is in the current working directory.
0x02 Adding the Certificate
Copy the certificate produced in the previous step to the Windows computer and double-click it. The Certificate Import Wizard opens.
- Store Location: Local Machine
- File to Import: Simply click Next
- Private Key Protection: Enter the password entered in the previous step here
- Certificate Store: Personal
Click Finish to complete the import. The pfx file from the previous step is now in the Windows certificate store, but importing it alone does not make RDP use it.
Press Win+R, enter certlm.msc, and open the Local Computer certificate manager. Under Personal → Certificates you will find the certificate you just imported. Right-click it → All Tasks → Manage Private Keys. In the dialog that opens click Add, enter NETWORK SERVICE, and click OK. Grant NETWORK SERVICE the Read permission, then click OK to save it.
Double-click the certificate again, open the Details tab, and find the Thumbprint field in the list. Select it and copy its value for the next step.
0x03 Configuring the SSL Certificate
Now the thumbprint has to be configured for the RDP-Tcp listener. The value is stored in the registry; it is set here through WMI.
Assume the thumbprint obtained above is yourprivatefingerprint. Right-click the Start menu, run PowerShell as an administrator, and enter:
$fingerprint = "yourprivatefingerprint"
$path = (Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter 'TerminalName="RDP-Tcp"').__PATH
Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash="$fingerprint"}
With that, the certificate for Windows RDP is configured. If the domain name on the certificate resolves to this Windows computer, the next Remote Desktop connection will no longer show a certificate prompt.
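The steps in 0x02 and 0x03 can be combined into one script. The following is an added example, not code from the original post: it imports the PFX, checks the certificate before binding it, normalizes the thumbprint, binds it to the RDP-Tcp listener with the same WMI class the post uses, and reads the setting back to confirm it took effect. The PFX path and host name are assumptions; the "Manage Private Keys" step granting NETWORK SERVICE read access is still done in certlm.msc as described in 0x02.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# computer that accepts RDP connections. PfxPath and HostName are assumed values.

$PfxPath  = 'C:\certs\your.domain.pfx'   # assumed location of the file produced in 0x01
$HostName = 'your.domain'                 # the name clients type into the RDP client

# 1. Import into Local Machine \ Personal, the same stores the wizard in 0x02 uses.
#    The export password chosen during the OpenSSL conversion is requested interactively.
$PfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

# 2. Checks before binding. A certificate failing any of these still produces prompts:
#    no private key (RDP cannot use it), already expired, or a SAN that does not cover
#    the name clients connect to. -like lets a wildcard SAN such as *.example.com match.
if (-not $cert.HasPrivateKey) {
    throw 'Imported certificate has no private key; re-export the PFX with -inkey.'
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}
$sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if (-not ($sans | Where-Object { $HostName -like $_ })) {
    throw "Certificate names ($($sans -join ', ')) do not cover $HostName."
}

# 3. Normalize the thumbprint. A value pasted from the Details tab often carries spaces
#    or a hidden leading character; the WMI property expects 40 plain hex digits.
$fingerprint = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($fingerprint.Length -ne 40) {
    throw "Unexpected thumbprint length $($fingerprint.Length); expected 40 hex digits."
}

# 4. Bind the listener: same class, filter and property as the manual commands in 0x03.
$path = (Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
            -Filter 'TerminalName="RDP-Tcp"').__PATH
Set-WmiInstance -Path $path -Arguments @{ SSLCertificateSHA1Hash = $fingerprint } | Out-Null

# 5. Read the setting back and confirm the listener now references the imported certificate.
$bound = (Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
            -Filter 'TerminalName="RDP-Tcp"').SSLCertificateSHA1Hash
if ($bound -ne $fingerprint) {
    throw "RDP-Tcp is still bound to thumbprint $bound."
}
Write-Host "RDP-Tcp now uses $($cert.Subject) (thumbprint $fingerprint, valid until $($cert.NotAfter))"
```

The read-back in step 5 is the check worth keeping even when the rest is done by hand: if Set-WmiInstance silently fails (for example because the thumbprint contained non-hex characters), the listener keeps presenting the self-signed certificate and clients keep prompting. Because certificates from acme.sh are short-lived, the script is also what a renewal hook would run, with the NotAfter check catching a stale PFX before it is bound.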
This article is synchronized to xLog by Mix Space.
Original link: https://blog.allieqian.com/posts/tech/8EandzDrRKcdQn