I have written a PowerShell script which should automate installing the RDP SSL certificate from the TSplus Java keystore. First it checks the thumbprint of the existing certificate against the one from the TSplus Java keystore and replaces it if the thumbprints are different. After replacing the certificate the RDP services are restarted.
I have saved the Replace-RDPCertificate-TSPlus.ps1 file in C:\ and created a scheduled task for it running as user SYSTEM, "Run with highest privileges" on and scheduled to run daily at 4 am. At action I have in "Program/Script" PowerShell and in "Add arguments (optional)" C:\Replace-RDPCertificate-TSPlus.ps1
For me my basic tests show it works but I will have to see if this automates the replacement of the certificate when TSPlus will renew the Let's Encrypt certificate.
Please test and let me know.
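The flow described in the post above (compare thumbprints, replace on mismatch, restart RDP), as an added example that is not the poster's script. The keytool path, keystore path and password are placeholders because the thread does not give them, and the keystore is assumed to be JKS with the key password equal to the store password.

```powershell
#Requires -RunAsAdministrator
# Added example, not the poster's script. Values in <...> are placeholders.
$Keytool   = '<path-to-keytool.exe>'          # placeholder: keytool from a JRE
$Jks       = '<path-to-TSplus-keystore.jks>'  # placeholder: not given in the thread
$JksPass   = '<keystore-password>'            # placeholder
$Pfx       = Join-Path $env:TEMP 'rdp-cert.p12'
$PfxSecure = ConvertTo-SecureString $JksPass -AsPlainText -Force

try {
    # 1. Convert the Java keystore to PKCS#12 so Windows can read it.
    Remove-Item $Pfx -ErrorAction SilentlyContinue
    & $Keytool -importkeystore -noprompt `
        -srckeystore $Jks -srcstoretype JKS -srcstorepass $JksPass `
        -destkeystore $Pfx -deststoretype PKCS12 -deststorepass $JksPass
    if ($LASTEXITCODE -ne 0) { throw "keytool failed with exit code $LASTEXITCODE" }

    # 2. Read the leaf certificate's thumbprint without importing anything yet.
    $leaf = (Get-PfxData -FilePath $Pfx -Password $PfxSecure).EndEntityCertificates |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $leaf) { throw 'No end-entity certificate found in keystore' }
    if ($leaf.NotAfter -lt (Get-Date)) { throw 'Keystore certificate is expired' }

    # 3. Compare with the thumbprint currently bound to the RDP-Tcp listener.
    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if ($listener.SSLCertificateSHA1Hash -eq $leaf.Thumbprint) {
        Write-Output 'RDP certificate already current; nothing to do.'
        return
    }

    # 4. Import with private key into LocalMachine\My and bind it to RDP.
    Import-PfxCertificate -FilePath $Pfx -Password $PfxSecure `
        -CertStoreLocation Cert:\LocalMachine\My | Out-Null
    Set-CimInstance -InputObject $listener `
        -Property @{ SSLCertificateSHA1Hash = $leaf.Thumbprint }

    # 5. The post restarts the RDP services; this drops active sessions.
    Restart-Service -Name TermService -Force
}
finally {
    # The PKCS#12 copy holds the private key; do not leave it in TEMP.
    Remove-Item $Pfx -Force -ErrorAction SilentlyContinue
}
```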
Automating the RDP SSL certificate
Re: Automating the RDP SSL certificate
Hello Yavuz,
Thank you for sharing this nice script!
FYI it is very interesting, because we released a new TSplus version a few days ago which includes just that (except we did not use PowerShell - nice scripting skills on your side!).
Starting with TSplus 10.30.6.12 if you are using TSplus Free Certificate Manager (which uses Let's Encrypt to install an HTTPS certificate on TSplus Web Portal), then the certificate will automatically be configured for RDP protocol too - and automatically renewed whenever necessary.
Adrien
TSplus CTO
Re: Automating the RDP SSL certificate
Great to hear you have included this functionality in your product, I think that it is an important feature. I will test the new version soon.
Re: Automating the RDP SSL certificate
Is this working for generated client? Every time I start the generated client, I get the well known message "the identity of the remote computer cannot be verified. Do you want to connect anyway?".
adrien wrote:
> Hello Yavuz,
> Thank you for sharing this nice script!
> FYI it is very interesting, because we released a new TSplus version a few days ago which includes just that (except we did not use PowerShell - nice scripting skills on your side!).
> Starting with TSplus 10.30.6.12 if you are using TSplus Free Certificate Manager (which uses Let's Encrypt to install an HTTPS certificate on TSplus Web Portal), then the certificate will automatically be configured for RDP protocol too - and automatically renewed whenever necessary.
How can I use the SSL-Certificate which is used for web portal also with the generated client?
regards,
Michael
Re: Automating the RDP SSL certificate
Hello,
SSL is meant for browser use only. The use of RDP certificate is not supported with TSplus.
Open a Control Panel > User Accounts > Manage your credentials and remove the saved credentials of the TSplus servers, restarting mstsc.exe and checking the "Allow me to save the credentials".
This pop up is normal and should then have no influence on your connection. Simply check the box and click connect.
If your server got updated to Windows 2016, then most likely you inherited the new RDP 10 protocol. As always, Microsoft does not keep a good descending compatibility with lower versions of Windows.
What you can do is lower the authentication method of your server by using a GPO. Open a gpedit.msc on your TSplus server and locate the following GPO:
Computer configuration / Administrative templates / Windows components / Remote Desktop Service / Remote Desktop session host / Security / Set client encryption level
You can also update the RDP protocol on your client computer.
Olivier
TSplus support team administrator

