Generate an SSL Certificate for Windows Remote Desktop Service

Source: Internet
Author: User
Tags: windows remote desktop

Windows has supported SSL-encrypted Remote Desktop services since 2000. You only need to specify a certificate in the Remote Desktop service settings, and the SSL option will appear among the encryption methods offered by RDP (from Windows Server 2008 onward, a self-signed certificate for the Remote Desktop service is built in by default). The problem is that Windows manages certificates very differently from Linux. All certificates are centrally managed by the OS in a container similar to a database, and services or applications that require certificates obtain them from that container through WMI. Because a standard Windows certificate carries a specified OID, matching certificates appear in the certificate list of the service or application.

The official Microsoft documentation explains how to generate standard Windows certificates, but every method relies on a domain. What I want is a tool that can generate self-signed certificates directly from the command line, like OpenSSL. To make application testing easier, Microsoft provides a number of small utilities, including the makecert command-line tool, which lets developers create self-signed test certificates from the command line.

The syntax of makecert is not complex, and the manual is clear, but some Microsoft-specific parameters deserve attention.

Example 1:

makecert -r -pe -n "CN=digglife.net" -e 01/01/2040 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -a SHA1 -len 2048

After running this command, the generated certificate can be found under the "Personal" certificate store in the certificate management console.

The parameters relevant to generating an SSL certificate for the Remote Desktop service are listed below. For more information, see the MSDN documentation.

-r: generate a self-signed certificate.

-pe: the private key can be exported (the private key is included in the certificate).

-n: certificate name (CN=, OU=, O=, and so on).

-e: certificate expiration date.

-eku: OID name. 1.3.6.1.5.5.7.3.1 is the "Server Authentication" OID.

-ss: certificate store name. "my" represents Personal.

-sr: the storage location of the certificate, either LocalMachine or CurrentUser.

-sky: key type.

-sp: the name of the cryptographic API provider.

-sy: the type of the cryptographic API provider.

-a: encryption algorithm.

-len: key length.
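
Microsoft has deprecated makecert in favour of the New-SelfSignedCertificate PowerShell cmdlet. The following added example (not part of the original article) reproduces Example 1 with that cmdlet, maps each makecert flag to its parameter, signs with SHA256 instead of SHA1, and then checks the properties the certificate needs. It assumes an elevated PowerShell session on Windows 10 / Server 2016 or later; the variable names are illustrative.

```powershell
# Added example, not from the original article. Run elevated on
# Windows 10 / Server 2016 or later (assumption).
$serverAuthOid = '1.3.6.1.5.5.7.3.1'       # "Server Authentication" (-eku)
$sha256RsaOid  = '1.2.840.113549.1.1.11'   # sha256WithRSAEncryption

$params = @{
    Subject           = 'CN=digglife.net'                  # -n
    CertStoreLocation = 'Cert:\LocalMachine\My'            # -sr localMachine -ss my
    Provider          = 'Microsoft RSA SChannel Cryptographic Provider'  # -sp
    KeySpec           = 'KeyExchange'                      # -sky exchange
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048                               # -len
    HashAlgorithm     = 'SHA256'                           # -a, SHA256 in place of SHA1
    KeyExportPolicy   = 'Exportable'                       # -pe; use 'NonExportable' if the key never leaves this host
    NotAfter          = [datetime]'2040-01-01'             # -e 01/01/2040
    TextExtension     = @("2.5.29.37={text}$serverAuthOid")  # EKU extension (-eku)
}
$cert = New-SelfSignedCertificate @params

# Read the EKU OIDs back from the certificate's extensions.
$ekuOids = @($cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value })

# Public key size, read through the .NET RSA certificate extensions.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

$checks = [ordered]@{
    'In LocalMachine\My'     = Test-Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    'Has private key'        = $cert.HasPrivateKey
    'Server Authentication'  = $ekuOids -contains $serverAuthOid
    'Signed with SHA256/RSA' = $cert.SignatureAlgorithm.Value -eq $sha256RsaOid
    'RSA key >= 2048 bits'   = $rsa.KeySize -ge 2048
    'Not expired'            = $cert.NotAfter -gt (Get-Date)
}
$checks.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }

if ($checks.Values -contains $false) {
    throw "Certificate $($cert.Thumbprint) failed one or more checks."
}
"Thumbprint: $($cert.Thumbprint)"
```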

Originally, makecert.exe was integrated into the .NET Framework development package. However, it is very difficult to download a huge SDK for such a small tool, so I put it here.

Makecert.exe download: http://www.2cto.com/uploadfile/2014/0808/20140808112724356.zip
