Use OpenSSL to create a self-signed certificate for windowsserver Remote Desktop (RDP) (self-signed SSL certificate)

Source: Internet
Author: User
Tags creative commons attribution openssl ocsp ssl certificate windows remote desktop startssl


I read a lot of information, only to write this article, if there are errors, please put forward the reader in time.
In general, when you use Remote Desktop to connect to Windows Server, there is always a warning prompt, 1

Figure 1
This warning occurs because the certificate is a self-signed certificate for the server and our client is not recognized, so I think about how to use the certificate to secure the use of Remote Desktop (RDP).

    1. Using WindowsServer's "AD Certificate Service" to generate the entire PKI, which has a complete set of certificate system, naturally all the relevant certification problems solved. The disadvantage is that the operation is very complex and the advantages are safety, business level!
    2. Use OpenSSL to build your own certificate, than the way one will save a lot of steps, the use of simple, suitable for development testing, the disadvantage is that the level of security can not be used for the height of the business (in fact, the operator is familiar with PKI, X509, can also make a standard certificate)
About OpenCA:

OpenCA is an open source project for building a private PKI. The author Caishuxueqian, has not studied this, hoped that has the relatively clear reader to inform how to apply to the Remote Desktop server authentication. ^-^

    1. The client needs to check the certificate revocation status when connecting to the server Remote Desktop. There are two ways to check certificate revocation status: CRL and OSCP
      1.1 OCSP
      By default, the certificate path validation settings use OCSP, but because we are self-signed certificates, the Windows check always prompts "Invalid signer eku"/"Invalid signer Eku", so we cannot use this method to verify certificate revocation status.
      1.2 CRL
      When OCSP does not meet our needs, we can only use CRLs to verify certificate revocation status, so we also need to use a site to provide CRLs
    2. Flexible to use in OpenSSL x509v3_config . At present, many articles do not talk about how to add in the certificate, CRL分发点 授权信息访问 such as extended information, the reason is not understand the application of x509z Certificate extension, of course, there are many articles in the mention, but not clearly specified, will let the reader confused. 强烈推荐使用OpenSSL的读者阅读x509v3_config-x509 V3 Certificate Extension configuration format

recognises, the actual combat now!


I am using Ubuntu, so there may be different operating system OpenSSL configuration file path is not the same situation, please readers themselves according to their own situation to find the default configuration file.
Do not use too old OpenSSL, beware of loopholes.

Prepare the Environment
mkdir openssl.Testcd openssl.Testmkdir -p ./demoCA/{private,newcerts} touch demoCA/index.txt touch demoCA/serialtouch demoCA/crlnumberecho 01 > demoCA/serialecho 01 > demoCA/crlnumbercp /etc/ssl/openssl.cnf .
Self-built CA

When prompted to enter information, please remember the input, the following article is useful.

    1. Setting the private key
openssl genrsa -des3 -out ./demoCA/private/cakey.pem 2048
    1. Request a self-signed certificate
openssl req -new -x509 -days 365 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem

Open the openssl.cnf we copied before.


default_crl_days= 365

Make sure the following 2 lines exist under REQ (default first row is yes, line 2nd is commented)

[ req ]distinguished_name = req_distinguished_namereq_extensions = v3_req

Examples of V3_REQ nodes are as follows:

[ v3_req ]# 在证书请求中添加扩展# 作为最终证书,不能用此证书作为中间证书 具体表现为在查看证书中"基本约束"为 Subject Type=End EntitybasicConstraints = CA:FALSEkeyUsage = nonRepudiation, digitalSignature, keyEncipherment# 暂且理解用来扩展域名吧,DNS.1建议写服务器域名,否则在做HTTPS网站时就呵呵了(题外话), SANs是超级有用的!subjectAltName = @alt_names# 指定CRL地址的 必需crlDistributionPoints = @crl_section# CPS 说明,具体表现在查看证书"免责说明"中certificatePolicies = @polsect[ alt_names ]DNS.1 = test.comDNS.2 = a.test.comDNS.3 =[crl_section]URI.0 =[polsect]policyIdentifier =""[email protected][notice]explicitText="Prower By Low-grade Coder"
Generate a server certificate
    1. Setting the private key
openssl genrsa -out userkey.pem 2048
    1. Create a certificate request
      countryName, stateOrProvinceName the organizationName default requirements and the construction of the CA to fill in the same, if you want to modify the rules can be modified in the openssl.cnf [ CA_default ] ,
# Common Name 写域名或IPopenssl req -new -days 365 -key userkey.pem -out userreq.pem
    1. Issued
openssl ca -in userreq.pem -out usercert.pem -extensions v3_req -config openssl.cnf
    1. Making PFX
openssl pkcs12 -export -inkey userkey.pem -in usercert.pem -out user.pfx
Revoking a certificate

Well, we don't have to revoke the certificate, temporarily ignoring

openssl ca -revoke usercert.pem -cert ./demoCA/cacert.pem -keyfile ./demoCA/private/cakey.pem
Generate Revocation List
openssl ca -gencrl -out rootca.crl -cert ./demoCA/cacert.pem -keyfile ./demoCA/private/cakey.pem --config openssl.cnf

Then rootca.crl deploy to the site so that clients can access the address in the configuration file using the HTTP/HTTPS protocol [crl_section] .

Get ready to do this!

WindowsServer Importing Root Certificates
    1. cacert.pemRename to cacert.crt , copy to the server, click Install to, at this point 本地计算机 , the root certificate installation is complete
Import server Certificate
    1. Import user.pfx , 本地计算机 and 当前用户 both need to be imported into the 个人 directory.
      PS: Using "Automatically select certificate store according to certificate type" is OK, the directory will be selected by default 个人
Setting up a Remote Desktop certificate

Using the command to certmgr.msc Open Certificate Manager, expand, 个人 证书 Double-click the certificate that we just imported, select 详细信息 , locate 指纹 , copy its contents to Notepad (or command line), remove 空格 , spare.
PS: That string of hexadecimal front space is super hidden.

Using commands

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set  SSLCertificateSHA1Hash="刚处理的指纹"

The successful words of the update appear, such as failure, please check the details carefully.

Modify Group Policy

Again, the certificate default revocation query uses OCSP, but the author has not yet been transferred, only by modifying Group Policy to force the CRL, but this will have a series of drawbacks (of course, can be avoided), if there are readers can use OCSP to verify the certificate revocation status, this step can be avoided! Then please contact the author! Thank you.

启动组策略 gpedit.msc[计算机配置]->[安全设置]->[公钥策略]打开[证书路径验证设置]选择[吊销]选项卡勾选[定义这些策略设置]、[始终首选证书吊销列表(CRL)而非联机证书状态协议(OCSP)响应(不推荐)(P)]

应用重启机器. At this point, the server-side configuration is complete.

Windows Import root Certificate
    1. cacert.pemRename to cacert.crt , copy to the server, click Install to, at this point 本地计算机 , the root certificate installation is complete
^.^ It's time to end this torture little thing.

Open Remote Desktop mstsc , verify results, 2

Figure 2


There must be a reader who asks, wouldn't it be a hassle to use a self-signed certificate to connect to a remote desktop and require a client to install a CA?
For this problem, the general use of this method for developing test learning, such as do not want to configure WindowsServer Certificate Server or OpenCA, etc., you can directly use the online service provider's certificate, simply omit the relevant self-built certificate in this article, you can apply. Reference Configure your Windows Remote Desktop (RDP) to the use of TLS with a STARTSSL certificate

Progress on the research of OCSP author

First modify the configuration file




Authorityinfoaccess = @ocsp_section

Caissuers; uri.0 = Http://
OCSP; uri.0 =


其次创建个OCSP服务端 (OCSP Responser)

OpenSSL ocsp-index./democa/index.txt-ca./democa/cacert.pem-rsigner Usercert.pem-rkey userkey.pem-port 8000-text

接着再开一个终端,验证下证书OCSP Client

OpenSSL ocsp-issuer./democa/cacert.pem-url 01-vafile Usercert.pem


Response Verify OK
This Update:aug 4 09:20:46 2018 GMT


Certutil-url C:\USERS...\CACERT.CRT
选择检索方式为OCSP,点击检索The result of "Invalid signer Eku"/"Invalid signer Eku" appears in the end.
I guess after all our self-signed certificate, the server can not verify our identity it.


[SOLVED] Rdp-a revocation check could not being performed for the Certificate-microsoft Remote Desktop services-spiceworks
Robiii:configure your Windows Remote Desktop (RDP) to the use of TLS with a STARTSSL certificate
Rds:rd Gateway must is configured to use an SSL certificate signed by a trusted certification authority | Microsoft Docs
Implementing an OCSP Responder:part i–introducing OCSP | Ask the Directory Services Team
Openssl:how to setup a OCSP server for checking third-party certificates? -Server Fault
Windows Server R2 Remote Desktop security certificate Warning-zlyux-51cto Blog
How to make a certificate with the OpenSSL tool and its considerations summary-CSDN Blog
How to create and administer-Certificate chains, part I
Ssl-openssl CA keyusage Extension-super User


This article uses the Creative Commons Attribution-Non-commercial use-share 2.5 Chinese mainland License Agreement license in the same way, publishes in CSDN and the blog Garden, welcome the reader to reprint, but does not have the author consent must retain this paragraph statement, and in the article page obvious location gives the original text connection! Please respect the reader/crawler版权

Use OpenSSL to create a self-signed certificate for windowsserver Remote Desktop (RDP) (self-signed SSL certificate)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.