Objective
I read a lot of material just to write this article; if there are errors, please point them out promptly.
In general, when you use Remote Desktop to connect to Windows Server, a warning prompt always appears, as in Figure 1.
Figure 1
This warning occurs because the server's certificate is self-signed and our client does not trust it, so I looked into how to use certificates to secure Remote Desktop (RDP).
Workarounds:
- Use Windows Server's Active Directory Certificate Services to build the entire PKI. It comes with a complete certificate system, so all related certification problems are naturally solved. The disadvantage is that the setup is very complex; the advantages are security and enterprise-grade quality!
- Use OpenSSL to build your own certificates, which saves a lot of steps compared with the first way. It is simple to use and suitable for development and testing; the disadvantage is that the level of security is not suitable for high-value business use (in fact, an operator familiar with PKI and X.509 can also produce standard certificates this way).
About OpenCA:
OpenCA is an open source project for building a private PKI. The author's knowledge is shallow and I have not studied it; I hope a reader who understands it clearly will explain how to apply it to Remote Desktop server authentication. ^-^
Difficulties:
- The client needs to check the certificate's revocation status when connecting to the server's Remote Desktop. There are two ways to check revocation status: CRL and OCSP.
1.1 OCSP
By default, the certificate path validation settings use OCSP, but because our certificates are self-signed, the Windows check always reports "Invalid signer Eku", so we cannot use this method to verify revocation status.
1.2 CRL
When OCSP does not meet our needs, we can only use CRLs to verify revocation status, so we also need a web site to serve the CRL.
- Using the x509v3_config extensions in OpenSSL flexibly. At present, many articles do not explain how to add extensions such as the CRL distribution point and Authority Information Access to the certificate, because they do not understand how X.509 v3 certificate extensions are applied. Of course many articles mention it, but they do not specify it clearly, which confuses the reader. Readers who use OpenSSL are strongly recommended to read x509v3_config - X509 V3 certificate extension configuration format.
Enough talk; on to practice!
OpenSSL
I am using Ubuntu, so the OpenSSL configuration file path may differ on other operating systems; readers should locate the default configuration file for their own system.
Do not use an OpenSSL that is too old; beware of known vulnerabilities.
Openssl
I am using Ubuntu, so there may be different operating system OpenSSL configuration file path is not the same situation, please readers themselves according to their own situation to find the default configuration file.
Do not use too old OpenSSL, beware of loopholes.
Prepare the Environment
mkdir openssl.Test
cd openssl.Test
mkdir -p ./demoCA/{private,newcerts}
touch demoCA/index.txt
touch demoCA/serial
touch demoCA/crlnumber
echo 01 > demoCA/serial
echo 01 > demoCA/crlnumber
cp /etc/ssl/openssl.cnf .
Self-built CA
When prompted to enter information, please remember what you enter; it is needed later in the article.
- Generate the private key
openssl genrsa -des3 -out ./demoCA/private/cakey.pem 2048
- Request a self-signed certificate
openssl req -new -x509 -days 365 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem
Adjust openssl.cnf
Open the openssl.cnf we copied before.
[ ca_default ]
default_crl_days = 365
Make sure the following 2 lines exist under [ req ] (by default the first line is present and the second is commented out):
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
An example of the v3_req section is as follows:
[ v3_req ]
# Add extensions to the certificate request
# This is an end-entity certificate and cannot be used as an intermediate CA; in the certificate viewer "Basic Constraints" shows Subject Type=End Entity
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Think of this as extending the domain names for now; DNS.1 should be the server's domain name, otherwise an HTTPS site will not be happy (an aside). SANs are super useful!
subjectAltName = @alt_names
# Specifies the CRL address; required
crlDistributionPoints = @crl_section
# CPS statement, shown in the certificate viewer under the disclaimer (Issuer Statement)
certificatePolicies = @polsect
[ alt_names ]
DNS.1 = test.com
DNS.2 = a.test.com
DNS.3 = b.test.com
[ crl_section ]
URI.0 = http://example.com/rootca.crl
[ polsect ]
policyIdentifier = 2.5.29.32.0
CPS.1 = "http://example.com/"
userNotice.1 = @notice
[ notice ]
explicitText = "Prower By Low-grade Coder"
Generate a server certificate
- Generate the private key
openssl genrsa -out userkey.pem 2048
- Create a certificate request. By default, countryName, stateOrProvinceName and organizationName must be filled in with the same values used when building the CA; if you want to change this rule, modify it in the [ CA_default ] section of openssl.cnf.
# Common Name: enter the domain name or IP
openssl req -new -days 365 -key userkey.pem -out userreq.pem
- Issue the certificate
openssl ca -in userreq.pem -out usercert.pem -extensions v3_req -config openssl.cnf
- Make the PFX
openssl pkcs12 -export -inkey userkey.pem -in usercert.pem -out user.pfx
Revoking a certificate
Well, we don't need to revoke the certificate yet, so skip this for now.
openssl ca -revoke usercert.pem -cert ./demoCA/cacert.pem -keyfile ./demoCA/private/cakey.pem
Generate the Revocation List
openssl ca -gencrl -out rootca.crl -cert ./demoCA/cacert.pem -keyfile ./demoCA/private/cakey.pem -config openssl.cnf
Then deploy rootca.crl to a web site so that clients can fetch it over HTTP/HTTPS at the address set in [ crl_section ] of the configuration file.
Preparation done; now the real work!
Windows Server: Import the Root Certificate
Rename cacert.pem to cacert.crt, copy it to the server, open it and click Install Certificate, choosing Local Computer as the store location. The root certificate installation is complete.
Import the Server Certificate
- Import user.pfx; it must be imported into the Personal store of both Local Computer and Current User.
PS: Using "Automatically select the certificate store based on the type of certificate" is fine; the Personal store will be selected by default.
Setting up a Remote Desktop certificate
Run certmgr.msc to open Certificate Manager, expand Personal > Certificates, double-click the certificate we just imported, select Details, locate Thumbprint, copy its contents to Notepad (or the command line), remove the spaces, and keep the result for later.
PS: There is a super-hidden character in front of that hex string that looks like a space.
Using the command
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="the thumbprint you just cleaned"
If the update succeeds, a success message appears; on failure, check the details carefully.
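The thumbprint step above is where most people trip over the hidden leading character. The following added example (not from the original article) cleans a thumbprint pasted from certmgr.msc, strips spaces, colons and the invisible U+200E left-to-right mark that Windows places in front of the hex string, validates it, and computes the thumbprint independently from usercert.pem (SHA-1 over the DER bytes) so the two can be compared before wmic is run. SAMPLE_PEM is a constructed stand-in whose body decodes to the bytes "abc".

```python
import base64
import hashlib
import re

# Constructed PEM for this example: the body is base64("abc"), so its "thumbprint"
# is simply SHA-1(b"abc"). A real usercert.pem works the same way, because a
# Windows thumbprint is SHA-1 over the certificate's DER encoding.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

HEX40 = re.compile(r"^[0-9A-F]{40}$")


def sha1_hex(data: bytes) -> str:
    """Uppercase hex SHA-1, the form certmgr shows once spaces are removed."""
    return hashlib.sha1(data).hexdigest().upper()


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to obtain the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def thumbprint_from_pem(pem: str) -> str:
    """Compute the thumbprint from the PEM file instead of copying it from the GUI."""
    return sha1_hex(pem_to_der(pem))


def normalize_thumbprint(copied: str) -> str:
    """Clean a thumbprint pasted from certmgr.msc: drop everything that is not a hex
    digit (spaces, colons and the hidden U+200E mark), then require exactly 40 hex
    digits so a truncated or mangled value never reaches wmic."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", copied).upper()
    if not HEX40.match(cleaned):
        raise ValueError("expected 40 hex digits, got %r" % cleaned)
    return cleaned


def wmic_command(thumbprint: str) -> str:
    """Build the wmic line from the article with the cleaned thumbprint inserted."""
    return (
        r'wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting '
        'Set SSLCertificateSHA1Hash="%s"' % normalize_thumbprint(thumbprint)
    )


if __name__ == "__main__":
    # Constructed paste: hidden U+200E mark followed by the space-separated hex.
    pasted = "\u200ea9 99 3e 36 47 06 81 6a ba 3e 25 71 78 50 c2 6c 9c d0 d8 9d"
    assert normalize_thumbprint(pasted) == thumbprint_from_pem(SAMPLE_PEM)
    print(wmic_command(pasted))
```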
Modify Group Policy
Again, certificate revocation checking uses OCSP by default, but the author has not yet got it working, and can only force the CRL by modifying Group Policy; this has a series of drawbacks (which can of course be avoided). If any reader can use OCSP to verify certificate revocation status, this step can be skipped! Then please contact the author! Thank you.
Start Group Policy: gpedit.msc
[Computer Configuration] -> [Security Settings] -> [Public Key Policies]
Open [Certificate Path Validation Settings], select the [Revocation] tab, check [Define these policy settings] and [Always prefer Certificate Revocation Lists (CRLs) over Online Certificate Status Protocol (OCSP) responses (not recommended)(P)]
Apply
Restart the machine
At this point, the server-side configuration is complete.
Windows Client: Import the Root Certificate
Rename cacert.pem to cacert.crt, copy it to the client machine, open it and click Install Certificate, choosing Local Computer as the store location. The root certificate installation is complete.
^.^ Time to end this torturous little thing.
Open Remote Desktop (mstsc) and verify the result, as in Figure 2.
Figure 2
Extended
Some readers will surely ask: isn't it a hassle to use a self-signed certificate for Remote Desktop and require the client to install a CA?
For this problem: this method is generally used for development, testing and learning. If you do not want to configure Windows Server Certificate Services, OpenCA or similar, you can directly use a certificate from an online provider; simply omit the self-built certificate steps in this article and the rest applies. Reference: Configure your Windows Remote Desktop (RDP) to the use of TLS with a STARTSSL certificate.
Progress of the author's OCSP research
First, modify the configuration file.
Reference: [Those certificate-related things (SSL, X.509, PEM, DER, CRT, CER, KEY, CSR, P12, etc.)](https://www.cnblogs.com/guogangj/p/4118605.html)
[ v3_req ]
.....
authorityInfoAccess = @ocsp_section
[ ocsp_section ]
caIssuers;URI.0 = http://example.com/cacert.crt
OCSP;URI.0 = http://example.com/
......
Next, create an OCSP server (OCSP Responder):
openssl ocsp -index ./demoCA/index.txt -CA ./demoCA/cacert.pem -rsigner usercert.pem -rkey userkey.pem -port 8000 -text
Then open another terminal and verify the certificate as an OCSP client:
openssl ocsp -issuer ./demoCA/cacert.pem -url http://example.com:8000 -serial 01 -VAfile usercert.pem
We will observe that OCSP works normally:
Response Verify OK
01: good
This Update: Aug 4 09:20:46 2018 GMT
Then open Windows Server, import the relevant certificates, and check with certutil:
certutil -url C:\Users...\cacert.crt
Choose OCSP as the retrieval method and click Retrieve.
The result is still "Invalid signer Eku".
I guess that since it is, after all, our self-signed certificate, the server cannot verify our identity.
References
- [SOLVED] RDP - A revocation check could not be performed for the certificate - Microsoft Remote Desktop Services - Spiceworks
- Robiii: Configure your Windows Remote Desktop (RDP) to the use of TLS with a STARTSSL certificate
- RDS: RD Gateway must be configured to use an SSL certificate signed by a trusted certification authority | Microsoft Docs
- Implementing an OCSP Responder: Part I - Introducing OCSP | Ask the Directory Services Team
- OpenSSL: How to setup an OCSP server for checking third-party certificates? - Server Fault
- Windows Server R2 Remote Desktop security certificate warning - zlyux - 51CTO Blog
- OpenSSL OCSP - CSDN Blog
- x509v3_config - OpenSSL manual: /docs/manmaster/man5/x509v3_config.html
- How to make a certificate with the OpenSSL tool and a summary of its considerations - CSDN Blog
- How to create and administer certificate chains, part I
- SSL - OpenSSL CA keyUsage extension - Super User
Statement
This article is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 China Mainland License and is published on CSDN and Cnblogs. Readers are welcome to repost it, but without the author's consent this statement must be retained and a link to the original given in an obvious place on the article page! Readers and crawlers, please respect copyright.
Use OpenSSL to create a self-signed certificate for Windows Server Remote Desktop (RDP) (self-signed SSL certificate)