Configuring RDP Listener Certificates With Windows Server 2016
Saturday 22nd October, 2016 16:18
There are many things I like about Server 2016 (and Server 2012 R2), but the removal of the Remote Desktop Configuration Manager MMC snap-in that was really useful in Server 2008 (which used to run this web server for several years) makes it a lot more difficult to configure a different certificate for the RDP listener. Instead of a few clicks in a GUI you now have to find the SHA1 hash and use the command line (you can also do it by adding a registry key, but WMI is easier in my opinion).
I went with Method 1, Using Windows Management Instrumentation (WMI) script, to configure the use of my certificate on my shiny new VM running Server 2016. After identifying the SHA1 hash of the certificate, the following command can be used on newer versions of Windows including Server 2016 to replace the default self-signed certificate:
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"
Not that you'll see the certificate, as I've locked down access to RDP to a handful of trusted IP addresses.
EDIT: Just a quick note in case that other page disappears. The thumbprint is the "Thumbprint" entry when viewing the certificate in IE, or the "Certificate Hash" when viewed in IIS Manager. Make sure to remove the invisible character at the start of the thumbprint, if one's there, and remove all of the spaces between the pairs of characters.
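The same steps as a PowerShell sketch (an added example, not from the original post): it strips the invisible character and spaces from a pasted thumbprint, checks the certificate before binding it, and reads the listener setting back. It assumes the certificate sits in the computer's Personal store (Cert:\LocalMachine\My) and that the listener has the default name RDP-Tcp; the function names and the sample thumbprint are made up for illustration.

```powershell
# Added example. Run from an elevated PowerShell prompt on the server.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Raw)
    # Drop everything that is not a hex digit: the spaces between pairs and any
    # invisible character (such as U+200E) copied from the certificate dialog.
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters for a SHA1 thumbprint, got $($clean.Length)."
    }
    return $clean
}

function Set-RdpListenerCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$TerminalName = 'RDP-Tcp'   # assumption: default listener name
    )
    $thumb = ConvertTo-CleanThumbprint -Raw $Thumbprint

    # Assumption: the certificate is in the computer's Personal store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { throw "No certificate $thumb in Cert:\LocalMachine\My." }
    # A listener certificate without its private key cannot complete a TLS handshake.
    if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumb expired on $($cert.NotAfter)." }

    $filter = "TerminalName='$TerminalName'"
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter $filter
    if (-not $ts) { throw "Listener '$TerminalName' not found." }
    Set-CimInstance -InputObject $ts -Property @{ SSLCertificateSHA1Hash = $thumb }

    # Read the setting back so a silently rejected value does not go unnoticed.
    $current = (Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter $filter).SSLCertificateSHA1Hash
    if ($current -ne $thumb) { throw "Listener still reports thumbprint '$current'." }
    return $current
}

# Constructed sample value (not a real certificate): leading U+200E plus spaces.
$pasted = "$([char]0x200E)00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"
ConvertTo-CleanThumbprint -Raw $pasted
# Set-RdpListenerCertificate -Thumbprint $pasted   # uncomment with a real thumbprint
```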