Score:1

Replace Self Signed RDP Cert with CA Signed Cert


A few servers are getting picked up by security scans with the following message:

The following certificate was at the top of the certificate chain sent by the remote host, but it is signed by an unknown certificate authority. | Subject : CN=serverabc.local | Issuer : CN=serverabc.local

The port referenced in the scan is port 3389 (RDP). The default RDP certs on each server (in the Remote Desktop cert store) are self-signed and still valid.

I think the issue comes down to the cert being self-signed and not being signed by a CA.

Would the following steps resolve this issue?

  1. Create an internal Certificate Authority
  2. Generate new CSRs for the vulnerable servers
  3. Sign the newly created CSRs with the mentioned CA
  4. Replace current (existing) self-signed RDP certs in the Remote Desktop cert store with the CA signed certs on each vulnerable server

Is there any potential issue/problems with swapping out the existing cert with a CA signed cert?

I'd appreciate any help/guidance with resolving this, thanks.
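One way to carry out step 4 on a server and to check what the listener currently presents, as an added PowerShell example that is not from the original question or answers. It assumes the CA-issued certificate has already been imported with its private key into Cert:\LocalMachine\My and that `$NewThumbprint` (a placeholder) is its SHA-1 thumbprint; run it from an elevated prompt.

```powershell
# Added example: inspect the RDP-Tcp listener's bound certificate and, when a
# thumbprint is supplied, rebind the listener to a CA-issued certificate.
# Assumes the new cert and its private key are already in Cert:\LocalMachine\My.
param(
    [string]$NewThumbprint = ''   # placeholder; take it from Get-ChildItem Cert:\LocalMachine\My
)

# The RDP-Tcp listener records its certificate as a SHA-1 thumbprint in WMI.
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$current = $listener.SSLCertificateSHA1Hash
Write-Host "Current RDP listener thumbprint: $current"

# Find the bound cert in either store RDP uses and report whether it is
# self-signed (Subject equals Issuer), which is what the scanner flagged.
$cert = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' |
    Where-Object Thumbprint -eq $current | Select-Object -First 1
if ($cert) {
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    Write-Host ("Subject: {0}`nIssuer:  {1}`nSelf-signed: {2}" -f `
        $cert.Subject, $cert.Issuer, $selfSigned)
}

if ($NewThumbprint) {
    $new = Get-Item "Cert:\LocalMachine\My\$NewThumbprint"
    # Checks before binding: private key present, and the chain validates as an
    # SSL server certificate for this host's FQDN against the machine's trusted roots.
    if (-not $new.HasPrivateKey) { throw 'New certificate has no private key' }
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if (-not (Test-Certificate -Cert $new -Policy SSL -DNSName $fqdn -ErrorAction SilentlyContinue)) {
        throw "Certificate does not validate as an SSL server cert for $fqdn on this host"
    }
    # Rebind: new RDP sessions use the new cert; existing sessions are unaffected.
    $listener | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $NewThumbprint }
    Write-Host "RDP listener now bound to $NewThumbprint"
}
```

The Remote Desktop service reads the private key as NETWORK SERVICE, so if the TLS handshake fails after rebinding, grant that account read access to the key in the certificate's private-key permissions.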

Score:0

Certificates issued by the internal CA will only be trusted by clients that have the certificate in their certificate store (your domain members and other infrastructure where you install the certificate), which the security scanner surely won't have.

To use a certificate that will be trusted by the security scanner, you'll surely need to purchase a commercial certificate.

Downvoting, because offline security scanners often have the ability to use either the local trusted certificate store (on a hosting machine that is part of the enterprise environment and likely has the internal root CA cert) or an option to add a trusted root certificate in the scanner configuration.
