Score:0

With multiple RDP certificates, do all get checked?


If a Windows host has multiple RDP certificates, do all of them get checked while connecting, or only the first one found?

I have RDP certificates deployed from a Root CA with a now-invalid OCSP location in the AIA. Connecting to every host now obviously takes longer, because the invalid OCSP address is checked. I would deploy additional valid RDP certificates, but I am unsure how it handles both certificates. If I am correct, it won't bother to check expired certs.

But would it check all RDP certs if they are not expired, and then of course still complain about the invalid OCSP?

I would hope that it somehow is satisfied with one completely valid RDP cert.

By "RDP certificate" I mean a certificate with an enhanced key usage value of "1.3.6.1.4.1.311.54.1.2".

Score:2

If you're not deploying them via Group Policy at present, I recommend you do so. This article describes how to create a custom cert template and GPO to get your servers enrolling and binding the correct cert.

The reason I suggest it - if you have an internal CA - is that it might be cleaner to simply replace the certs you have, using the GPO to force it. If you already have this setup, then tweaking the cert template and selecting the option to force all clients to re-enroll might get them to acquire and bind the new cert.

To answer your actual question, if you have multiple valid certs with the correct EKU, I believe RDP will bind with the cert that has the longest validity interval left (I did a brief search, but I can't find a reference for that right now). It might be worth finding a few machines in that situation and checking which cert thumbprint is being used for RDP vs what valid certs are in the store.

That's part of the reason I suggest issuing new certs across the board - if they're newer/have longer to run, RDP should bind to those rather than the ones with the incorrect OCSP. If that seems consistent, hopefully that'd avoid having to script a solution to force which local cert to bind. In my experience, refreshing/reissuing a valid cert works without additional steps required.

Synertry:
I have set up a two-tier hierarchy on top of the Windows certificate services, but I am migrating to EJBCA and replacing the root cert because of the old imprinted AIA and CRL locations. The current set of RDP certs is enrolled via GPO, but I am unsure whether changing the root cert authority and probably the intermediate authority will clean up the old invalid certs. Using the same cert template name from a new intermediate should do the trick, shouldn't it? Also, thanks for answering my actual question. I will mark your answer as the correct one for that.
LeeM:
I'd actually suggest a new template and updating your GPO accordingly if you're changing the issuing CA, because that'll force a new enrolment when the servers do a GP refresh, with less ambiguity about whether they'll wait till the current cert gets to the renewal interval. A different template name could also be handy if you want to script some checks on the servers. I suggest testing either way out with a few machines and a custom RDP enrolment GPO first (and ensuring security on the test "same name"/"different name" cert templates is locked down to your test server groups).
Score:1

It seems it is possible to force-bind a cert for the RDP connection. (Credits to the fellow on Reddit.)

This checks the current bound certificate:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash

And this can set it:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<THUMBPRINT>"

If setting a new cert does not work over wmic, you can also edit the registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

  • Value name: SSLCertificateSHA1Hash
  • Value type: REG_BINARY
  • Value data: (certificate thumbprint)

Be careful! Setting an invalid cert makes a new RDP connection impossible.
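Added example, not code from either answer: a PowerShell script that lists the LocalMachine\My certs carrying the Remote Desktop Authentication EKU, builds each chain with online revocation checking (so a dead OCSP responder shows up as a chain status and a long check time), reports the thumbprint RDP-Tcp is currently bound to via the same WMI class the wmic commands use, and, with the script's own -Apply switch, rebinds RDP-Tcp to the chain-valid cert that expires last (the first answer's "longest validity left" heuristic). Assumes Windows PowerShell 5.1 or later, run elevated.

```powershell
# Added example, not from the thread. Assumes an elevated Windows PowerShell session.
param([switch]$Apply)   # -Apply is this script's own switch: rebind only when given

$RdpEku = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication EKU (from the question)
$Now    = Get-Date

function Get-RdpEligibleCert {
    # Certs with a private key, currently within validity, and carrying the RDP EKU.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $_.HasPrivateKey -and $_.NotBefore -le $Now -and $_.NotAfter -gt $Now -and
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $RdpEku })
    }
}

function Test-RdpCertChain($Cert) {
    # Online revocation checking mirrors what a connecting client does; timing it
    # makes a slow or unreachable OCSP/CRL location visible per certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ok = $chain.Build($Cert)
    $sw.Stop()
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        ChainOk    = $ok
        Status     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        CheckMs    = $sw.ElapsedMilliseconds
    }
}

$results = Get-RdpEligibleCert | ForEach-Object { Test-RdpCertChain $_ } | Sort-Object NotAfter -Descending
$results | Format-Table -AutoSize

# Current binding, read from the WMI class the wmic commands in the answer use.
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
"Currently bound: $($ts.SSLCertificateSHA1Hash)"

# Candidate: the chain-valid cert with the most validity left.
$best = $results | Where-Object ChainOk | Select-Object -First 1
if (-not $best) { "No RDP-eligible certificate passed chain validation; leaving binding unchanged." }
elseif ($Apply -and $best.Thumbprint -ne $ts.SSLCertificateSHA1Hash) {
    # Only bind a cert whose chain validated: a bad binding blocks new RDP sessions.
    Set-CimInstance -InputObject $ts -Property @{ SSLCertificateSHA1Hash = $best.Thumbprint }
    "Rebound RDP-Tcp to $($best.Thumbprint)"
}
```

Run it without -Apply first on a few hosts to compare the bound thumbprint against the candidates and their chain status; a cert pointing at the dead OCSP responder shows a large CheckMs and a revocation-related Status even when ChainOk is true.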
