Signing .rdp file with Let's Encrypt certificate

I am using certbot in WSL on a Windows server. I have the domain littler-rm-dsksrv.com and I successfully obtained the certificate:

user@vmi1895852:/mnt/c/Users/Administrator$ sudo certbot certonly --cert-name littler -d littler-rm-dsksrv.com --register-unsafely-without-email
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
2: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A separate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/littler.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for littler-rm-dsksrv.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/littler/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/littler/privkey.pem
This certificate expires on 2025-02-14.
These files will be updated when the certificate renews.

I successfully exported this certificate to a pfx:

sudo openssl pkcs12 -inkey /etc/letsencrypt/live/littler/privkey.pem -in /etc/letsencrypt/live/littler/fullchain.pem -export -out rp.pfx

After that I imported this certificate into the Windows certificate store for the current user, so it is in:

Certificates - Current User -> Personal -> Certificates

Here is the screenshot: [image not included in this extract]

I then copied the thumbprint from the certificate details and signed the rdp file (12.rdp):

rdpsign.exe /sha256 6d67db78b3871f383e0145544a706446235f02da 12.rdp
Unable to use the certificate specified for signing.  Error Code: 0x80090016
The rdp file could not be signed.  Error Code: 0x80090016

Can someone help me understand what I am doing wrong?

Why do you need to sign that file?
[what are you going to use that file for/with?]

2 Likes

Let's Encrypt certificates aren't meant to sign files.

1 Like

You specified SHA-2, but instead used the SHA-1 fingerprint. Use this SHA256 value instead:

2b3bef6949c52e22e0ecdf483d38b509f9bf367c2e3b8a67ef7a4aca09f39aa4


For others reference, because I also had to look this up: It's perfectly valid to use a webPKI serverAuth certificate for RDP file signing, as per this Microsoft (ex-MSDN) article and this blog post.

4 Likes
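As an added example (not code from the thread), the following PowerShell snippet does what the answer above describes on the Windows side: it locates the imported certificate in the Current User personal store, derives the SHA-256 thumbprint that `rdpsign /sha256` expects (the store's `Thumbprint` property, and the value shown in the certificate dialog, is the SHA-1 hash), signs the file, and confirms the signature lines were written. The host name and file name are taken from the question; it assumes the certificate was imported with its private key into Cert:\CurrentUser\My and that rdpsign.exe is on the PATH.

```powershell
# Added example, not from the original post. Assumptions: the pfx was imported
# into Cert:\CurrentUser\My with its private key, and rdpsign.exe is on the PATH.
$DnsName = 'littler-rm-dsksrv.com'   # host from the question
$RdpFile = '.\12.rdp'                # file from the question

# Pick the newest certificate issued for the host that still has its private key;
# rdpsign cannot sign with a certificate that has no usable private key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$DnsName*" } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key for $DnsName found in Cert:\CurrentUser\My"
}

# $cert.Thumbprint is the SHA-1 hash of the DER-encoded certificate; passing it to
# /sha256 is the mistake in the question. Hash the same DER bytes with SHA-256 and
# format as lowercase hex without separators, which is what rdpsign takes.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
try {
    $thumb256 = -join ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('x2') })
}
finally {
    $sha256.Dispose()
}

"Subject:            $($cert.Subject)"
"Expires:            $($cert.NotAfter)"
"SHA-1   thumbprint: $($cert.Thumbprint.ToLower())   (do NOT use with /sha256)"
"SHA-256 thumbprint: $thumb256"

# rdpsign modifies the .rdp file in place, adding signscope:s: and signature:s: lines.
& rdpsign.exe /sha256 $thumb256 $RdpFile
if ($LASTEXITCODE -ne 0) {
    throw "rdpsign failed with exit code $LASTEXITCODE (0x$('{0:X8}' -f $LASTEXITCODE))"
}

# Confirm the signature was written; an unsigned file has neither line.
$content = Get-Content -Path $RdpFile
if (($content -match '^signscope:s:') -and ($content -match '^signature:s:')) {
    "Signed OK: $RdpFile"
}
else {
    throw "rdpsign returned 0 but $RdpFile carries no signature lines"
}
```

The only value that changes between a working and a failing run is the hash handed to `/sha256`; computing it from `$cert.RawData` rather than copying it from the certificate dialog removes the SHA-1/SHA-256 mix-up. Note that Let's Encrypt renews every few months and the new certificate has a new thumbprint, so any .rdp files must be re-signed after each renewal.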

While Certbot looks to run on WSL, is that the only reason you are using WSL?

Because a Windows-focused ACME client, like Certify the Web, would likely be easier to integrate for this. I don't know much about RDP, but there is an export task built in.

4 Likes

LE certs can be used directly for RDP.
So, I don't get the whole signing part of the process.

2 Likes

Totally fair. I think there were mixed signals. WSL and Certbot and pfx were peculiar in their own right 🙂

2 Likes

You can use an LE cert for your actual RDP service (e.g. RDP Gateway etc), but the signing of the RDP file you give out to users is done by your RDP admin tool and it's not the same thing. rdpsign | Microsoft Learn

You could maybe try using an LE cert, but I presume it won't work (I haven't checked the enabled usage attributes on a current LE cert). I think it usually just uses a self-signed cert generated on the machine itself rather than a public cert, but I'm not an RDP admin.

2 Likes
