Using Let's Encrypt to secure Windows Remote Desktop connections

I’ll give you the manual steps that I take. I only have a couple of client stations that it is needed on, so I have not taken the time to automate the process. Besides, this is the best way to see what is actually happening.

  • Even though we have a valid LetsEncrypt certificate in the server’s certificate store [Remote Desktop]-[Certificates], RDP clients still see a “The identity of the remote computer cannot be verified” message when trying to connect.
  • We need to digitally sign the RDP files on the client machines with an SSL certificate to get rid of the message.
  • First, copy the Let’s Encrypt certificate that you want to use from [Personal]-[Certificates] and paste it into the certificate store under [Remote Desktop]-[Certificates].
  • Export that LetsEncrypt certificate on the server from the server’s certificate store under [Remote Desktop]-[Certificates].
  • You MUST choose to include the cert’s Private Key when exporting.
  • Copy the exported PFX file from the server to the client machines that have RDP files.
  • On the client machine, import the server’s PFX format certificate into the client’s Personal certificate store.
  • Now, we can use rdpsign.exe to sign the client’s RDP file that connects to the server.
  • Go into the client’s certificate store to [Personal]-[Certificates].
  • Open the imported cert and go to the [Details] tab of the [Certificate Information] dialog.
  • Choose [All Fields] from the first dropdown list.
  • Find the value of the [Signature Hash Algorithm] … (probably SHA256, or maybe SHA1 on older certs).
  • Find the value of the [Thumbprint] field. This will be a series of two byte characters that are separated by spaces.
  • Copy the Thumbprint value and edit all of the white space out of it, so that it is a solid string of characters. There may be an odd character at the front of the string; if so, it will need to be deleted. You might not be able to see this character, so it is best to place the cursor at the front of the string and hit Delete until the first real character of the thumbprint string is deleted, then retype that character at the beginning of the string.
  • Launch a Command Prompt (with admin privileges).
  • Run this command with YOUR OWN values:
    rdpsign.exe /sha256 f428629df8fdaefc701ee0335e956edc9844b0aa "C:\Users\bubba\Desktop\MyServerConnection.rdp"
  • If rdpsign completes successfully, you will see the message “All rdp file(s) have been successfully signed.”
  • Now, when that signed client is used to connect to its server for the first time, the user will see the server name, etc., and will have to click [Ok] that first time.
  • After that, future RDP connections will connect with no messages.

CBruce
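A PowerShell version of the client-side signing step, added here as an example and not part of CBruce's post: it looks the imported certificate up by the server's DNS name, reads the thumbprint from the certificate store (so there is no whitespace or hidden leading character to clean up by hand), and runs rdpsign.exe. It assumes the PFX was imported into the client's Personal store as described above; `$ServerDns` and the RDP file path are placeholders to replace with your own values.

```powershell
# Added example (not from CBruce's post): sign RDP files with the imported
# Let's Encrypt certificate, taking the thumbprint straight from the
# certificate store instead of copying it out of the Details tab.
# Assumptions: the PFX was imported into the client's Personal store
# (Cert:\CurrentUser\My); $ServerDns and $RdpFiles are placeholders.
param(
    [string]   $ServerDns = 'rds.example.com',   # placeholder: the server's DNS name
    [string[]] $RdpFiles  = @("$env:USERPROFILE\Desktop\MyServerConnection.rdp")
)

# rdpsign.exe is run from an elevated prompt in the post; warn if we are not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Not running elevated; rdpsign.exe may fail.'
}

# Pick the newest unexpired Let's Encrypt cert for the server that has a private key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.Subject -like "*CN=$ServerDns*" -and
        $_.Issuer  -like "*Let's Encrypt*"  -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No usable Let's Encrypt certificate for $ServerDns in Cert:\CurrentUser\My" }

# .Thumbprint is already a plain 40-hex-digit string: no spaces and no hidden
# leading character, so nothing to clean up by hand.
$thumb = $cert.Thumbprint
if ($thumb -notmatch '^[0-9A-F]{40}$') { throw "Unexpected thumbprint format: '$thumb'" }

# Match the rdpsign switch to the certificate's signature hash algorithm
# (the Signature Hash Algorithm field the post tells you to check).
$switch = if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') { '/sha1' } else { '/sha256' }
Write-Host "Signing with $($cert.Subject), expires $($cert.NotAfter), thumbprint $thumb ($switch)"

foreach ($rdp in $RdpFiles) {
    if (-not (Test-Path -LiteralPath $rdp)) { Write-Warning "Skipping missing file: $rdp"; continue }
    & rdpsign.exe $switch $thumb $rdp
    if ($LASTEXITCODE -ne 0) { throw "rdpsign.exe failed for $rdp (exit code $LASTEXITCODE)" }
    Write-Host "Signed $rdp"
}
```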