Don’t you love it when you find that you never publish an old blog! This was originally created in 2022 but I have published. My question is why didn’t I shave before doing the video. Anyways here it is now. As you might have known I recently being working on a set or article that are all about PKI. But my last article was on Remote Desktop Connection Manager (RDCM), it was called What is RDCM?. I need to post the RDCM before I could talk about How to Create RDP Certificates. Without it this article would be a bit flat.

Remote Desktop Connection Certificate trust messages.

If you have used either RDCM or Remote Desktop Connection (RDC), I’m sure that you have see this annoying message. Worst yet it when it pops up behind the RDCM or RCM window. When this happened, you need to close RDCM, making sure RDCM is not full screen. Then you can get by the message.

Why does this warning message happen?

This simple answer is because each computer uses as self-sign certificate. Them means that of course your local computer does not trust it. This also means that you must validate that you Trust this computer that you are RDPing too. More importantly it is because communication between the two computer is encrypted and therefore secure. e.g. no man in the middle attacks.

This screenshot shows you that the certificate is self signed and that it is only valid for 6 months. Using a CA, would allow for the Cert to be renewed without any action on your part. And it will allow you to avoid seeing the “trust” this cert warning message again every 6 months.

Also because we created our own Certificate Authority (CA), we can now issue certificate for any purpose and therefore make this message a thing of the past.

The process is as follows:

  • Create an RDP Template
  • Create a GPO to automatically assigned RDP certificates to each computer

Create an RDP Template

OID

One piece of information that you will need before starting it the OID that we will extend the certifate template with. That OID is 1.3.6.1.4.1.311.54.1.2, you can read more about it on one fo the various OID lookup website. https://oid-rep.orange-labs.fr/get/1.3.6.1.4.1.311.54.1.2

Starting on your Certificate server. Load Certificate Authority, then expand Certificate Templates, right click and select Manage.

In the Certificate Template console, Locate the Computer template, right-click and select Duplicate Template.

On the General tab, Give the template a name.

Ensure that Application Policies is selected and click Edit.

Click Add.

Click New… button.

Enter an Application Name and the Object Identifier 1.3.6.1.4.1.311.54.1.2 before clicking OK.

Note:

If the OID already exists, you will receive a pop up like above.

Click OK to close the Add Application Policy window.

Select Client and Server Authentication and click Remove. Once completed Click OK to return to the template properties window.

Click OK to complete the template, then close the Certificate Template window. At this point you will want to wait for replication to occur.

Once replication has occurred, return to Certificate Authority MMC. Select Certificate Template and right-click point to New then Certificate Template to Issue.

Select the Template name and click OK. With that last step done, the Certificate template is ready to be issued.

How to Create RDP Certificates Video?

In this video, I will go over the step listed above so that you can see the whole processes in action.

Finally, don’t forget that you can subscribe to my YouTube channel and newsletter to stay on top of the latest trips and tricks. Additionally, if you have any questions, please feel free to touch base @Garthmj.