Creating a self-signed cert and trusting it for Windows RDP (no domain)


Solution 1

There are at least three solutions to this dialog box:

  1. Check the Don't ask me again for connections to this computer checkbox
  2. Install the certificate used by the remote machine into your local machine Trusted Root Certification Authorities store
  3. Use a certificate signed by someone both computers trust

The first option is what most people do and it is perfectly fine to do that. It doesn't install the certificate or trust it completely, but it remembers to trust this certificate for an RDP connection only, and only to the computer with the host name used.

It creates a new registry key at:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers\Computer-1

with a Certhash value that has the thumbprint of the certificate.

If you delete this key, you get the dialog box again.

This exception is for your current user only, another user on the same machine has to do the same thing.

The second option is to actually trust the self-signed certificate. You have to start the Remote Desktop Connection as elevated administrator, then click the View certificate button, and on the next page the Install Certificate... button. Select Local Machine and Browse.... Use the Trusted Root Certification Authorities store and finish the import process.

Using this option any user on the computer can RDP into the remote machine without seeing the dialog, but you have now added a new CA to your computer, which is usually not the best idea and should be avoided. If someone hacks the remote computer, he could get hold of that certificate and use your trust in it for other purposes. The self-signed RDP certificate is for Server Authentication only, it cannot be used to sign other certificates, but you never know.

When enabling RDP on the remote computer Windows creates this self-signed certificate automatically, but it is usually only valid for six months, so after six months you have to repeat either option one or two.

With option three you can get certificates that are valid longer, but it requires you to have your own CA or to use a public one.

I would stick with option 1.
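The registry key described in this answer can be inspected from PowerShell. The script below is an added example, not code from the answer or from Microsoft; it assumes the `CertHash` value under each server key is stored as REG_BINARY holding the SHA-1 thumbprint, and it uses the `Win32_TSGeneralSetting` WMI class (on the remote host) to read the thumbprint the RDP listener actually presents, so the two can be compared. Function names are my own.

```powershell
# Added example, not code from the original answer. Assumes CertHash is a
# REG_BINARY SHA-1 thumbprint under HKCU, i.e. per-user, as the answer explains.

$RdpServersKey = 'HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers'

function Get-RdpRememberedCert {
    # One object per remote host the current user has clicked "Don't ask me again" for.
    if (-not (Test-Path -Path $RdpServersKey)) { return }
    foreach ($key in Get-ChildItem -Path $RdpServersKey) {
        $bytes = (Get-ItemProperty -Path $key.PSPath -Name CertHash -ErrorAction SilentlyContinue).CertHash
        $thumb = $null
        if ($bytes) { $thumb = ($bytes | ForEach-Object { $_.ToString('X2') }) -join '' }
        [pscustomobject]@{ Server = $key.PSChildName; Thumbprint = $thumb }
    }
}

function Test-RdpRememberedCert {
    # Compare what the client remembered with the thumbprint the host really uses.
    # A mismatch means the exception no longer covers the presented certificate
    # (renewed cert after the six-month validity, or something else answering
    # for that host name, which is exactly when a re-prompt deserves attention).
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint   # SHA-1 hex, read on the host
    )
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $entry = Get-RdpRememberedCert | Where-Object { $_.Server -eq $Server }
    if (-not $entry) {
        Write-Warning "No remembered certificate for '$Server'; the dialog will appear on next connect."
        return $false
    }
    if ($entry.Thumbprint -ne $expected) {
        Write-Warning "Remembered $($entry.Thumbprint) but host presents $expected."
        return $false
    }
    return $true
}

function Remove-RdpRememberedCert {
    # Forget the exception so the warning dialog is shown again (deleting the key,
    # as the answer says).
    param([Parameter(Mandatory)] [string] $Server)
    Remove-Item -Path (Join-Path -Path $RdpServersKey -ChildPath $Server) -ErrorAction Stop
}

# On the remote host itself (not on the client), the thumbprint the listener
# presents can be read from WMI; listener name 'RDP-Tcp' is the default:
#   (Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
#        -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash

Get-RdpRememberedCert | Format-Table -AutoSize
# Usage, with a thumbprint copied from the host:
#   Test-RdpRememberedCert -Server 'Computer-1' -ExpectedThumbprint '<thumbprint read on the host>'
```

Because the key lives under HKCU, running this as a different user shows a different (possibly empty) list, which is the per-user behaviour the answer describes.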

Solution 2

Selecting 'yes' and checking the box for 'Don't ask me again ...' will accept the self-signed certificate and not prompt you to approve that certificate again.

So yes - a cert was generated for you, it's perfectly fine to continue using that in this usage scenario, and you don't need to do anything else.

For personal use like this there is no need to pursue a 'real' cert signed by a CA, but opinions (and paranoia levels) vary. It's getting cheaper and easier to get legitimate certs (see Let's Encrypt), but it's still a bit of a hurdle to use those for RDP.

One note: If you are connecting to this computer over the same VPN link from the same remote computer, and you have selected to trust the cert and 'do not show me again', but at some time in the future you are prompted again, that is when you should be somewhat concerned. That is how a man-in-the-middle attack would present itself.

You can view the certificates from remote machines that you've trusted, implicitly due to being issued by a CA Windows trusts or explicitly like in the case of this RDP cert, using the cert MMC plugin described here.


Author: Tom Jenkinson

Updated on September 18, 2022

Comments

  • Tom Jenkinson
    Tom Jenkinson over 1 year

    I can use Windows RDP to remote control my home PC (through a VPN), but I always get this warning:

    [screenshot: Windows RDP certificate warning]

    Do I need to manually generate a self-signed cert and install it?

    Or has this already happened and can I trust the one that it is already providing?

    Does "Don't ask me again for connections to this computer" do this, or does this just check the name and bypass checking the certificate at all?

    I still want to use the self-signed certificate for verification. I just want my laptop to trust the self-signed cert.

    I'm on Windows 10.

  • Tom Jenkinson
    Tom Jenkinson almost 8 years
    Thanks, so my next question is where is the cert stored once I check that box? I've done it and it seems to work but I'm wondering where that certificate is now saved on my laptop.
  • Tom Jenkinson
    Tom Jenkinson almost 8 years
    "Local Computer -> Remote Desktop -> Certificates" shows a couple of certificates that are issued to my laptop from my laptop. Shouldn't there be one issued to my laptop by my computer here?
  • Tom Jenkinson
    Tom Jenkinson almost 8 years
    Thanks, yes, I can confirm it's at that location in the registry. I have also previously tried installing the certificate the way you suggested and even though there were no errors it seemed to work even though it didn't. I wasn't running as admin so that probably explains that! If I wanted I guess I could create a self-signed cert myself with a longer expire time for option 3?
  • Peter Hahndorf
    Peter Hahndorf almost 8 years
    Yes, I guess you could create your own and install it into both the remote computer and your local one. I always use my own CA, so I haven't done much with self-signed certs.
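The exchange above (a longer-lived self-signed cert, installed on both the remote computer and the local one) and options 2 and 3 of the first answer can be carried out with the PKI cmdlets that ship with Windows 10. The script below is an added example, not code from the answers or comments. It assumes the listener is the default `RDP-Tcp`, that the client connects using the host name `homepc.lan` (a constructed name; the certificate must match whatever name the client types), that the export path `C:\rdp-host.cer` is acceptable, and that the account the RDP service runs as can read the new private key (if the listener silently keeps using the Windows-generated certificate, that key permission is the first thing to check). Function names are my own.

```powershell
# Added example, not code from the answers or comments.
# Part 1 runs on the remote host as administrator; Part 2 on the client.
# Constructed values: host name and export path.

$HostName   = 'homepc.lan'      # must equal the name the client connects to
$ExportPath = 'C:\rdp-host.cer' # public certificate only, no private key

function New-RdpListenerCert {
    # A leaf certificate for server authentication only. It carries no CertSign
    # key usage, which is the same restriction the answer notes for the
    # Windows-generated cert; the validity is chosen here instead of six months.
    param(
        [Parameter(Mandatory)] [string] $DnsName,
        [int] $ValidYears = 5
    )
    New-SelfSignedCertificate `
        -DnsName $DnsName `
        -Type SSLServerAuthentication `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -FriendlyName "RDP $DnsName" `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature, KeyEncipherment `
        -KeyExportPolicy NonExportable `
        -NotAfter (Get-Date).AddYears($ValidYears)
}

function Set-RdpListenerCert {
    # Point the RDP-Tcp listener at the certificate by SHA-1 thumbprint, the
    # same WMI property a client can later compare its remembered CertHash against.
    param([Parameter(Mandatory)] [string] $Thumbprint)
    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Set-CimInstance -InputObject $listener -Property @{ SSLCertificateSHA1Hash = $Thumbprint }
}

# ---- Part 1: on the remote host --------------------------------------------
$cert = New-RdpListenerCert -DnsName $HostName
Set-RdpListenerCert -Thumbprint $cert.Thumbprint
Export-Certificate -Cert $cert -FilePath $ExportPath | Out-Null
Write-Host "Listener now uses $($cert.Thumbprint); copy $ExportPath to the client."

# ---- Part 2: on the client, as administrator, after copying the .cer over --
# This is what the dialog's "Install Certificate..." into Trusted Root does
# (option 2 of the first answer), so the caveat there applies: the exception
# now covers every user on the client, not just the current one.
#   Import-Certificate -FilePath '.\rdp-host.cer' -CertStoreLocation 'Cert:\LocalMachine\Root'
# Verify it landed, and later remove it the same way if the host is retired:
#   Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Subject -like "*$HostName*" }
#   Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Subject -like "*$HostName*" } | Remove-Item
```

Keeping the private key non-exportable on the host limits what an attacker who compromises that machine can carry away, which is the concern the first answer raises about trusting a remote machine's certificate as a root.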
  • trognanders
    trognanders about 7 years
    Once you have accepted option 1, isn't it basically impossible for someone to perform a MITM attack?