Windows Remote Desktop & SSL Certificates


Recently I had the need for an externally hosted Windows server outside of my normal operating network. Normally the servers I use are managed by someone else and I only really deal with the web server aspect of them. This means I’d never really had to concern myself too much with the remote desktop security of them.

Firing up a remote desktop instance to this new VM gave me the standard warning you get when connecting to a fresh Windows server: the client cannot verify the server’s identity, because the server is presenting a self-signed certificate that nothing on the client trusts. Given that I was going to be hosting an Apache instance on it that would be using an SSL certificate, I wondered if there was a way to get the two playing nicely, and cheaply.

In short: Yes, it turns out there is, but quite a few of the instructions on the web for remote desktop / SSL certificates I found were out of date. This is simply what worked for me.

Before I detail this though, I just want to make a point on security: it’s important. Professionals who work in the security industry charge a lot because the cost of being insecure can be orders of magnitude more. That, and it’s a complex area which is constantly changing – the attacks of tomorrow are not known, so they need to be able to react to them at short notice. You only need to look at Heartbleed to see how serious mismanaged security can be. I am not a security professional – just someone who likes to try and keep up to date on things as a hobby. If you want to ensure security – pay for it.

I’m going to be using an SSL certificate from CheapSSL, specifically the COMODO Positive Certificate. There are others you can buy, but I really have no need for them on what’s little more than a development test machine. At under $5 for the year, it’s a bit of a no-brainer.

What SSL certificate you should go with is a discussion that’s been had many times on various forums, so I’m not going to repeat it here. If you’re running a large website or anything corporate, I’d recommend shelling out the extra cash and getting an ‘extended validation certificate’. Anyway, on to the server side of things….


On your Windows server, install OpenSSL. Always use the latest version. I’ve found the site here to be very useful.

I’d recommend setting up an environment variable so OpenSSL can find its own configuration file (without it, ‘openssl req’ complains that it can’t open the config):

set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

Note that ‘set’ only lasts for the current command prompt; use ‘setx’ instead if you want it to survive a reboot.


Make sure you use the correct directory for Win32/64, depending on what you install.

Open the CLI as an admin and navigate to the OpenSSL binary directory. This is probably ‘C:\OpenSSL-Win32\bin’ if you used the standard install from above.

Generate a new CSR file. I’m not going to get into all of the OpenSSL options here, but this works for me at the time of posting:

openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr

I’d strongly recommend using the -sha256 flag, as SHA-1 is being deprecated across the web. The -nodes flag leaves the private key unencrypted, which is what the Remote Desktop service needs (it can’t type a passphrase), so treat myserver.key as a secret from this point on.


Once you execute the line, you’ll be asked a series of questions. Again, there is plenty on the web regarding these and they’re quite self-explanatory. Just make sure you enter the exact host name clients will connect to as the Common Name, and the correct country code (GB for example, and not UK!) and you should be okay.

When complete, you’ll end up with 3 new files in your OpenSSL bin directory: myserver.key (the private key), server.csr (the request you send to the CA) and .rnd (OpenSSL’s random seed file, which you can ignore).
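As an added example (this is not from the original post), here is the same CSR step done non-interactively from PowerShell. It writes a small OpenSSL request config that also adds a subjectAltName, generates the key and CSR, and checks the result before anything gets pasted into the CA’s form. The paths C:\OpenSSL-Win32\bin and C:\certs, the organisation details and the host name rdp.example.com are all assumptions; swap in your own.

```powershell
# Added example, not from the original post. Assumes OpenSSL lives under
# C:\OpenSSL-Win32\bin and that rdp.example.com is your host name (assumptions).
$opensslDir = 'C:\OpenSSL-Win32\bin'
$hostName   = 'rdp.example.com'
$workDir    = 'C:\certs'          # keep the key out of the OpenSSL bin directory
New-Item -ItemType Directory -Force -Path $workDir | Out-Null

# Minimal request config. prompt = no means no interactive questions; the
# subjectAltName is what modern browsers match on for the Apache side, so the
# same certificate serves both RDP and the web server.
$cnf = @"
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = ext

[ dn ]
C  = GB
ST = London
L  = London
O  = Example Ltd
CN = $hostName

[ ext ]
subjectAltName = DNS:$hostName
"@
Set-Content -Path "$workDir\req.cnf" -Value $cnf -Encoding ASCII

$openssl = Join-Path $opensslDir 'openssl.exe'

# -config replaces the OPENSSL_CONF environment variable for this one call.
# -nodes: unencrypted key, because the Remote Desktop service cannot enter a passphrase.
& $openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$workDir\req.cnf" `
    -keyout "$workDir\myserver.key" -out "$workDir\server.csr"
if ($LASTEXITCODE -ne 0) { throw 'openssl req failed' }

# Check what you are about to submit: right host name, SAN present, SHA-256 signature.
$text = (& $openssl req -noout -text -in "$workDir\server.csr") -join "`n"
if ($text -notmatch "CN=$([regex]::Escape($hostName))")   { throw 'CN is not the expected host name' }
if ($text -notmatch "DNS:$([regex]::Escape($hostName))")  { throw 'subjectAltName missing from CSR' }
if ($text -notmatch 'sha256WithRSAEncryption')             { throw 'CSR is not SHA-256 signed' }

# The key is unencrypted, so lock the file down to Administrators and SYSTEM only.
icacls "$workDir\myserver.key" /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null

# This is the text to paste into the CA's CSR field.
Get-Content "$workDir\server.csr"
```

The CSR itself contains no secret, so pasting it into a web form is fine; the thing to protect is myserver.key, which is why the script strips inherited permissions from it.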


Login to CheapSSL, buy your certificate and go to the page that is asking for the CSR.

I’ve found the easiest way to fill this out is to open the csr file in Notepad++ and simply copy and paste the information into the field.

For the server type, I went with “Apache & OpenSSL”, because this is what will be using it later on. Make sure SHA2 is selected if it asks.

Check the details on the next page. If correct, choose the email address to verify with and continue.

Check your email and validate the request.

After a short amount of time, you should be able to download a zip file which contains several certificates. Copy these to a directory on your server and extract, if they’re not there already.

At this stage I install all of the certificates under the ‘local machine’ store, apart from the one issued directly for the domain. These will normally have “Root”, “TrustCA” and “CA” in their names. You can do this by simply double clicking them, choosing Local Machine, and letting Windows pick the store based on the certificate type: the root ends up in ‘Trusted Root Certification Authorities’ and the others in ‘Intermediate Certification Authorities’. There are 3 to install for COMODO. The intermediates are what let a connecting client build the chain from your certificate back to a root it already trusts, so don’t skip them.



You’ll now need to put 2 files into the OpenSSL bin directory (to keep things easy). The first is the certificate that’s based on your domain. This will be the certificate you didn’t install from the zip file.

The second is the ‘bundle file’. This is just the CA certificates concatenated in PEM format, starting with the one that issued your certificate and working up towards the root. You can either make this yourself from the files in the zip or download a premade one from the CA.

In the CLI, run:

C:\OpenSSL-Win32\bin>openssl pkcs12 -export -out YOURDOMAIN.pfx -inkey myserver.key -in YOURCERTNAMEHERE.crt -certfile comodossl.ca-bundle

It’ll ask for an export password. Use a strong password that you will keep in a safe place, since the .pfx contains the private key. I personally use 32 characters of mixed alphanumeric and special characters.

This will give you a new file called ‘YOURDOMAIN.pfx’. It’ll have a little key in the corner of the icon.

Double click this file to import it. Select Local Machine, confirm the filename, and enter the export password you used previously. I don’t mark the private key as exportable at this stage, so it can’t be pulled back out of the certificate store later, but that’s up to you.

Select automatically place in correct location and finish.

Open a new powershell console and enter:

get-childitem cert:\localmachine\my

You’ll get a list of certificates along with their ‘thumbprints’.

Look for your domain and copy the entire thumbprint value, being careful not to have any spaces at the start or the end.

Finally, enter the following line in powershell:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINTHERE"

You should see ‘Property(s) update successful.’
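As an added example (again, not from the original post), the import, thumbprint lookup and wmic steps above done from one elevated PowerShell session, with the checks I’d want before trusting the result: that the imported certificate has its private key, that its chain builds against the intermediates installed earlier, and that the Remote Desktop service (which runs as NETWORK SERVICE) can actually read the key. It goes slightly beyond the post by also forcing the TLS security layer and requiring Network Level Authentication, so the certificate is always used. It uses Import-PfxCertificate from the PKI module (Server 2012 and later); the PFX path and the host name rdp.example.com are assumptions.

```powershell
# Added example, not from the original post. Assumes the PFX built above is at
# C:\certs\YOURDOMAIN.pfx and was issued for rdp.example.com (both assumptions).
$pfxPath  = 'C:\certs\YOURDOMAIN.pfx'
$hostName = 'rdp.example.com'
$pfxPass  = Read-Host -AsSecureString 'PFX export password'

# Import into the Local Machine Personal store. The private key stays
# non-exportable unless you add -Exportable.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass

# Sanity checks before touching the RDP listener.
if (-not $cert.HasPrivateKey) { throw 'Import left no private key behind' }
if ($cert.Subject -notmatch "CN=$([regex]::Escape($hostName))") {
    throw "Subject is '$($cert.Subject)', not $hostName"
}
# Verify() builds the chain using this machine's stores, so it fails here if the
# COMODO intermediates/root were not installed earlier.
if (-not $cert.Verify()) { throw 'Chain does not build to a trusted root on this machine' }

# The Remote Desktop service runs as NETWORK SERVICE and needs read access to the
# private key, otherwise it cannot use the certificate. For a CAPI key the
# container is a file under MachineKeys; for a CNG key use certlm.msc instead.
if ($null -eq $cert.PrivateKey) { throw 'Not a CAPI key; grant NETWORK SERVICE read on it via certlm.msc' }
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
icacls $keyFile /grant 'NT AUTHORITY\NETWORK SERVICE:R' | Out-Null

# Bind the certificate to the RDP-Tcp listener. Same WMI class the wmic line uses.
$ns = 'root\cimv2\TerminalServices'
$ts = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Beyond the post: SecurityLayer 2 forces TLS (no fallback to legacy RDP
# encryption) and UserAuthenticationRequired 1 turns on NLA, so an
# unauthenticated client never reaches the logon screen.
$ts.SetSecurityLayer(2)              | Out-Null
$ts.SetUserAuthenticationRequired(1) | Out-Null

# Read the setting back rather than trusting the return code.
$after = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($after.SSLCertificateSHA1Hash -ne $cert.Thumbprint) { throw 'Listener is still on the old certificate' }
if ($after.SecurityLayer -ne 2)                          { throw 'Security layer is not TLS' }
"RDP-Tcp now uses {0}, valid until {1:u}" -f $after.SSLCertificateSHA1Hash, $cert.NotAfter
```

The thumbprint is read straight off the imported certificate object, which avoids the copy-and-paste problem with stray spaces mentioned above. Reconnect with mstsc afterwards: the identity warning should be gone, and the lock icon in the connection bar should show your CA-issued certificate.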

Congratulations, you now have the certificate installed for Remote Desktop use and an SSL certificate you can use with your Apache (or other) server.

Screenshot: Remote Desktop with server certificate

Remember – if you want to see this, or other certificates you can use ‘MMC’ and add the certificates snap-in.

Finally – make sure you back up your files, including the keys, and keep them safe! Anyone who gets hold of myserver.key or the .pfx (plus its password) can impersonate your server, so store the backup encrypted and well away from the web root.