Change Windows RDP SSL Cert from Default to Comodo Free SSL

This article describes how to change the SSL cert for you Windows server to match a hostname so that when you remote desktop to a windows server, you don’t get a warning for the identity and the SSL cert.

Go to Sectigo (Comodo) and sign up for a free ssl.

https://ssl.comodo.com/free-ssl-certificate.php

First, generate a CSR.

One: https://knowledge.digicert.com/solution/SO21586.html

https://support.comodo.com/index.php?/Knowledgebase/Article/View/739/19/csr-generation-and-ssl-installation-for-ms-terminal-services-rdp

Set up the CSR

Godaddy – https://hk.godaddy.com/en/help/windows-generate-csr-for-code-or-driver-signing-certificate-7282

CSR Generation: Using certreq (Windows)
This article is for administrators who prefer the command shell!

Save the following file as request.inf on your server editing the subject according to the comment:

;----------------- request.inf -----------------

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "C=US, CN=something.example.com" 

KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
HashAlgorithm = SHA256 

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication / Token Signing
;-----------------------------------------------


then run

certreq -new request.inf request.csr

This add the key as well – https://blogs.technet.microsoft.com/rmilne/2014/06/17/how-to-request-certificate-without-using-iis-or-exchange/

re: https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/813/102/

Finish install:

https://www.youtube.com/watch?v=qDwF0_ax6_w

Leave a Comment