We have a Windows 10 Pro machine at our office which has an open port to the internet for incoming remote desktop connections (a ‘host’). It is well protected by complex password and limited number of permitted attempts and only TLS 1.1 or higher, but it doesn't present an externally-verified SSL certificate, only the self-generated self-signed one that Remote Desktop Services provides, and this gives us two problems:
- We cannot be fully confident when connecting remotely we really are connecting to this machine and not some hijacked connection.
- Our site fails PCI-DSS 3.1 compliance check (required because we use there a point-of-sale debit/credit card machine that connects via internet). The check reports fatal errors on this internet-facing remote desktop port: 'SSL Self-Signed Certificate' and 'SSL Certificate with Wrong Hostname'.
How do I get a Windows 10 Pro (or Windows 7 / 8 / 8.1 Pro) machine acting as server/host to present a proper SSL certificate for Remote Desktop verification?
Best Answer
You can set this host machine to use and present your (existing, purchased) externally-verified SSL certificate thus (instructions probably also work for Windows 8 & 8.1, may or may not work for Windows 7) (parts of this are based on Microsoft KB 2001849):
First, you need to have purchased a genuine verified SSL certificate.
If you have this certificate in a pkcs12 format file (e.g. pfx extension) you can view the SHA1 fingerprint using Linux or Cygwin thus (you will need it below):
Alternatively, if you have the individual certificate files on your Linux server at /etc/ssl (/etc/ssl/certs/mysite.crt, /etc/ssl/mysite.ca-bundle and /etc/ssl/private/mysite.key) you can create a pfx file and obtain the SHA1 fingerprint thus:
Create pfx file for your certificate, if you don’t already have one (here: mysite.pfx) – set a good password when requested:
Move or copy this pfx file as required so that it is accessible by your Windows host machine.
openssl x509 -in /etc/ssl/certs/mysite.crt -noout -fingerprint
Import pkcs12 format (e.g. pfx) file into Windows host machine’s personal certificates store:
Use regedit to add a new Binary Value called SSLCertificateSHA1Hash at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
The value it needs is the SHA1 fingerprint of the certificate obtained above: right-click on the new value, choose Modify and then type in the hex codes sequentially (without colons or spaces or commas, letters are not case-sensitive) – there are 20 hex pairs in all (40 characters). You may need to reboot the host machine, or restart Remote Desktop Services (from Services.msc) before it will work.
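The same procedure (import the pfx into the computer's Personal store, write the 20-byte SSLCertificateSHA1Hash value, restart Remote Desktop Services) can be done from an elevated PowerShell prompt instead of certlm.msc and regedit. The script below is an added example and is not part of the original answer; the pfx path and the expected host name are placeholders you must change, and it reads the SHA1 thumbprint from the imported certificate itself, so the openssl step is not needed. It also verifies the registry value round-trips and warns if the certificate's DNS names do not include the host name clients will connect to (the cause of the 'Wrong Hostname' finding in the question).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answer. Assumed placeholders:
#   $PfxPath      - path to your purchased certificate in pkcs12/pfx format
#   $ExpectedHost - the name remote users type into the RDP client (mysite.com)
$PfxPath      = 'C:\certs\mysite.pfx'
$ExpectedHost = 'mysite.com'
$RdpKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Ask for the pfx password interactively rather than embedding it in the script.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Import into LocalMachine\My (the computer's "Personal" store). The returned
#    X509Certificate2 object's Thumbprint is the SHA1 fingerprint (40 hex chars,
#    no colons) that SSLCertificateSHA1Hash must contain.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $PfxPassword
$thumbprint = $cert.Thumbprint.ToUpper()

# Sanity checks before touching the registry.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint was imported without its private key; RDS cannot use it."
}
if ($thumbprint -notmatch '^[0-9A-F]{40}$') {
    throw "Unexpected thumbprint format: $thumbprint"
}
if (-not ($cert.DnsNameList.Unicode -contains $ExpectedHost)) {
    Write-Warning "Certificate DNS names ($($cert.DnsNameList.Unicode -join ', ')) do not include $ExpectedHost; clients will still see a hostname mismatch."
}

# 2. Convert the 40-character hex string into the 20-byte array that regedit's
#    Binary Value holds (the equivalent of typing the hex pairs in by hand).
$hashBytes = New-Object byte[] 20
for ($i = 0; $i -lt 20; $i++) {
    $hashBytes[$i] = [Convert]::ToByte($thumbprint.Substring(2 * $i, 2), 16)
}

# 3. Create or overwrite SSLCertificateSHA1Hash as REG_BINARY under RDP-Tcp.
Set-ItemProperty -Path $RdpKey -Name 'SSLCertificateSHA1Hash' -Value $hashBytes -Type Binary

# 4. Restart Remote Desktop Services so the new value is picked up. This drops
#    any active RDP session on the host, so run it from the console or a window
#    when nobody is connected.
Restart-Service -Name TermService -Force

# 5. Verify: read the value back and compare it with the store's thumbprint.
$stored    = (Get-ItemProperty -Path $RdpKey -Name 'SSLCertificateSHA1Hash').SSLCertificateSHA1Hash
$storedHex = ($stored | ForEach-Object { $_.ToString('X2') }) -join ''
if ($storedHex -ne $thumbprint) {
    throw "Registry value $storedHex does not match certificate thumbprint $thumbprint"
}
Write-Host "RDP-Tcp now references $($cert.Subject) (SHA1 $thumbprint)"
```

If the host still presents the self-signed certificate after the restart, check that the NETWORK SERVICE account has Read permission on the certificate's private key (certlm.msc, right-click the certificate, All Tasks, Manage Private Keys): Remote Desktop Services runs under that account and silently falls back to its own certificate when it cannot read the key.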
Now, after making a remote desktop connection to this host using the correct site name (e.g. mysite.com) you should see a locked padlock on the left-hand side of the top connection bar: clicking on this shows that the identity of the remote computer was verified. A port that is open from the internet through to this host should now pass PCI-DSS 3.1 hostname testing.