Replacing the default (self signed) certificate on a RD Session Host server

Many times I wanted to get rid of that annoying certificate warning message when I make an RDP connection to a RD Session Host server or a workstation. If you are using RDP inside an Active Directory network, the warning is gone, because the connection is using Kerberos for security, but if you are connecting from outside to the inside, well…you will be prompted to accept the server certificate, and this is because the certificate is self signed and is not trusted. The following method works for client OSes (Windows XP, Vista, 7) too, not just for RD Session Host servers.

To install a trusted certificate I will use a script that I found on Microsoft TechNet. For this guide an Enterprise internal CA will issue the certificates, since it is cheaper and much easier to work with, but if you have a lot of external clients a commercial certificate is recommended. To start we need to request and install a certificate in the local computer store on the RD Session Host server. For that open the Certificates console (Start > Run > mmc), select Certificates and click the Add button. On the wizard that just popped up choose Computer Account > Local Computer.

If you click the Personal folder inside the Certificates store you can see that it is empty. Now we need to request a certificate from our internal CA.

Right click the folder and choose All Tasks > Request New Certificate.

Since we have an Active Directory infrastructure here, we are going with Active Directory Enrollment Policy, so leave the default selection and press Next to continue.

Check the Computer box, then click the Enroll button. It is useless to click the Properties button for further customization of the certificate (e.g. SAN attribute, exportable key, etc.) because the template from AD Certificate Services is configured to take the information from AD. If you want a certificate that you can further customize you will need to create a new template in AD Certificate Services.

If the operation is successful, click Finish to close the wizard.

Now the certificate is installed in our local computer Certificates store. The next step is to replace the default self-signed certificate with this one, which is trusted by all our internal clients, and by external ones if the root certificate of our CA is installed on them.

Now what do you do if you want to install a commercial certificate on the server? Well…instead of choosing Request New Certificate from the menu, choose Import Certificate, then provide the certificate you downloaded from the Certification Authority.

Be aware that the certificate needs to have the Server Authentication policy, or it is not going to work.

Now open the certificate properties and go to the Details tab. If you scroll down there is a Thumbprint field; click on it and copy the thumbprint to a Notepad file. Remove the spaces between the characters.

Copy the script below and save it in a file with a .js extension on the C drive of your RD Session Host. This location is not mandatory, but it is easier to work with; you can save it anywhere you want to.


// Connect to the Terminal Services WMI namespace on the local computer
var strComputer = ".";
var strNamespace = "\\root\\CIMV2\\TerminalServices";
var wbemChangeFlagUpdateOnly = 1;
var wbemAuthenticationLevelPktPrivacy = 6;
var Locator = new ActiveXObject("WbemScripting.SWbemLocator");
// Packet privacy: the WMI traffic is signed and encrypted
Locator.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy;
var Service = Locator.ConnectServer(strComputer, strNamespace);
// Settings of the RDP-Tcp listener
var TSSettings = Service.Get("Win32_TSGeneralSetting.TerminalName=\"RDP-Tcp\"");
// With a thumbprint argument, bind that certificate; without one, reset the
// hash to all zeros, which puts the listener back on the self-signed certificate
if (WScript.Arguments.length >= 1)
    TSSettings.SSLCertificateSHA1Hash = WScript.Arguments(0);
else
    TSSettings.SSLCertificateSHA1Hash = "0000000000000000000000000000000000000000";
// Commit the change; without Put_ nothing is written to the listener
TSSettings.Put_(wbemChangeFlagUpdateOnly);


Open a command prompt, go to the script location (in my case it is the root of the C drive) and enter the following command, then press ENTER:

cscript scriptname.js thumbprint

in my case it is:

cscript replacecert.js 2f63fae0ab4fa989bacfa55a4848b5c6ade915fd

Now if you create an RD connection the certificate warning should not appear any more, because the connection is trusted. Of course you will need to use the FQDN that you put in the certificate, or the warning is back.
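As an added example that is not part of the original post, here is a PowerShell equivalent of the steps above: it checks the certificate against the requirements mentioned in the post (Server Authentication purpose, a private key in the local computer store, a name matching the FQDN clients will use) before binding it to the RDP-Tcp listener through the same Win32_TSGeneralSetting WMI class, then reads the setting back. The thumbprint parameter and the host name lookup are assumptions; run it elevated on the RD Session Host.

```powershell
# Added example (not the post's script): check a certificate in the local
# computer's Personal store against the post's requirements, bind it to the
# RDP-Tcp listener through the same WMI class, and read the setting back.
# The thumbprint is a placeholder; use the one copied from the Details tab.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # e.g. "2f63fae0ab4fa989bacfa55a4848b5c6ade915fd"
)

# Normalize: the Details tab inserts spaces, and WMI expects 40 hex characters.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()
if ($Thumbprint -notmatch '^[0-9A-F]{40}$') {
    throw "Thumbprint must be 40 hex characters (SHA-1), got '$Thumbprint'."
}

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate $Thumbprint in Cert:\LocalMachine\My." }

# Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is required by the listener.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku -or -not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')) {
    throw "Certificate lacks the Server Authentication EKU."
}
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key in this store." }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period."
}

# Clients connect by FQDN, so warn if the certificate name does not match it.
$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$dnsName = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $fqdn) {
    Write-Warning "Certificate name '$dnsName' differs from host FQDN '$fqdn'."
}

# Same namespace/class as the JScript; PacketPrivacy encrypts the WMI traffic.
$wmi = @{ Namespace = 'root\CIMV2\TerminalServices'; Class = 'Win32_TSGeneralSetting'
          Filter = "TerminalName='RDP-Tcp'"; Authentication = 'PacketPrivacy' }
$ts = Get-WmiObject @wmi
Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } `
                -Authentication PacketPrivacy | Out-Null

# Read back to confirm the listener now references the new certificate.
$after = Get-WmiObject @wmi
"RDP-Tcp SSLCertificateSHA1Hash is now $($after.SSLCertificateSHA1Hash)"
```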
