
Remote Desktop SSL

This guide explains how to request an RDP TLS certificate via Active Directory Certificate Services (AD CS), ensure it is installed correctly, and bind it to Remote Desktop.

Prerequisites

  • The Windows server can enroll/request certificates from AD CS (permissions and network reachability).
  • A certificate template exists that includes the Server Authentication EKU and supports the required SANs.
  • RDP is enabled on the server.

Request the certificate

Request the certificate on the target server so the private key is generated and stored locally:

  1. Run certlm.msc (Certificates - Local Computer).
  2. Personal → Certificates → All Tasks → Request New Certificate…
  3. Choose the appropriate template for an RDP/server TLS certificate.
  4. Ensure the certificate includes the correct DNS names (SANs) for the host you expect users to connect to (example: rds.core.lef, desktop.core.lef).

Verify the certificate

In certlm.msc under Personal → Certificates, open the issued certificate and confirm it shows:

  • “You have a private key that corresponds to this certificate”
  • Enhanced Key Usage includes “Server Authentication”

Bind the certificate to RDP

  1. Run regedit.
  2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  3. Set SSLCertificateSHA1Hash (REG_BINARY) to the certificate's SHA-1 thumbprint (the hex value shown in the certificate details, with no spaces).
  4. Restart the RDP service (this disconnects active RDP sessions):
     Restart-Service TermService -Force
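
The same bind step done from an elevated PowerShell session instead of regedit, added here as an example that is not part of the original guide. It assumes the issued certificate is already in the Local Computer Personal store and reuses rds.core.lef from the guide as the host name:

```powershell
# Added example (not from the original guide): bind an AD CS-issued certificate to the
# RDP-Tcp listener from PowerShell instead of regedit. Run in an elevated session.
$DnsName       = 'rds.core.lef'   # host name users connect to (from the guide)
$RdpKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# Pick the newest unexpired cert in the Local Computer Personal store that has a private
# key, carries the Server Authentication EKU and lists the host name as a SAN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.DnsNameList.Unicode -contains $DnsName) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No usable certificate for $DnsName in Cert:\LocalMachine\My" }

# SSLCertificateSHA1Hash is REG_BINARY: the 20 raw SHA-1 thumbprint bytes, not the hex text.
$hashBytes = $cert.GetCertHash()
if ($hashBytes.Length -ne 20) { throw "Unexpected thumbprint length for $($cert.Thumbprint)" }

Set-ItemProperty -Path $RdpKey -Name 'SSLCertificateSHA1Hash' -Value $hashBytes -Type Binary

# Read the value back and compare it to the thumbprint before restarting the service,
# so a stale or mistyped value is caught before any user reconnects.
$bound    = (Get-ItemProperty -Path $RdpKey -Name 'SSLCertificateSHA1Hash').SSLCertificateSHA1Hash
$boundHex = ([BitConverter]::ToString($bound)) -replace '-', ''
if ($boundHex -ne $cert.Thumbprint) { throw "RDP binding mismatch: $boundHex vs $($cert.Thumbprint)" }

# Restart Remote Desktop Services so the listener picks up the new certificate
# (this disconnects active RDP sessions).
Restart-Service TermService -Force
"RDP-Tcp now uses $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"
```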

Test the connection

  • Connect via RDP from another machine.
  • Confirm the presented certificate CN is rds.core.lef and chains to the internal CA.

Notes

  • When the certificate is renewed/reissued, the thumbprint changes; update the RDP binding if needed.
  • Protect exported private keys and PFX files; store/transfer them only via approved secure channels.