Change the RDP certificate for a Centrify Connector

The NativeRDP functionality requires two files:

  • A cert file RDPServer.crt
  • A key file RDPServer.key

Note:   The RDP code does not produce, acquire, or generate these files. These files are obtained prior to starting NativeRDP, as a preliminary step performed by the connector and/or manual install.

This page explains how these files are found by the connectorand how to change the default behavior.

How registry keys are used

The Centrify Connector uses several registry keys to produce the RDP key files required for Native RDP functionality. These key/value pairs are located in HKLM\SOFTWARE\Centrify\Cloud.

Key Type Description
CPS.RDPHostThumbprint String A thumbprint for the certificate from the Windows Certificate Store. This is used to generate the key files.
Cps.RDPHostStore String

The name of the Windows Certificate Store container. This is used to search for an installed certificate.

This container name is relative to Cert:\LocalMachine\. The default name is Remote Desktop with the full path of CERT:\LocalMachine\Remote Desktop.

CPS.RDPHostCert String

The encrypted content of the cert file.

Note:    This is only for generated certificates.

CPS.RDPHostKey String

The encrypted content of the key file.

Note:    This is only for generated certificates.

How the default functionality works

Generate key files from an existing certificate

By default, the Centrify Connector will attempt to generate the key files from an existing certificate . This certificate can be a self-signed certificate or one you've purchased (e.g. from GoDaddy), for use with NativeRDP.

Note:   In order to locate the existing certificate, it must be installed in the Windows Certificate Store, under the LocalMachine container.

By default, the connector will look for the file in Cert:\LocalMachine\Remote Desktop. This location can be changed using the CPS.RDPHostStore registry value. The connector looks in this store to find the thumbprint provided by the CPS.RDPHostThumbprint registry value. The thumbprint must be present to override the default behavior.

Generate a new certificate if one doesn't exist

If the connector does not find an existing certificate, it will generate one. When this happens, the connector wants to ensure the key files generated survive an upgrade, so they are backed up as secure registry values.

By default, a newly installed connector will generate its own certificate and back up the key files produced from that certificate in the secure registry keys CPS.RDPHostCert and CPS.RDPHostKey.

The certificate generated by the connector uses the default settings as defined by the N-Software third-party software library. See the documentation for N-Software for more information about the defaults used to generate the certificate.

The connector only sets the CN to the hostname, not the FQDN or IP.

Note:    The auto-generated certificate has about a one year expiration and the certificate won't be auto-renewed.

If the certificate is expired, the user will see a prompt during the Native RDP connection about the certificate expiration.

Extract certificate information

Once a certificate is present, the connector extracts the information into two files, RDPServer.crt and RDPServer.key. If these files were produced from a generated certificate, they also get backed up into secure registry values.

Once the backups exist, they are always used to restore the files on the disk when the connector starts. This means the following will occur:

  • If you delete the key files from the disk, they will reappear "automatically".
  • If the registry entries are removed, the connector will regenerate its own certificate for use.
To stop the default behavior, see Use your own certificate

Use your own certificate

To use your own certificate:

  1. Get or create a certificate. The certificate must have an exportable private key.

    To generate a self-signed certificate that can be used with CentrifyNativeRDP:

    1. Ensure the following are met:

      • The certificate must be run on the connector machine.
      • The DnsName should be a comma delimited list of all names you want this cert to match against. Generally, it should be:
        • FQDN (For example, hardhome.bespin.test)
        • Hostname (For example, hardhome)
        • IPAddress (For example, 192.168.132.105)
      • FriendlyName is optional, but recommended.
      • Set CertStoreLocation to the store name where this cert will be stored. This is always LocalMachine plus the directory name (e.g. Remote Desktop). This value must match the value in the Centrify registry settings.

        Note:   We recommend you use the default value for simplicity.

      • Set the NotAfter value, which supplies an expiration date. The example below uses a 3 year expiration from today.
    Copy

    New Self Signed Certificate

    $SelfSignedCert = New-SelfSignedCertificate -Type SSLServerAuthentication -DnsName $name -CertStoreLocation "cert:\LocalMachine\Remote Desktop" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter (Get-Date).AddYears(3) -FriendlyName "Hello!"

  2. Install the certificate in the Windows Certificate Store.

    Copy

    Get Thumbprint

    PS> $SelfSignedCertificate.Thumbprint
    PS> $SelfSignedCertificate.Thumbprint | clip

    The installation:

    • Displays the thumbprint.
    • Copies the thumbprint to the clipboard for the configuration step.

  3. Configure the connector to use the certificate:
    1. Update the registry on the connector machine.
    2. Create a string value for CPS.RDPHostThumbprint, and set it to the thumbprint copied from the previous step.

      Note:   This is the key step in changing the default behavior.

    3. Restart the connector.
    4. (Optional) Delete the CPS.RDPHostCert and CPS.RDPHostKey registry values, if they exist.

Replace a RDP default self-signed certificate

To replace a certificate which enforces with the default domain group policy:

  1. Open the Group Policy Management application and edit the Default Domain Policy. This applies the Certificate Template to all the servers in the AD Domain.

  2. Navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.
  3. Open Server Authentication Certificate Template and for Certificate Template Name, enter the template name you created.
  4. Navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.
  5. Open Require use of specific security layer for remote (RDP) connections and change the Security Layer to SSL.
  6. Run gpupdate /force and restart Remote Desktop Services to immediately apply the settings.
    Copy
    #Force GPO to update immediately
    gpupdate /force
    #Restart RDS Service
    Restart-Service TermService

    The RDS Authentication Certificate will be installed under Certificates (Local Computer).

To manually replace a RDP default self-signed certificate

  1. Open the Certificate Authority and modify the RDS template:
    1. On the Compatibility tab change the following:

      • Certification Authority: Windows Server 2008 R2 or above.
      • Certificate recipient: Windows 7 / Server 2008 R2 or above.
    2. On the Subject Name tab, select Supply in the request and the check Use subject information from existing certificate for autoenrollment renewal request.

To request a RDS Certificate from the server:

  1. Open Certificates - Local Computer using certlm.msc and select Create Custom Request.

  2. Set Template to RDS and click Next.
  3. Click Properties.
  4. For Subject name, set Type to Common Name and for Type, enter the server FQDN and click Add, then Apply.
  5. On the General tab, specify a Friendly name to identify this certificate.
  6. Choose the file path to save the offline request and click Finish.
  7. Login to http://CA_SERVER/certsrv and click the Request a certificate link.
  8. Click advanced certificate request.
  9. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  10. Paste the content of the offline request into Saved Request and set Certificate Template to RDS.
  11. Click Download certificate.
  12. Import the certificate to Certificates - Local Computer.

  13. Verify the thumbprint of the RDS Certificate.
    Copy
    Set-Location Cert:\LocalMachine\my
    Get-ChildItem
    Thumbprint                                Subject
    ----------                                -------
    AA439E86EA877521C5A98460DBEBA70CC28C70E6  CN=ib-ccdb.ibernas.plgroup.com.my
  14. Replace the default self sign certificate with the RDS certificate.
    Copy
    #Replace Certificate for RDS
    wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="AA439E86EA877521C5A98460DBEBA70CC28C70E6"
  15. Verify the RDS Certificate installation.
    Copy
    Get-WmiObject "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "Termina
    lName='RDP-tcp'"
    SecurityLayer                          : 2
    SSLCertificateSHA1Hash                 : AA439E86EA877521C5A98460DBEBA70CC28C70E6
    SSLCertificateSHA1HashType             : 3
    Status                                 :
    TerminalName                           : RDP-Tcp
    TerminalProtocol                       : Microsoft RDP 8.0
    Transport                              : tcp
    UserAuthenticationRequired             : 1
    WindowsAuthentication                  : 0
    PSComputerName                         : IB-CCDB
  16. The new RDS Certificate will now connect to the server via Remote Desktop.