Step-by-step guide

  1. Create a working directory on the Desktop
    1. We will call it SSL
  2. Open the command prompt (CMD)

  3. Change directory to the SSL folder we just created

    cd Desktop/SSL

  4. Generate a Certificate Signing Request (CSR)

    openssl req -new -newkey rsa:2048 -nodes -out rdp.csr -keyout rdp.key

    You can also use the DigiCert Easy CSR tool.

  5. Get your certificate signed by your Certificate Authority of choice. We recommend DigiCert.
  6. Copy your signed certificate into the SSL folder on the Desktop.

  7. Create a PKCS#12 archive

    openssl pkcs12 -export -in rdp-signed.crt -inkey rdp.key -out rdp.p12 -certfile more.crt

    1. If your CA requires an intermediate certificate, append the following to the previous command before submitting it.

      -CAfile "intermediate_cert_from_CA.crt"
  8. Press the Windows key + R to open the Run dialog

  9. Run the local computer certificate manager

    certlm.msc

  10. Right-click the Personal store on the left

  11. Hover over All Tasks
  12. Click Import...
  13. Click Next
  14. Browse to the .p12 file from step 7
  15. Click Next
  16. Enter the password, if there is one
  17. Click Next
  18. Click Next again
  19. Click Finish
  20. Go to Personal > Certificates
  21. Double-click the imported certificate
  22. Click the Details tab
  23. Scroll down and click Thumbprint
  24. Copy the Thumbprint value to the clipboard
  25. Paste the thumbprint into Notepad and remove any spaces

  26. Open PowerShell and enter the following command, but don't press Enter yet

    wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<certificate thumbprint>"

  27. Replace <certificate thumbprint> with the thumbprint from Notepad

  28. Press Enter
  29. That's it! Your new certificate should now be active for new RDP connections!