Replace Remote Desktop certificate with a signed certificate
When we connect remote desktop in LAN, we will often face warning that the certificate is not issued by a trusted CA. If you have a domain, you can issue trusted certificate automatically to all domain computers.
- Install CA role on any servers in the domain.
- Push root CA into domain by Group Policy
- Export the root CA
- Put it into Group Policy
- Therefore, all CA issued will be trusted by all domain computers automatically.
To create new certificate automatically.
- Follow this instruction to
- create a Certificate Template “RemoteDesktopComputer”
- For step 8, remove “Client Authentication” and leave “Server Authentication”. Step 9-13 can be skipped.
- Use Group Policy to push the Certificate template to domain computers.
- You may need to use gpupdate /force to force computer to have immediate update of the policy. You may also need to disable/enable the remote desktop in order for the computer make request to CA to have a new cert.
- You can go back to certsrv at CA to verify that certificate has been issued automatically.