Replace Remote Desktop certificate with a signed certificate



When connecting with Remote Desktop on the LAN, you will often see a warning that the certificate was not issued by a trusted CA: by default the RDP listener uses a self-signed certificate that no client trusts. If you have an Active Directory domain, you can instead issue trusted certificates automatically to all domain computers.

Set up the CA

  1. Install the Active Directory Certificate Services role (Certification Authority role service) on a server in the domain and configure it as an Enterprise CA.
  2. Push the root CA certificate to domain computers with Group Policy:
    1. Export the root CA certificate (the public certificate only, never the private key).
    2. Import it into a GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, linked to the OU that contains the computers.
  3. Every certificate issued by that CA is then trusted by all domain computers automatically. (An Enterprise CA also publishes its certificate to Active Directory during setup, so domain members normally pick it up even without the GPO; the GPO step makes the trust explicit and auditable.)
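The same CA setup and root-certificate distribution, as an added PowerShell example that is not part of the original post. It assumes you run it as an Enterprise Admin on the domain-joined server that will become the CA; the CA name, export directory and GPO name are placeholders. The final function is the check to run on any domain computer after the policy has applied.

```powershell
# Added example, not from the original post.
# Assumptions (placeholders): CA common name, export directory.
$CaName    = 'CORP-ROOT-CA'   # placeholder
$ExportDir = 'C:\PKI'         # placeholder

# 1. Install the Certification Authority role service and configure an Enterprise Root CA.
#    Enterprise (not Standalone) is what makes templates and auto-enrolment possible.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName $CaName `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# 2. Export the root CA certificate (public part only; the private key stays on the CA).
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$rootCerPath = Join-Path $ExportDir "$CaName.cer"
certutil -ca.cert $rootCerPath | Out-Null
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCerPath

# 3. Publish the root to Active Directory. An Enterprise CA already did this during setup and
#    domain members pick it up automatically; running it explicitly is harmless and is the
#    command to use if the CA was installed as Standalone.
certutil -dspublish -f $rootCerPath RootCA

#    The post's Group Policy route has no cmdlet: import $rootCerPath in GPMC under
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Public Key Policies > Trusted Root Certification Authorities, in a GPO linked to the
#    computers' OU.

# 4. Verification, to be run on a domain computer after "gpupdate /force":
#    is the root in the machine's Trusted Root store?
function Test-RootTrusted {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $match = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $Thumbprint
    return ($null -ne $match)
}

if (Test-RootTrusted -Thumbprint $rootCert.Thumbprint) {
    "Root CA $($rootCert.Subject) ($($rootCert.Thumbprint)) is trusted on $env:COMPUTERNAME"
} else {
    "Root CA not yet trusted on $env:COMPUTERNAME; check GPO scope and run gpupdate /force"
}
```

Use `certutil -ca.cert` rather than a store lookup to export the root: it always returns the CA's own current certificate, even after a renewal has left older copies in the Root store.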


To have each computer obtain a Remote Desktop certificate automatically:

  1. Follow this instruction to
    1. create a certificate template "RemoteDesktopComputer" (a duplicate of the built-in Computer template);
      1. For step 8, in the template's Application Policies (Extensions tab), remove "Client Authentication" and leave only "Server Authentication". Steps 9-13 can be skipped. Make sure the template is published at the CA ("Certificate Templates to Issue") and that Domain Computers have Read and Enroll permission on it, otherwise the request in step 2 is rejected.
    2. use Group Policy to push the certificate template to domain computers: set "Server authentication certificate template" (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security) to the template name. The RDP listener then requests a certificate from that template itself.
  2. You may need to run gpupdate /force so the computer picks up the policy immediately. You may also need to disable and re-enable Remote Desktop (or restart the Remote Desktop Services service) so the computer actually sends a request to the CA for a new certificate.
  3. Back on the CA, open certsrv and look under Issued Certificates to verify that the certificate was issued automatically. On the computer itself, the listener should now present a certificate issued by your CA rather than the self-signed one.
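The template publication, the policy setting and the client-side verification of that procedure, as an added PowerShell example that is not part of the original post. It assumes the template is named RemoteDesktopComputer as in the instruction; the GPO name is a placeholder. The registry value behind the "Server authentication certificate template" policy is taken from the Terminal Server ADMX and is easiest to confirm by setting the policy once in the GPO editor and reading the resulting GPO report. The first part runs on the CA and on a machine with the GroupPolicy RSAT module; the rest runs as an administrator on the target domain computer.

```powershell
# Added example, not from the original post.
$TemplateName = 'RemoteDesktopComputer'   # template name from the instruction
$GpoName      = 'RDP Certificate'         # placeholder GPO linked to the computers' OU

# --- Admin side ---
# Publish the template at the CA (same as "Certificate Templates to Issue" in certsrv). Run on the CA.
certutil -SetCATemplates "+$TemplateName"

# Point the RDS policy "Server authentication certificate template" at the template.
# The policy writes CertTemplateName under the Terminal Services policy key (per the ADMX).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'CertTemplateName' -Type String -Value $TemplateName | Out-Null

# --- Client side (target domain computer) ---
gpupdate /force | Out-Null
# Restarting the service makes the listener request a certificate from the template;
# this is the same effect as the post's disable/enable of Remote Desktop.
Restart-Service TermService -Force

function Get-RdpListenerCertificate {
    # The RDP-Tcp listener records the SHA1 hash of the certificate it presents in WMI.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $ts.SSLCertificateSHA1Hash
}

function Test-RdpCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedTemplate = $TemplateName
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, the EKU the template keeps
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasServerAuth = $false
    if ($eku) { $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq $serverAuthOid) }

    # Certificate Template Name (v1) or Template Information (v2) extension; best-effort match,
    # since the rendered text depends on how the OID is resolved on this machine.
    $tmplExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' }
    $tmplText = ($tmplExt | ForEach-Object { $_.Format($false) }) -join ' '

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)   # true for the default RDP certificate
        ChainsToTrust = $Cert.Verify()                     # chain to LocalMachine\Root plus revocation
        ServerAuthEku = $hasServerAuth
        FromTemplate  = ($tmplText -like "*$ExpectedTemplate*")
    }
}

$cert = Get-RdpListenerCertificate
if (-not $cert) { throw 'RDP listener certificate not found in LocalMachine\My' }
Test-RdpCertificate -Cert $cert | Format-List
```

A healthy result shows SelfSigned False, ChainsToTrust True and ServerAuthEku True. If SelfSigned is still True after the service restart, check the CA's Failed Requests view: the usual cause is Domain Computers lacking Enroll permission on the template.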
