In a previous blog on Object Identifiers (OIDs) in PKI, I mentioned creating a certificate template for Remote Desktop Protocol (RDP) connections. In this blog, I will show how to create the template, why the OID and extensions matter, and how to deploy it with Group Policy so that RDP connections stop showing the self-signed certificate warning.

Important Note

Prior to Windows Server 2012, a bug existed where using the template Display Name in the GPO (below) would trigger an enrollment, but the policy would not recognize the certificate it had just obtained. At each subsequent GPO refresh the process repeated, resulting in huge numbers of RDP certificates being issued. Pay close attention to this if there are servers running OS versions below Windows Server 2012 in your environment, and use the template name or OID, not the display name, when specifying the RDP template. A best practice I always follow is no spaces in template names, and setting the template name and template display name to match whenever possible, so the two cannot be confused.

Why Issue RDP Certificates?

There are multiple reasons to issue RDP certificates from a PKI. The most noticeable is the warning displayed when making an RDP connection to a server or client. On the first RDP connection, servers and clients generate a self-signed certificate; since nothing trusts it, the warning is displayed:

The identity of the remote computer cannot be verified. Do you want to connect anyway?

Clicking Yes to connect sets a bad precedent, especially when the box to not be notified again is also checked: from then on the client silently accepts whatever certificate that host presents. On clients and servers prior to Windows 8.1 and Windows Server 2012 R2, the self-signed certificates were SHA-1 based until an update changed them to SHA-2.

After following these steps, the clients and servers the GPO is applied to will no longer generate self-signed certificates and will instead use the certificate issued by your PKI, which domain-joined clients already trust, to secure the connection.

Current Policies & Corresponding OIDs

To view the policies and the OID list, open the Certificate Templates console (certtmpl.msc), then right click the console root at the top left and select "View Object Identifiers…".

OIDs that start with 1.3.6.1.4.1.311 are in Microsoft's arc and identify Microsoft-defined policies.

The policy highlighted above is Microsoft's OID for Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2). It is not present by default and must be created.

Creating Remote Desktop Authentication Policy

To create the policy, open the Certificate Templates console (certtmpl.msc), right click the default Computer template and select Duplicate Template. On the Extensions tab, select Application Policies and click Edit. Select the Client Authentication and Server Authentication policies and click Remove. Now click Add and the Add Application Policy box opens; select New, and in the New Application Policy dialog box enter "Remote Desktop Authentication" in the Name field and 1.3.6.1.4.1.311.54.1.2 in the Object Identifier field (delete the default value in the box), then OK out of each dialog. On the Security tab grant Read and Enroll to the targeted servers or groups. On the General tab, set the Template display name and Template name to match exactly, with no spaces (example: NewRDPTemplate). Leave the Subject Name tab as inherited from the Computer template, which builds the subject and subject alternative name from the computer's DNS name in Active Directory; that is what lets the certificate match the host name the client connects to.
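Once the duplicate has replicated, it is worth reading the template object back from the Configuration partition and checking the points above before publishing it. The following PowerShell is an added example, not code from the original post; it uses only ADSI so it runs on any domain member without the AD module, and assumes the template is named NewRDPTemplate (the post's example name). The OIDs and the msPKI-Certificate-Name-Flag bit values are the documented ones; the function and variable names are mine.

```powershell
# Added example (not from the original post): verify an RDP certificate template in AD.
$RdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication (removed from the template)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'        # Client Authentication (removed from the template)

# msPKI-Certificate-Name-Flag bits (MS-CRTD)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
$CT_FLAG_SUBJECT_ALT_REQUIRE_DNS   = 0x02000000
$CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN = 0x08000000

function Test-RdpCertificateTemplate {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$TemplateName)

    # Templates live in the Configuration partition, readable by any authenticated user.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tmpl = [ADSI]$path
    try { $null = $tmpl.distinguishedName.Value } catch { throw "Template '$TemplateName' not found: $path" }

    $cn          = [string]$tmpl.cn.Value
    $displayName = [string]$tmpl.displayName.Value
    $templateOid = [string]$tmpl.'msPKI-Cert-Template-OID'.Value
    $appPolicies = @($tmpl.'msPKI-Certificate-Application-Policy'.Value | ForEach-Object { [string]$_ })
    $ekus        = @($tmpl.pKIExtendedKeyUsage.Value | ForEach-Object { [string]$_ })
    $nameFlags   = [int]$tmpl.'msPKI-Certificate-Name-Flag'.Value

    $findings = New-Object System.Collections.Generic.List[string]

    # Name hygiene: the GPO must be given the template name or OID, never the display name.
    if ($cn -ne $displayName) { $findings.Add("Template name '$cn' and display name '$displayName' differ.") }
    if ($cn -match '\s')      { $findings.Add("Template name '$cn' contains whitespace.") }

    # EKU / application policy: RDP auth present, client and server auth removed.
    if ($appPolicies -notcontains $RdpAuthOid) { $findings.Add("$RdpAuthOid missing from Application Policies.") }
    if ($ekus -notcontains $RdpAuthOid)        { $findings.Add("$RdpAuthOid missing from Extended Key Usage.") }
    foreach ($oid in $ServerAuthOid, $ClientAuthOid) {
        if ($appPolicies -contains $oid -or $ekus -contains $oid) { $findings.Add("$oid is still present.") }
    }

    # Subject handling: the name must come from AD so it matches the host; a template that
    # lets the enrollee supply the subject is a hazard, not an RDP template.
    if ($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) {
        $findings.Add('Enrollee supplies subject is enabled; build the subject from Active Directory instead.')
    }
    if (-not ($nameFlags -band $CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN) -or -not ($nameFlags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_DNS)) {
        $findings.Add('Subject is not built from the AD DNS name (CN and SAN); keep the Computer template defaults.')
    }

    [pscustomobject]@{
        TemplateName        = $cn
        DisplayName         = $displayName
        TemplateOid         = $templateOid      # can be used in the GPO instead of the name
        ApplicationPolicies = $appPolicies
        ExtendedKeyUsage    = $ekus
        Findings            = $findings.ToArray()
        Passed              = ($findings.Count -eq 0)
    }
}

Test-RdpCertificateTemplate -TemplateName 'NewRDPTemplate'
```

The TemplateOid value in the output is the same OID the post shows under Certificate Template Information and with certutil, so this one call gives you both the sanity checks and the identifier you will paste into the GPO.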

Utilizing the New Certificate Template

Publish the new RDP template to a certificate authority. For servers to enroll automatically and stop generating and using self-signed certificates, a GPO must be configured. The setting is located under: Computer Configuration, Policies, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Security, Server authentication certificate template. Select Enabled, enter the template name or OID of the RDP certificate template, then click OK. When the GPO refresh applies to the targeted servers, they will enroll for the new certificate and use it for RDP connections.
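To confirm on a targeted server that the policy landed and that the listener actually switched certificates, the following PowerShell is an added example (not from the original post). It is run elevated on the server itself. The registry value CertTemplateName is what the GPO setting above writes, and Win32_TSGeneralSetting is the WMI class that holds the thumbprint bound to the RDP-Tcp listener; the expected template name NewRDPTemplate and the function name are assumptions for the example.

```powershell
# Added example (not from the original post): check the GPO value and the RDP-Tcp listener.
$RdpAuthOid = '1.3.6.1.4.1.311.54.1.2'

function Test-RdpListenerCertificate {
    [CmdletBinding()]
    param([string]$ExpectedTemplate = 'NewRDPTemplate')

    # "Server authentication certificate template" is stored here once the GPO applies.
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $configured = (Get-ItemProperty -Path $policyKey -Name CertTemplateName -ErrorAction SilentlyContinue).CertTemplateName

    # Thumbprint of the certificate the RDP-Tcp listener is currently bound to.
    $listener   = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $thumbprint = $listener.SSLCertificateSHA1Hash

    # Self-signed RDP certificates live in the "Remote Desktop" store; PKI-issued ones in "My".
    $cert = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object Thumbprint -eq $thumbprint | Select-Object -First 1

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $configured) {
        $findings.Add('CertTemplateName is absent; the GPO has not applied (try gpupdate /target:computer /force).')
    } elseif ($configured -ne $ExpectedTemplate) {
        $findings.Add("Policy names template '$configured', expected '$ExpectedTemplate' (or its OID).")
    }

    if (-not $cert) {
        $findings.Add("Listener thumbprint '$thumbprint' was not found in the machine stores.")
    } else {
        if ($cert.Subject -eq $cert.Issuer) { $findings.Add('Listener still uses a self-signed certificate.') }
        if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $RdpAuthOid) {
            $findings.Add("Certificate lacks the Remote Desktop Authentication EKU ($RdpAuthOid).")
        }
        if ($cert.PSParentPath -notlike '*\My') { $findings.Add("Certificate is in '$($cert.PSParentPath)', not LocalMachine\My.") }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings.Add("Certificate expires $($cert.NotAfter).") }
    }

    [pscustomobject]@{
        PolicyTemplate     = $configured
        ListenerThumbprint = $thumbprint
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        NotAfter           = $cert.NotAfter
        Findings           = $findings.ToArray()
        Passed             = ($findings.Count -eq 0)
    }
}

Test-RdpListenerCertificate
```

If Passed is false right after the policy refresh, look at the CA's Failed Requests and Pending Requests views before touching the template; a Read/Enroll permission gap on the Security tab shows up there as a denied request, not as an error on the server.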

(Screenshots: the GPO setting configured using the template name, and the same setting configured using the template OID.)

When setting the certificate template name for the RDP template in the GPO, the template's OID may be used instead of the template name. The OID is shown on the Extensions tab under Certificate Template Information, or via certutil: certutil -adtemplate -v "<template name>". It is stored in the template object's msPKI-Cert-Template-OID attribute, which is also what the GPO-driven enrollment matches against.
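The end-to-end check is what a client sees. Rather than opening mstsc and reading the dialog, the following PowerShell is an added example (not from the original post) that opens TCP 3389, sends the X.224 Connection Request that every RDP client starts with, asks for TLS or CredSSP security, completes the TLS handshake and reports the certificate the server presented. It assumes the port is reachable and that the server allows TLS-based security (the Windows default); the function names are mine, and the byte layouts follow MS-RDPBCGR.

```powershell
# Added example (not from the original post): probe an RDP listener and report its certificate.

function Read-Exact([System.IO.Stream]$Stream, [int]$Count) {
    # Read exactly $Count bytes or fail; TCP may deliver the response in pieces.
    $buffer = New-Object byte[] $Count
    $offset = 0
    while ($offset -lt $Count) {
        $n = $Stream.Read($buffer, $offset, $Count - $offset)
        if ($n -le 0) { throw 'Connection closed by peer' }
        $offset += $n
    }
    return ,$buffer
}

function Get-RdpServerCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 3389,
        [int]$TimeoutMs = 5000
    )

    $client = [System.Net.Sockets.TcpClient]::new()
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $client.Connect($ComputerName, $Port)
    try {
        $stream = $client.GetStream()

        # TPKT header + X.224 Connection Request + RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1).
        # requestedProtocols = PROTOCOL_SSL | PROTOCOL_HYBRID (0x03): a server that requires
        # NLA answers with HYBRID, one that does not answers with SSL; both run over TLS.
        $tpkt   = 0x03, 0x00, 0x00, 0x13                          # version 3, total length 19
        $x224   = 0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00        # CR-TPDU, no cookie
        $negReq = 0x01, 0x00, 0x08, 0x00, 0x03, 0x00, 0x00, 0x00  # type 1, flags 0, length 8
        [byte[]]$request = $tpkt + $x224 + $negReq
        $stream.Write($request, 0, $request.Length)

        # Read one TPKT: 4-byte header carrying the total length, then the rest.
        $header = Read-Exact $stream 4
        if ($header[0] -ne 0x03) { throw "No TPKT response from ${ComputerName}:$Port" }
        $length = ($header[2] -shl 8) -bor $header[3]
        $body   = Read-Exact $stream ($length - 4)

        # body = 7-byte X.224 Connection Confirm + 8-byte RDP_NEG_RSP / RDP_NEG_FAILURE.
        if ($body.Length -lt 15) { throw 'Server offers Standard RDP Security only; no TLS certificate to inspect.' }
        if ($body[7] -ne 0x02)   { throw ("Server refused TLS/NLA security (RDP_NEG_FAILURE code 0x{0:X2})" -f $body[11]) }
        $selected = $body[11]    # 1 = TLS, 2 = CredSSP (NLA) over TLS

        # Accept any certificate: the point is to inspect it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($stream, $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        $ekus = foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($eku in $ext.EnhancedKeyUsages) { $eku.Value }
            }
        }

        [pscustomobject]@{
            ComputerName     = $ComputerName
            SecurityLayer    = if ($selected -eq 2) { 'CredSSP' } else { 'TLS' }
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            SelfSigned       = ($cert.Subject -eq $cert.Issuer)
            HasRdpAuthEku    = (@($ekus) -contains '1.3.6.1.4.1.311.54.1.2')
            ChainTrusted     = $cert.Verify()   # evaluated on this client, like mstsc would
        }
    } finally {
        $client.Dispose()
    }
}

Get-RdpServerCertificate -ComputerName 'server01.example.com'
```

A host that has picked up the GPO reports SelfSigned false, HasRdpAuthEku true and ChainTrusted true; a host still on its generated certificate reports SelfSigned true, which is exactly the condition that produces the "identity of the remote computer cannot be verified" dialog. Run it against a list of hosts before and after the GPO is linked and you have a before/after record of the rollout.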

Jake Grandlienard

About Jake Grandlienard

Jacob Grandlienard brings more than 19 years of industry experience as a senior level engineer. He has spent the past 10 years designing, leading, and training clients in Public Key Infrastructure (PKI) implementations for medium to enterprise-scale Fortune 500 companies. He specializes in PKI implementations of Microsoft-based identity solutions, including Microsoft Active Directory Certificate Services (ADCS) as well as integration with other security and identity management technologies. Jacob is a subject matter expert in PKI, mobile device management software, smart card management software, and Hardware Security Module (HSM) integration.
