Listener Certificate Configurations in Windows Server 2012 / 2012 R2
Published Mar 16 2019 05:25 AM 12.2K Views
First published on TECHNET on May 28, 2014

Hello AskPerf!  Kiran Kadaba here to talk about configuring Listener Certificates.

When we have the Remote Desktop Session Host role installed on a server, or have the server as part of an RDS collection/deployment, it’s quite easy to configure certificate through the connection broker UI.

We have received a high amount of inquires on how we can configure certificates if the server is not part of a deployment, and is simply being configured for ‘Remote Desktop for Administration’.

In Windows 2003/2008/2008 R2, we had the ‘Remote Desktop Configuration Manager’ MMC snap-in which allowed us direct access to the RDP Listener. Here we could bind a certificate to the listener and in turn, enforce SSL security for the RDP sessions.

In Windows 2012, we no longer have this MMC snap-in, nor do we have direct access to the RDP listener. You can follow the below steps to configure the certificates on Windows 2012/2012 R2.

This can be achieved in 2 ways:

Method 1:  Using WMI

The configuration data for the RDS Listener is stored in the ‘Win32_TSGeneralSetting’ class in WMI under the ‘Root\CimV2\TerminalServices’ namespace.

The certificate for the RDS listener is referenced through the ‘Thumbprint’ value of that certificate on a property called ‘SSLCertificateSHA1Hash’.

This thumbprint value is unique to each certificate. You can find the value using the following steps:

1. Open the properties dialog for your certificate and select the Details tab

2. Scroll down to the Thumbprint field and copy the space delimited hex string into something like Notepad

Here is what the certificate thumbprint will look like in the certificate properties:

Once I copy this into notepad, it will look as follows:

After I remove the spaces, it will still contain the invisible ASCII character that will only be visible in the command prompt (shown below):

Ensure that this ASCII character is removed before we run the command to import the certificate

3. Remove all the spaces from the string. (Keep in mind that there may be an ‘invisible’ ACSII character that also gets copied. This is not visible in Notepad. Only way to validate, would be to copy directly into the command prompt window.)

4. This is the value you need to set in WMI. It should look something like this: 1ea1fd5b25b8c327be2c4e4852263efdb4d16af4.

Now that you have the thumbprint value, here's a one-liner you can use to set the value using wmic:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

This solution would work on Windows 7 and Windows 8 systems as well.

Note: The certificate you want to use, must be imported to the 'Personal' Certificate Store for the Machine account, before you run the above commands. Failure to do so will result in a “Invalid Parameter” error.

Option 2:  Registry edits

  1. Install a server authentication certificate to the ‘Personal’ Certificate Store, using the Computer account.
  2. Create the following registry value containing the certificate’s SHA1 hash to configure this custom certificate to support TLS instead of using the default self-signed certificate.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    Value name:  SSLCertificateSHA1Hash
    Value type:  REG_BINARY
    Value data:  <certificate thumbprint>
    The value should be the thumbprint of the certificate separated by comma ‘,’ and no empty spaces. For example, if you were to export that registry key the SSLCertificateSHA1Hash value would look like this:

3. The Remote Desktop Host Services service runs under the NETWORK SERVICE account. Therefore, it is necessary to set the ACL of the key file used by RDS (referenced by the certificate named in the SSLCertificateSHA1Hash registry value) to include NETWORK SERVICE with "Read" permissions. To modify the permissions follow the steps below:
Open the Certificates snap-in for the local computer:

    1. Click Start , click Run , type mmc , and click OK .
    2. On the File menu, click Add/Remove Snap-in .
    3. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates , and click Add .
    4. In the Certificates snap-in dialog box, click Computer account , and click Next .
    5. In the Select Computer dialog box, click Local computer: (the computer this console is running on) , and click Finish .
    6. In the Add or Remove Snap-ins dialog box, click OK .
    7. In the Certificates snap-in, in the console tree, expand Certificates (Local Computer) , expand Personal , and navigate to the SSL certificate that you would like to use.
    8. Right-click the certificate, select All Tasks , and select Manage Private Keys .
    9. In the Permissions dialog box, click Add, type NETWORK SERVICE , click OK, select Read under the Allow checkbox, then click OK .


1 Comment
Version history
Last update:
‎Mar 16 2019 05:25 AM
Updated by: