惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
News and Events Feed by Topic
V
V2EX
博客园 - 【当耐特】
Vercel News
Vercel News
雷峰网
雷峰网
爱范儿
爱范儿
WordPress大学
WordPress大学
云风的 BLOG
云风的 BLOG
S
Securelist
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Azure Blog
Microsoft Azure Blog
F
Full Disclosure
有赞技术团队
有赞技术团队
Hugging Face - Blog
Hugging Face - Blog
NISL@THU
NISL@THU
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Attack and Defense Labs
Attack and Defense Labs
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
Microsoft Security Blog
Microsoft Security Blog
腾讯CDC
P
Proofpoint News Feed
B
Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
K
Kaspersky official blog
I
InfoQ
Google Online Security Blog
Google Online Security Blog
L
LINUX DO - 最新话题
Project Zero
Project Zero
Engineering at Meta
Engineering at Meta
V
Visual Studio Blog
AI
AI
Schneier on Security
Schneier on Security
B
Blog RSS Feed
T
Tor Project blog
H
Help Net Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
L
LINUX DO - 热门话题
阮一峰的网络日志
阮一峰的网络日志
S
Security @ Cisco Blogs
T
Threat Research - Cisco Blogs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
C
Cyber Attacks, Cyber Crime and Cyber Security
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
V2EX - 技术
V2EX - 技术
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
A
Arctic Wolf
Webroot Blog
Webroot Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main

Blog on KittenLabs

Marantz UD5007 power supply replacement GPD Pocket 4 Speaker DSP Extreme Pi Boot Optimization WiFi auth with OsmoHLR/SIM cards Windows 11 tweaks & usability improvements Using custom domains as a Fediverse redirect 25GBit/s on macOS & iOS Reviving a dead Gigabyte MJ11-EC1 mainboard Dead TROTEC PAC2000S air conditioner PlutoSDR standalone ADS-B FR24 feeder Micro8088 build log OpenWRT als WireGuard-Appliance GPS locked Raspberry Pi Es'hail-2 transceiver setup ThinkPad PowerSeries 820 PlutoSDR clock input WiFi over satellite TV coax
Manage RDP certificates on Windows using SSH
By Manawyrm (@manawyrm@chaos.social) | Friday, December 15, 2023 · 2023-12-15 · via Blog on KittenLabs

Push TLS certificates to a Windows machine from any SSH-capable machine (like a Linux box). Useful to deploy self-signed or Let’s Encrypt certificates for services like RDP or web servers.

Windows can use normal TLS certificates to authenticate RDP sessions. This gets rid of the annoying RDP certificate warnings: RDP certificate warning dialog

Using real, signed certificates for RDP offers a way to enhance security (preventing man-in-the-middle attacks) and reduce alert fatigue.

Prerequisites

  • SSH-capable machine with valid certificates (self-signed, Let’s Encrypt, etc.)
  • SSH private/public key pair on that machine
  • Modern Windows installation (Windows 11 Pro was tested)
  • Hostnames for the Windows machine

Install OpenSSH server

Read through the following help pages:

tl;dr:

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

# Confirm the Firewall rule is configured. It should be created automatically by setup. Run the following to verify
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
}

Configure OpenSSH server

Open C:\ProgramData\ssh\sshd_config with a text editor running as Administrator (Notepad++ works well) and disable password logins. Find the following line:

#PasswordAuthentication yes

and change it to:

PasswordAuthentication no

Create C:\ProgramData\ssh\administrators_authorized_keys and put the SSH public key of the deploy box into the file.

Open a shell with administrator/elevated permissions and run:

icacls.exe "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"

to set the permissions of the authorized_keys file to be only accessible by SYSTEM and the administrative group.

Then start and enable the sshd service:

# Start the sshd service
Start-Service sshd

# Autostart sshd
Set-Service -Name sshd -StartupType 'Automatic'

Test SSH connection

Try to log onto the windows machine from your deploy box:

ssh myuser@windowsbox.example.com

Acknowledge the fingerprint warning and check if you get dropped into a cmd.exe shell.

certimport.ps1

On our deploy box, we’ll create a PowerShell script called certimport.ps1. Change example.com to the CN of your certificate. The certificate can have more hosts in the SAN fields, but the CN is used for managing/cleanup of old certificates.

$domain = "example.com"

# Import pkcs.pfx into the local key store
$pfxfile = "pkcs.pfx"
$CertificatePassword = ""
$certRootStore = "LocalMachine"
$certStore = "My"
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$pfx.Import($pfxfile,$CertificatePassword,"Exportable,PersistKeySet,MachineKeySet")
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore)
$store.Open('ReadWrite')
$store.Add($pfx)
$store.Close()
$certThumbprint = $pfx.Thumbprint

# Set RDP certificate thumbprint to the new certificate
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="$certThumbprint"

Write-Output $pfx.Thumbprint

# Remove all old certificates from LetsEncrypt, for this domain and not using the new thumbprint
$date = Get-Date
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore)
$store.Open('ReadWrite')
foreach($cert in $store.Certificates) {
  if($cert.Subject -eq "CN=$domain" -And $cert.Issuer.Contains("Let's Encrypt") -And $cert.Thumbprint -ne $certThumbprint) {
    Write-Log "Removing certificate $($cert.Thumbprint)"
    $store.Remove($cert)
  }
}
$store.Close()

Renew script

To upload the certificate to the windows box, run the following commands (manually or in your renew script):

openssl pkcs12 -passout pass: -keypbe NONE -certpbe NONE -nodes -export -out pkcs.pfx -in /home/acme/.acme.sh/example.com/fullchain.cer -inkey /home/acme/.acme.sh/example.com/example.com.key
scp certimport.ps1 myuser@windowsbox.example.com:
scp pkcs.pfx myuser@windowsbox.example.com:
ssh myuser@windowsbox.example.com "powershell ~/certimport.ps1 && del certimport.ps1 && del pkcs.pfx"

OpenSSL takes the full certificate chain (certificate + intermediate certs) and the private key and converts them into a PKCS12/PFX file.
SCP/SFTP is used to copy both the certimport.ps1 script and the pkcs.pfx certificate to the Windows machine.
The final SSH command then:

  • runs the powershell script
  • imports the certificate
  • sets the thumbprint for RDP
  • removes old certificates from Let’s Encrypt, with the same CN/domain and a different thumbprint
  • cleans itself and the certificate file up

Terminal, showing “renew.sh” running and updating RDP certificates

Troubleshooting

You can run certlm.msc to check the imported certificates:

certlm.msc, showing a certificate, including private key

At the bottom of the “details” tab, the SHA1 fingerprint is shown:

certlm.msc, displaying the certificates fingerprint info

You can check the currently configured RDP fingerprint by running:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash

wmic, displaying the configured fingerprint