{"id":223,"date":"2017-11-28T20:59:40","date_gmt":"2017-11-28T20:59:40","guid":{"rendered":"http:\/\/www.edrockwell.com\/blog\/?p=223"},"modified":"2017-11-30T22:08:51","modified_gmt":"2017-11-30T22:08:51","slug":"add-ad-ca-certificate-windows-2012-rdp-pci-compliance","status":"publish","type":"post","link":"https:\/\/www.edrockwell.com\/blog\/add-ad-ca-certificate-windows-2012-rdp-pci-compliance\/","title":{"rendered":"How to add a AD CA certificate to Windows 2012 RDP for PCI compliance"},"content":{"rendered":"<p>For PCI compliance, RDP (port 3389) must negotiate TLSv1.1 or TLSv1.2, and the certificate it presents must carry the same name as the server. Most servers use self-signed certificates, which are not acceptable for PCI compliance.<\/p>\n<p>To fix this, you have to re-issue new certificates from a trusted CA. Use an internal CA within your company to avoid the cost of purchasing and maintaining certificates for RDP services.<\/p>\n<h2>How to issue and import a certificate:<\/h2>\n<p>Issue a certificate from your Root CA. 
You can go through the process I&#8217;ve outlined to create a certificate using OpenSSL.<\/p>\n<p>Import the certificate into the store using MMC with the Certificates snap-in added.<\/p>\n<p>Move the Root and Intermediate certificates to their correct stores.<\/p>\n<p>Get the SHA1 thumbprint from the certificate: open the certificate, go to the &#8220;Details&#8221; tab, scroll down past the Thumbprint algorithm field and select &#8220;Thumbprint&#8221;.<br \/>\nHighlight the thumbprint.<br \/>\nCopy the thumbprint into a command shell and remove the spaces and the hidden character at the beginning.<\/p>\n<p>Put the thumbprint in this command and run it on the server:<\/p>\n<pre class=\"lang:batch decode:true \" title=\"Command to change RDP Certificate\">wmic \/namespace:\\\\root\\cimv2\\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=\"&lt;EnterSHA1ThumbprintHere&gt;\"<\/pre>\n<p>Restart Remote Desktop Services. Note: this will disconnect you from your RDP session.<\/p>\n<p>Log back in; you should no longer be prompted about the certificate.<\/p>\n<p>Retest by scanning the server with Nessus or another approved scanning tool.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For PCI compliance, RDP (port 3389) must negotiate TLSv1.1 or TLSv1.2, and the certificate it presents must carry the same name as the server. Most servers use self-signed certificates, which are not acceptable for PCI compliance. To fix this, you have to re-issue new certificates from a trusted CA. 
You should [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[68,67,92],"tags":[98,97],"class_list":["post-223","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-certificates","category-pci","tag-issue-certificate","tag-rdp-certificate"],"aioseo_notices":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>How to add a AD CA certificate to Windows 2012 RDP for PCI compliance - System Admin [RESOLVED]<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.edrockwell.com\/blog\/add-ad-ca-certificate-windows-2012-rdp-pci-compliance\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to add a AD CA certificate to Windows 2012 RDP for PCI compliance - System Admin [RESOLVED]\" \/>\n<meta property=\"og:description\" content=\"For PCI compliance, a requirement is to have RDP port 3389 connect with TLSv1.1 or TLSv1.2 and have the certificate have the same name as the server. Most servers issue self signed certificates which is not acceptable with PCI compliance. To fix this, you have to re-issue new certificates from a trusted CA. 
You should [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.edrockwell.com\/blog\/add-ad-ca-certificate-windows-2012-rdp-pci-compliance\/\" \/>\n<meta property=\"og:site_name\" content=\"System Admin [RESOLVED]\" \/>\n<meta property=\"article:published_time\" content=\"2017-11-28T20:59:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-11-30T22:08:51+00:00\" \/>\n<meta name=\"author\" content=\"Ed Rockwell\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@EddieRock\" \/>\n<meta name=\"twitter:site\" content=\"@EddieRock\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ed Rockwell\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.edrockwell.com\/blog\/add-ad-ca-certificate-windows-2012-rdp-pci-compliance\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.edrockwell.com\/blog\/add-ad-ca-certificate-windows-2012-rdp-pci-compliance\/\"},\"author\":{\"name\":\"Ed Rockwell\",\"@id\":\"https:\/\/www.edrockwell.com\/blog\/#\/schema\/person\/e181b98aceccea720abee0c25bbfbcd7\"},\"headline\":\"How to add a AD CA certificate to Windows 2012 RDP for PCI compliance\",\"datePublished\":\"2017-11-28T20:59:40+00:00\",\"dateModified\":\"2017-11-30T22:08:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.edrockwell.com\/blog\/add-ad-ca-certificate-windows-2012-rdp-pci-compliance\/\"},\"wordCount\":234,\"commentCount\":0,\"keywords\":[\"Issue Certificate\",\"RDP Certificate\"],\"articleSection\":[\"Active 
Directory\",\"Certificates\",\"PCI\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.edrockwell.com\/blog\/add-ad-ca-certificate-windows-2012-rdp-pci-compliance\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.edrockwell.com\/blog\/add-ad-ca-certificate-windows-2012-rdp-pci-compliance\/\",\"url\":\"https:\/\/www.edrockwell.com\/blog\/add-ad-ca-certificate-windows-2012-rdp-pci-compliance\/\",\"name\":\"How to add a AD CA certificate to Windows 2012 RDP for PCI compliance - System Admin [RESOLVED]\",\"isPartOf\":{\"@id\":\"https:\/\/www.edrockwell.com\/blog\/#website\"},\"datePublished\":\"2017-11-28T20:59:40+00:00\",\"dateModified\":\"2017-11-30T22:08:51+00:00\",\"author\":{\"@id\":\"https:\/\/www.edrockwell.com\/blog\/#\/schema\/person\/e181b98aceccea720abee0c25bbfbcd7\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.edrockwell.com\/blog\/add-ad-ca-certificate-windows-2012-rdp-pci-compliance\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.edrockwell.com\/blog\/add-ad-ca-certificate-windows-2012-rdp-pci-compliance\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.edrockwell.com\/blog\/add-ad-ca-certificate-windows-2012-rdp-pci-compliance\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.edrockwell.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to add a AD CA certificate to Windows 2012 RDP for PCI compliance\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.edrockwell.com\/blog\/#website\",\"url\":\"https:\/\/www.edrockwell.com\/blog\/\",\"name\":\"System Admin [RESOLVED]\",\"description\":\"How To: Make My DevOps Life 
Easier\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.edrockwell.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.edrockwell.com\/blog\/#\/schema\/person\/e181b98aceccea720abee0c25bbfbcd7\",\"name\":\"Ed Rockwell\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/dea3152d7acd78aa28d280207c33f7ec516731ece9a54249cbbbebcfffc341e0?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/dea3152d7acd78aa28d280207c33f7ec516731ece9a54249cbbbebcfffc341e0?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/dea3152d7acd78aa28d280207c33f7ec516731ece9a54249cbbbebcfffc341e0?s=96&d=mm&r=g\",\"caption\":\"Ed Rockwell\"},\"sameAs\":[\"http:\/\/www.therockwells.net\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.edrockwell.com\/blog\/wp-json\/wp\/v2\/posts\/223","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.edrockwell.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.edrockwell.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.edrockwell.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.edrockwell.com\/blog\/wp-json\/wp\/v2\/comments?post=223"}],"version-history":[{"count":2,"href":"https:\/\/www.edrockwell.com\/blog\/wp-json\/wp\/v2\/posts\/223\/revisions"}],"predecessor-version":[{"id":229,"href":"https:\/\/www.edrockwell.com\/blog\/wp-json\/wp\/v2\/posts\/223\/revisions\/229"}],"wp:attachment":[{"href":"https:\/\/www.edrockwell.com\/blog\/wp-json\/wp\/v2\/media?parent=223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.edrockwell.com\/blog\/wp-json\/wp\/v2\/categories?post=223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.edrockwell.com\/blog\/wp-json\/wp\/v2\/tags?post=223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}