Create Self-Signed Certificate for Windows

I ran into an issue with a Windows server that lost its self-signed certificate (the circumstances surrounding this event are embarrassing, and therefore, irrelevant).  I needed to recreate the self-signed cert in order to Remote Desktop to the machine, but could not find a lot of references on doing so after a moderately exhaustive search online.  I found some generic OpenSSL references to self-signed certs scattered around (none specific to Windows) and pulled them together below.  So, if you’re in need of a self-signed cert for a Windows server in order to RDP, follow the directions below.

Download the OpenSSL Windows binaries.

Copy the contents of the Zip file to C:\openssl\ssl (this location is important due to hard-coded references within the binary).

Navigate to C:\openssl\ssl in Windows Explorer.  You’ll need to edit the openssl.cnf file to your specifications.  I uncommented and edited the keyUsage lines to equal dataEncipherment, keyEncipherment.  I added extendedKeyUsage = serverAuth as well.  These lines exist in several places in the file, and I’m sure they are for different configurations, but I was in a rush, so I didn’t experiment to find out exactly.

Open a command prompt and navigate to C:\openssl\ssl\bin.  Copy the following commands and follow the prompts to generate a self-signed cert that is usable to authenticate RDP connections:

openssl genrsa -des3 -out RDP.key 2048

openssl rsa -in RDP.key -out RDP.nopass.key

#When you get to this line, the most important prompt will be "Common Name (eg, YOUR name) []".  This is where you input the FQDN of the Windows box
openssl req -new -key RDP.nopass.key -out RDP.csr -config ..\openssl.cnf

openssl req -text -noout -in RDP.csr

openssl x509 -req -days 3650 -in RDP.csr -signkey RDP.nopass.key -out RDP.crt -extensions v3_req -extfile ..\openssl.cnf

openssl pkcs12 -export -in RDP.crt -inkey RDP.nopass.key -out RDP.p12

Copy the RDP.p12 file to your target box and double click it to import.  Place it in the Remote Desktop cert store and reboot the box.

Remote Desktop connections will now work again.
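The same sequence as an added script (not part of the original post), run non-interactively from a POSIX shell such as Linux, WSL or Git Bash: the host name and output directory are constructed placeholders, and the keyUsage / extendedKeyUsage values the post edits into openssl.cnf are supplied from a separate extension file so the stock config stays untouched, with a check at the end that the extensions really landed in the certificate.

```shell
#!/bin/sh
# Added example, not from the original post: the same OpenSSL steps run
# non-interactively under a POSIX shell (Linux, WSL or Git Bash).
# HOST and OUT are constructed placeholders; pass your own as arguments.
set -eu

HOST="${1:-rdp-host.example.internal}"   # FQDN used as CN and SAN
OUT="${2:-./rdpcert}"
mkdir -p "$OUT"

# Stand-alone extension file carrying the keyUsage / extendedKeyUsage values
# the post adds to openssl.cnf, plus a subjectAltName: current RDP clients
# match the host name against the SAN rather than the CN.
cat > "$OUT/rdp.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = dataEncipherment, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF

make_rdp_cert() {
  # Key without a passphrase (the post's genrsa and rsa steps in one go).
  openssl genrsa -out "$OUT/RDP.nopass.key" 2048 2>/dev/null
  # CSR with the FQDN as Common Name; -subj replaces the interactive prompts.
  openssl req -new -key "$OUT/RDP.nopass.key" -out "$OUT/RDP.csr" \
    -subj "/CN=$HOST"
  # Self-sign for ten years, taking extensions from rdp.ext, not openssl.cnf.
  openssl x509 -req -days 3650 -in "$OUT/RDP.csr" \
    -signkey "$OUT/RDP.nopass.key" -out "$OUT/RDP.crt" \
    -extfile "$OUT/rdp.ext" 2>/dev/null
  # PKCS#12 bundle for import into the Windows certificate store.
  openssl pkcs12 -export -in "$OUT/RDP.crt" -inkey "$OUT/RDP.nopass.key" \
    -out "$OUT/RDP.p12" -passout pass:changeit
}

# Verify the issued certificate actually carries what the RDP listener needs;
# returns non-zero if serverAuth, keyEncipherment or the SAN is missing.
check_rdp_cert() {
  text=$(openssl x509 -in "$OUT/RDP.crt" -noout -text)
  echo "$text" | grep -q 'TLS Web Server Authentication' || return 1
  echo "$text" | grep -q 'Key Encipherment' || return 1
  echo "$text" | grep -q "DNS:$HOST" || return 1
}

make_rdp_cert
check_rdp_cert && echo "RDP.crt is ready: serverAuth, keyEncipherment, SAN DNS:$HOST"
```

If an older Windows build refuses to import the resulting .p12, OpenSSL 3 can re-run the pkcs12 -export step with its -legacy switch, which falls back to the older PKCS#12 encryption algorithms those builds understand.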
