Hey everybody, I want to explain to you how to get a valid SSL certificate for your RDP connection.
Note: A valid certificate is not the only thing to take care of. Also think about brute-force protection, cipher suites and client vulnerabilities.
Why
If you connect to your RDP listener you'll get a warning box like the following:
Of course you can still connect securely to the RDP listener by checking the certificate's hash, but I know from my own experience that you'll get tired after the 20th time and just click "Yes" or "Ok". It's like the "I accept the privacy statement" button.
How
Common SSL certificates are based on the X.509 standard. X.509 certificates form a hierarchy and are built on a key pair consisting of a public and a private key. You can imagine it like a cash box that you can close but not open without a key. The key to close the box is the public key. The private key (which is always in danger of being compromised) is used to decrypt encrypted information (open the box). That's based on a mathematical algorithm.
A PKI (public key infrastructure) defines this hierarchy. At the head of the PKI is the CA (certification authority). The public keys of established CAs (there are many companies) are stored in everybody's client software.
Strictly speaking there is also an RA (registration authority) that processes requests for certificates.
If you want a certificate you have to go to the RA and identify yourself, with an ID card for example. The RA tells the CA that it may issue a certificate for you. The CA signs the certificate with its private key, and you get a code to generate your private key on your local computer. That's important to know, because if the private key is generated by the CA company they could copy the file (I heard that StartSSL/StartCom generated private keys on their servers but I am not sure. See Wikipedia - StartCom).
So now you'll have a private key and a public key. You can send the public key to everybody you want, but keep the private key secured!
Historically it was a bonanza to be a CA, the best oligarchy ever: the companies demanded prices that a normal user cannot pay. So the Mozilla Foundation, the Electronic Frontier Foundation (EFF) and some other institutions founded "Let's Encrypt".
Practice
The registration process of Let's Encrypt is simple, and so are the certificates it issues (domain-validated, "class 1"):
- You request a certificate from the LE RA for your common name (CN) www.your.domain
- The RA sends you back a code. You have to place this code in a file under www.your.domain/.well-known/ (reachable on port 80)
- The LE RA servers check whether the code served at www.your.domain/.well-known/ equals the code that was sent to you
- If that's the case you get the certificate
All these steps should be done with a client program. For Windows I recommend "Win-ACME". If you are running a web server on a Linux system, "Certbot" is the tool for you.
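To show what that "code in a file" check actually compares, here is an added example (not part of the original post, and not Let's Encrypt's, Win-ACME's or Certbot's code): an in-memory simulation of the ACME HTTP-01 challenge from RFC 8555. The CA sends a random token, the client serves the token joined to a thumbprint of its own account key at /.well-known/acme-challenge/<token>, and the CA fetches that path and compares. The account JWK values and the token are constructed placeholders, and a plain dict stands in for the web server's document root.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data for the demo: a public account key as a JWK and a
# challenge token. These are placeholders, not real Let's Encrypt values.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate",
    "y": "placeholder-y-coordinate",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only,
    serialised as canonical JSON (sorted keys, no whitespace)."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The file content the client must serve: token '.' account-key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def publish_challenge(webroot: dict, token: str, jwk: dict) -> str:
    """Client side: put the key authorization at the well-known path."""
    path = f"/.well-known/acme-challenge/{token}"
    webroot[path] = key_authorization(token, jwk)
    return path


def validate_challenge(webroot: dict, token: str, jwk: dict) -> bool:
    """CA side: fetch the path over plain HTTP and compare it with what the
    CA expects for this account key. Trailing whitespace is ignored, and the
    comparison is constant-time."""
    body = webroot.get(f"/.well-known/acme-challenge/{token}")
    if body is None:
        return False
    return hmac.compare_digest(body.strip(), key_authorization(token, jwk))
```

Because the thumbprint is bound to the account key, a file copied from someone else's challenge does not validate for your account, and a token the CA never issued is never looked up.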
Was this article useful? Do you have questions? Just comment below...
Trivia
Google Webmaster Tools uses a similar verification to link your Google account with a website: there too, you have to place a file in your webspace before you can use Webmaster Tools.
More Information
Wikipedia - x.509
Wikipedia - Public key infrastructure
Github - Win-ACME
EFF - Certbot