Wednesday, June 15, 2011

Replacing Self Signed Remote Desktop Services Certificate on Windows 2008R2

I recently had an issue where users were no longer able to connect to a remote desktop services host because the certificate had expired. The error was:

“Remote Desktop Disconnected: Remote Desktop cannot connect to the remote computer because the authentication certificate received from the remote computer is expired or invalid.  In some cases, this might also be caused by a large time discrepancy between the client and the server computers.”

I knew that the times were correct, and after looking at the certificate, I realized it had expired.

I didn't see the need to buy a proper CA signed certificate for a server that was only accessible internally, so I decided to get rid of the old certificate and make the host create a new, self-signed certificate.

To do this:

 1. open mmc.exe (Microsoft Management Console)
 2. add the add-in - certificates (for the computer account) (and select local computer)
 3. navigate to the remote desktop folder -> certificates
 4. delete the certificate for the name of the server and close the mmc instance
 5. Go to: administrative tools -> remote desktop services -> remote desktop session host configuration
 6. Select the instance in the main window - rdp -tcp -> right click and select properties
 7. on the window that pops up, select default

Please Donate To Bitcoin Address: [[address]]

Donation of [[value]] BTC Received. Thank You.


Some IT Guy said...

Thanks for posting this, I found it very helpful in fixing an identical issue today, nearly identical situation, while the MS forums/Technet provided useless answers.

Anonymous said...

Very good! RDP recovered according to this post. Thanks.

peter.kerrigan said...

good god, this script had two errors in it! Here's the original webpage:

And the original (correct) makecert -n "CN=PowerShell Local Certificate Root" -a sha1 `
-eku -r -sv root.pvk root.cer `
-ss Root -sr localMachine

makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 `
-eku -iv root.pvk -ic root.cer

How did you manipulate Google to get your page ranked ahead of the MS source page?

Rivald said...

Script? What script?

Have you tried this on remote desktop services on 2008R2, or are you just assuming it's all the same. This is not talking about creating a cert for an IIS server... it's quite a bit more specific than that.

Sure, you can create a certificate with CLI tools (a la unix) but it's not even necessary in this instance.

There are no SEOs other than tags for each article. The article you posted to is just an article covering certificate creation on the CLI... plenty of articles covering that.

Anonymous said...

I know this post is fairly old but wanted to add something to it since I was looking at it just now with the same issue. The certifctae for RDS 2008 R2 is ALSO in under REMOTE DESKTOP SESSION HOST CONFIGURATION. Right-click on Connections (RDP-TCP) Properties.. GENERAL TAB.. Cetificate (located on the bottom of the page) click on select and actually select the public (purchased) cert otherwise when you launch the actual app for RDS from the web page it will still show the self-signed cet for it there even though the initial web page will show the verisign cert or whereever you bought it from.

- Glen R (Phoenix, AZ)

Anonymous said...

Great this worked for me after having RDP refusing connection for a while. THANK YOU.

Anonymous said...

Excellent post. I dealt with the "unsigned certificate" confirmations for months before I decided to actually look into the problem, and it was easy to fix following your instructions.

Thanks for the post

Anonymous said...

I created a self signed certificate and from remote desktop host configuration i added it to the RDP so that clients will have to be autheticated through ssl. after this, no more client can remote to the server (win 2008R2), what can i do next?

Rivald said...

You'll likely want to revert back to negotiate instead of SSL (in remote desktop session host conifugration) - at least until you can fix the issue.

I suspect that your clients are rejecting the self signed server certificate, but I'd have to look at the installation to tell.

a couple of useful links:

and a article which does a walk through of the necessary steps:

Nobody Special said...

Thank you very much for this post!

I used this information for an SBS2008 server to change from a self-signed to a verified third-party certificate. While I had already installed the certificate - and found it was enabled for our OWA/exchange/etc... I was still receiving the old self-signed certificate even after installing the shiny-new-paid-for certificate on our server with my remote administration login.

Using your instructions - I *added* the third-party certificate under the remote desktop folder step of your instructions [deleting the self-signed in this case - although I'm not certain that was necessary].

Also - under the admin tools part of your instructions (was terminal services -> terminal services configuration for SBS2008) I clicked "select" instead of default to pick the "paid-for" certificate.

I just wanted to say thank you very much for your post - you have helped make the internet a better place [in my opinion] :)

Neil Deadman said...


I was having the same issue. When I deleted the outdated certificate, connections work, but the user gets a warning about certificate errors.

This is when I found your post, but following the steps, didn't resolve the issue. No new cert is created so I still see the same error when RDPing to the server.

Any suggestions??

Thanks, Neil

Rivald said...

That's very odd. After you deleted the old certificate - which certificate do users see? The same expired certificate?

Mike said...

If you are also annoyed form Computer Security Certificate Error and looking for solution then Click Here