Colourful Norwich skyline illustration

Michael Sage

IT, Digital & Culture

Configure Windows Remote Desktop to use TLS with StartSSL

**Firstly it is important to note that StartSSL don’t currently have a trusted root CA.**

Firstly you will need to create you CSR. I do this from a Linux box as openssl is much easier from the command line. You can generate the CSR online or using various Windows tools.

Go to you Linux terminal and type the following

openssl req -out rdp.csr -new  -newkey rsa:4096 -nodes -keyout rdp.key

Open the CSR (nano rdp.csr) and copy the contents into the StartSSL certificate wizard.

You will now need to wait for StartSSL to generate your certificate, in my experience this is currently taking upto 24 hours, it used to be nearly instant.

Open the .crt file and save it on your Linux box as rdp.crt. You will also need to grab the StartSSL Intermediate cert from their site.

You now need to combine the two files. I tend to do this in nano or notepad++ depending on which environment I am working in.

Paste the contents of rdp.crt and this have a line break and paste the intermediate cert underneath it. Save this file, I normally save mine as rdp.pem.

Next we need to take this new file and turn it into a pfx file that Windows will understand. Simple go back to your Linux terminal with the new file and type the following

openssl pkcs12 -export -out rdp.pfx -inkey rdp.key -in rdp.pem

Now go to the windows machine you wish to use the certificate on making sure you have a copy of the rdp.pfx file!

You now need to open the certificate snap-in, the easiest way to do this is.

Start-> Run -> mmc add snapin certificates (Local Computer), select personal certificates and right click, choose All Tasks -> Import. Select the pfx file.

Copy the new cert (probably called and place a copy in Remote Desktops -> Certificates.

Double click the certificate and copy the Thumbprint (this is found at the bottom of the details list). You need to paste this Thumbprint into a new file and remove the spaces so you are left with a 40 digit string.

Open a command prompt as an administrator and type / paste the following:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=”


That’s it you have successfully installed a StartSSL Cert onto your Windows RDP server!