Automatic RDP Certificate on Windows 10 Pro With LetsEncrypt

I’m sick of the “this doesn’t have a certificate” warnings. I:

  • have a Windows 10 Pro machine
  • want to use a LetsEncrypt certificate for RDP connections.
  • don’t have an AD/IPA/whatever domain to join
  • have the machine’s hostname in Cloudflare DNS

In this example I’ll use workstation.example.com as the hostname I’ll connect to; change this to your own hostname.

  1. Install CertifyTheWeb.
  2. Copy this PowerShell script to somewhere you won’t delete it (eg. c:\scripts\update_rdp_certificate.ps1):

    # this grabs the certificate thumbprint and tells RDP to use it
    $HOSTNAME = "workstation.example.com"
    # Pick the newest unexpired certificate for the hostname: after a renewal (or a
    # staging run) the store can hold several certificates with the same subject.
    $THUMBPRINT = (Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $HOSTNAME -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1).Thumbprint

    if (!$THUMBPRINT) {
        Write-Host "Failed to find certificate thumbprint for ${HOSTNAME}, quitting."
    } else {
        Write-Host "Found certificate thumbprint for ${HOSTNAME}: ${THUMBPRINT}"
        Write-Host "Configuring RDP"
        # Point the RDP-Tcp listener at the certificate by SHA1 thumbprint
        & wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="$THUMBPRINT"
        Write-Host "Done!"
    }
  3. Open CertifyTheWeb.
  4. Register a contact for LetsEncrypt with some contact details under both the normal and test modes. Test mode is enabled by clicking on the Advanced tab and ticking the Use Staging Mode (Test Certificates) box.
  5. Click New Certificate.
  6. Select Certificate on the right if it’s not already selected.
  7. In the Domains tab, enter the full hostname you’ll use to connect to the machine, i.e. workstation.example.com. Remember to click the green + next to the domain name to add it to the list. [Screenshot: New RDP Certificate tab]
  8. On the Advanced tab, set the Certificate Authority to LetsEncrypt. Until you’re sure everything works, tick the Use Staging Mode (Test Certificates) box.
  9. Click on Authorisation on the right.
  10. Change the Challenge Type to dns-01 and the DNS Update Method to Cloudflare DNS API.
  11. Add a new Credential: a Cloudflare API token.
    • You’ll need to give it permission to edit the DNS zone you want to issue certificates for.
  12. Select the zone you want to issue the certificate under by clicking the ... next to DNS Zone ID and selecting the zone name.
  13. Click Deployment on the right.
  14. Set the Deployment Mode to Certificate Store Only, since we won’t be assigning this to any IIS websites.
  15. Click Tasks on the right and add a Deployment Task of Run PowerShell Script.
  16. On the Task Parameters tab, set the Program/Script to the path of your script (eg. c:\scripts\update_rdp_certificate.ps1).
  17. Click Preview on the right and check everything seems OK. [Screenshot: Preview your changes]
  18. Click Test to make sure things work the way they should.
  19. Click Request Certificate and see how it works!

Remember to set the authority back to the production one and re-issue when you’re done. :)
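Added check script (not from the original post or from CertifyTheWeb): it reports which certificate the RDP listener is actually presenting, so you can confirm the deployment task applied and that you are no longer on a staging certificate. It assumes the default listener name RDP-Tcp, reads the same Win32_TSGeneralSetting class the script above writes, and the 14-day expiry threshold is an arbitrary choice.

```powershell
# Added check script: which certificate is the RDP listener using, and is the
# listener configured for TLS + NLA? Assumes the default listener "RDP-Tcp".
$ListenerName = 'RDP-Tcp'
$Listener = Get-CimInstance -Namespace 'root/CIMV2/TerminalServices' `
    -ClassName 'Win32_TSGeneralSetting' -Filter "TerminalName='$ListenerName'"
$Hash = $Listener.SSLCertificateSHA1Hash

# The configured cert lives either in My (our LetsEncrypt cert) or in the
# "Remote Desktop" store (Windows' auto-generated self-signed cert); check both.
$Cert = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' |
    Where-Object { $_.Thumbprint -eq $Hash } | Select-Object -First 1

if (-not $Cert) {
    Write-Warning "Listener $ListenerName references thumbprint $Hash but no such certificate is installed."
} else {
    Write-Host "Listener  : $ListenerName"
    Write-Host "Subject   : $($Cert.Subject)"
    Write-Host "Issuer    : $($Cert.Issuer)"
    Write-Host "Thumbprint: $($Cert.Thumbprint)"
    Write-Host "Expires   : $($Cert.NotAfter)"

    # LetsEncrypt staging intermediates carry names like "(STAGING) ..." or
    # "Fake LE ..."; this is a heuristic, not an authoritative check.
    if ($Cert.Issuer -match 'STAGING|Fake LE') {
        Write-Warning "Staging certificate in use; clients will still see a trust warning."
    }
    if ($Cert.Issuer -eq $Cert.Subject) {
        Write-Warning "Certificate is self-signed; the deployment task has not applied."
    }
    # 14 days is an arbitrary threshold chosen for this check.
    $DaysLeft = [int]($Cert.NotAfter - (Get-Date)).TotalDays
    if ($DaysLeft -lt 14) {
        Write-Warning "Certificate expires in $DaysLeft days; check the CertifyTheWeb renewal."
    }
}

# SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS only.
# Only 2 guarantees every client sees the certificate above.
$Layers = @{ 0 = 'RDP (legacy)'; 1 = 'Negotiate'; 2 = 'TLS' }
Write-Host "SecurityLayer: $($Layers[[int]$Listener.SecurityLayer])"
if ($Listener.SecurityLayer -lt 2) {
    Write-Warning "SecurityLayer lets clients fall back to legacy RDP security."
}
if ($Listener.UserAuthenticationRequired -ne 1) {
    Write-Warning "Network Level Authentication is not required."
}
```

Run it from an elevated PowerShell prompt after the CertifyTheWeb task has executed; a self-signed or staging warning means the listener is not yet using the production certificate.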

#letsencrypt #windows #powershell #RDP #automation #security