PKI - Request Internal CA certificate for Workgroup RDP Service

Manoj Prabhu 1 Reputation point
2022-09-10T12:47:35.447+00:00

We have an internal CA server for issuing certificates and we are using it for domain-joined servers.
I need to know what the prerequisites are to install an internal CA certificate on a workgroup server for RDP.
Could I get the steps to perform?


4 answers

  1. JimmySalian-2011 41,916 Reputation points
    2022-09-10T13:40:13.873+00:00

    Hi,

    If the servers are not domain joined and they are part of a workgroup, you need to stand up a CA infrastructure and manually issue the certs for the apps and servers.

    Detailed steps are in this article: sg_installcertificatesinworkgroupmsandrs.htm

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
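The manual route described in this answer (create a request on the workgroup server, have the internal CA sign it, bind the issued certificate to the RDP listener), written out as a PowerShell script. This is an added example, not code from the answer or from the linked article; the host name, paths and CA config string are placeholders, and it assumes the INF-based `certreq` workflow and the `Win32_TSGeneralSetting` WMI class that Remote Desktop Services exposes.

```powershell
# Added example: manual certificate enrollment for the RDP listener on a
# workgroup (non-domain-joined) Windows Server. Host name, directory and CA
# config string are placeholders, not values from the thread.
$Fqdn    = "rdp-host01.example.local"   # assumed: the name clients type into mstsc
$WorkDir = "C:\Temp\rdp-cert"
$InfPath = Join-Path $WorkDir "rdp.inf"
$ReqPath = Join-Path $WorkDir "rdp.req"
$CerPath = Join-Path $WorkDir "rdp.cer" # the certificate returned by the internal CA

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Request template: Server Authentication EKU, FQDN in the SAN, key in the
#    machine store (the RDP service, not a user, has to open the private key).
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0            ; Digital Signature, Key Encipherment
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1    ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn"
"@ | Set-Content -Path $InfPath -Encoding ASCII

# 2. Generate the key pair and the CSR locally. Only the CSR leaves this box;
#    the private key stays in the machine store.
certreq.exe -new $InfPath $ReqPath

# --- Out of band: submit rdp.req to the internal CA (web enrollment, or from a
#     domain-joined admin workstation) and save the issued cert as rdp.cer:
#       certreq.exe -submit -config "CA01.example.local\Example Issuing CA" rdp.req rdp.cer
#     The CA config string above is a placeholder.

if (Test-Path $CerPath) {
    # 3. Accept the issued cert: this pairs it with the pending private key.
    certreq.exe -accept $CerPath

    # The workgroup server has no AD to push the internal root to it, so import
    # the root (and any intermediate) CA certs by hand; clients need the root too.
    # Import-Certificate -FilePath "$WorkDir\root.cer" -CertStoreLocation Cert:\LocalMachine\Root

    # 4. Find the new cert and let the RDP service read its private key
    #    (the listener runs as NETWORK SERVICE; CSP keys live under MachineKeys).
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
    icacls.exe $keyFile /grant "NT AUTHORITY\NETWORK SERVICE:R" | Out-Null

    # 5. Point the RDP-Tcp listener at the certificate by thumbprint.
    $rdp = Get-CimInstance -Namespace root\cimv2\TerminalServices `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $rdp | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }

    # While here: require TLS as the security layer and Network Level Authentication,
    # otherwise the new certificate does little for the connection.
    $rdp | Invoke-CimMethod -MethodName SetSecurityLayer -Arguments @{ SecurityLayer = 2 }
    $rdp | Invoke-CimMethod -MethodName SetUserAuthenticationRequired -Arguments @{ UserAuthenticationRequired = 1 }
}
```

The subject and SAN must match the name clients connect with (IP or short name connections will still show a name-mismatch warning), and nothing in this flow renews the certificate for you: with no autoenrollment on a workgroup host, steps 2 to 5 have to be repeated before expiry.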


  2. JimmySalian-2011 41,916 Reputation points
    2022-09-10T14:01:24.653+00:00

    Hi Manoj,

    For the CRL you will need to provide access to the PKI servers, unless you manually publish it to the servers so they can have it, but that will require some scripts or scheduled tasks.

    Yes, some sort of DNS resolution is required, either hosts file entries or an IP address, unless you are okay with the security aspects.

    Hope this helps.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  3. Manoj Prabhu 1 Reputation point
    2022-09-10T14:39:34.893+00:00

    Okay. Below is my understanding based on your comment:

    1. If we are issuing a certificate to a workgroup server by manually importing the internal CA certificate for any service (e.g. RDP), it doesn't require port communication towards the CRL (distribution point) and there is no need to have DNS resolution.
    2. If we want to issue a certificate to a workgroup server by autoenrollment, we need to have port communication allowed to the PKI CRL, and a host record of the PKI server needs to be added in the workgroup server's hosts file for resolution.

    Let me know if my understanding is correct.

    Actually, I am going to perform this on a production workgroup server for RDP access.
    We have a self-signed certificate installed for RDP; as it's considered vulnerable, I'm planning to install an internal CA certificate for the RDP service.


  4. JimmySalian-2011 41,916 Reputation points
    2022-09-10T15:15:19.953+00:00

    Yes for both the questions, Manoj. If the environment is isolated I will leave it as manual enrollment, but keep a reminder to renew my certificates just before the expiry.

    Good luck and hope it helps.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
    Please don't forget to upvote and Accept as answer if the reply is helpful
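The two operational points raised in this thread (whether the workgroup host can actually reach the CRL distribution point by name, and remembering to renew a manually enrolled certificate) can be turned into a check that runs on the server itself. This is an added example, not the answerer's script; the CA host name and CRL URL are placeholders, and it assumes the certificate has already been bound to the RDP-Tcp listener so it can be read back from `Win32_TSGeneralSetting`.

```powershell
# Added example: verify the RDP listener certificate on a workgroup server and
# warn ahead of expiry. CA host and CRL URL below are placeholders.
$RenewWarningDays = 30
$CdpUrl = "http://ca01.example.local/CertEnroll/Example%20Issuing%20CA.crl"  # assumed CDP
$Source = "RdpCertCheck"

# Which certificate is RDP really presenting? Read the thumbprint back from the listener.
$rdp  = Get-CimInstance -Namespace root\cimv2\TerminalServices `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$cert = Get-Item "Cert:\LocalMachine\My\$($rdp.SSLCertificateSHA1Hash)"

# 1. Build the chain with online revocation checking. A host with no route to the
#    CDP (or no name resolution for it) fails here even though the cert is valid.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($cert)
if (-not $chainOk) {
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("Chain: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}

# 2. Name resolution and TCP reachability to the CDP, checked separately so the
#    report says which of the two is missing (hosts entry vs firewall rule).
$cdp = [Uri]$CdpUrl
$dns = Resolve-DnsName -Name $cdp.Host -ErrorAction SilentlyContinue
$tcp = Test-NetConnection -ComputerName $cdp.Host -Port $cdp.Port -WarningAction SilentlyContinue

# 3. Expiry. Manual enrollment means nothing renews this cert automatically.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

$report = [pscustomobject]@{
    Subject      = $cert.Subject
    Thumbprint   = $cert.Thumbprint
    ChainBuilds  = $chainOk
    CdpHost      = $cdp.Host
    CdpResolves  = [bool]$dns
    CdpReachable = $tcp.TcpTestSucceeded
    DaysToExpiry = $daysLeft
}
$report

# Log a warning to the Application log when renewal is due or the chain is broken,
# so the condition is visible to whatever collects event logs from this host.
New-EventLog -LogName Application -Source $Source -ErrorAction SilentlyContinue
if ($daysLeft -le $RenewWarningDays -or -not $chainOk) {
    Write-EventLog -LogName Application -Source $Source -EntryType Warning -EventId 1001 `
        -Message ("RDP certificate {0} expires in {1} days; chain builds: {2}; CDP {3} reachable: {4}" -f `
            $cert.Thumbprint, $daysLeft, $chainOk, $cdp.Host, $tcp.TcpTestSucceeded)
}

# Run this weekly as a scheduled task so the reminder does not depend on memory.
# (Register once; the task re-runs this same script from the path given.)
$scriptPath = "C:\Scripts\Check-RdpCert.ps1"   # assumed location of this file
$action  = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 07:00
if (-not (Get-ScheduledTask -TaskName $Source -ErrorAction SilentlyContinue)) {
    Register-ScheduledTask -TaskName $Source -Action $action -Trigger $trigger `
        -User "NT AUTHORITY\SYSTEM" -RunLevel Highest | Out-Null
}
```

If `CdpResolves` is false but you intend to keep the host isolated, the thread's alternative applies: copy the CRL to the server on a schedule and import it with `certutil -addstore CA <file>.crl`, accepting that a stale CRL means revocation of the RDP certificate is not noticed until the next copy.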
