There are self-signed certificates on the DCs

Mohd Arif 926 Reputation points
2022-05-10T04:43:33.747+00:00

We are using Tenable for vulnerability testing. It is reporting a self-signed certificate on all the domain controllers. So I had deleted the self-signed certificate from the "Remote Desktop" certificate store, but now it is re-appearing automatically. So please, how could I remove the self-signed cert from the DC?

Tags: Windows Server, Active Directory, Microsoft Entra

Accepted answer
  1. Gary Reynolds 9,406 Reputation points
    2022-05-12T04:36:02.277+00:00

    Hi @Mohd Arif

    OK, you want to use a certificate issued by your local PKI rather than the self-signed certificate that is generated by the server.

    You will need to create a new certificate template that includes the RDP authentication OID and then request a certificate based on that template. The details are in the article below.

    https://aventistech.com/2019/08/08/replace-rdp-default-self-sign-certificate/

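The accepted answer covers issuing the certificate; the step that actually stops the self-signed certificate from being presented is binding the RDP-Tcp listener to the PKI-issued one. The script below is an added example for this thread (not the original poster's code and not from the linked article). It assumes it runs elevated on the DC, that a certificate from a template carrying the Remote Desktop Authentication EKU has already been enrolled into the computer's Personal store, and that the issuer name fragment `Contoso Issuing CA` is a placeholder to be replaced with your CA's name. The `Win32_TSGeneralSetting` class, its `SSLCertificateSHA1Hash` property and the EKU OIDs are real; everything else named in the script is an assumption for the example.

```powershell
# Added example for this thread (not the original poster's code and not from the linked
# article). Binds the RDP-Tcp listener to a certificate issued by the internal PKI so the
# listener stops presenting the self-signed certificate TermService creates on its own.
# Assumptions: runs elevated on the DC; the PKI certificate is already enrolled into
# Cert:\LocalMachine\My from a template with the Remote Desktop Authentication EKU;
# the issuer name fragment below is a placeholder. Use -WhatIf to preview the change.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$IssuerMatch = 'Contoso Issuing CA',    # placeholder; adjust to your CA's name
    [string[]]$AcceptedEku = @(
        '1.3.6.1.4.1.311.54.1.2',                   # Remote Desktop Authentication
        '1.3.6.1.5.5.7.3.1'                         # Server Authentication (also accepted by RDP)
    )
)

$ErrorActionPreference = 'Stop'
$tsNamespace = 'root\cimv2\TerminalServices'
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$fqdn = "$($cs.DNSHostName).$($cs.Domain)"

# 1. What the listener presents today. SSLCertificateSHA1Hash is the thumbprint RDP
#    looks up in the computer's certificate stores; with no usable binding, TermService
#    falls back to a self-signed certificate it generates itself, which is why deleting
#    that certificate from the "Remote Desktop" store does not stick.
$listener = Get-CimInstance -Namespace $tsNamespace -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
$current = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' |
    Where-Object Thumbprint -eq $listener.SSLCertificateSHA1Hash | Select-Object -First 1
if ($current) {
    Write-Host ("Current RDP certificate: {0} (issuer {1}, self-signed: {2})" -f
        $current.Thumbprint, $current.Issuer, ($current.Subject -eq $current.Issuer))
} else {
    Write-Host "Current RDP certificate: none configured (listener uses its self-signed fallback)"
}

# 2. Choose the PKI certificate: private key present, not expired, issued by our CA,
#    carries an accepted EKU, and names this host so a scanner sees no name mismatch.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $c = $_
    $c.HasPrivateKey -and
    $c.NotAfter -gt (Get-Date) -and
    $c.Issuer -like "*$IssuerMatch*" -and
    ($c.EnhancedKeyUsageList.ObjectId | Where-Object { $AcceptedEku -contains $_ }) -and
    ($c.DnsNameList.Unicode -contains $fqdn)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No certificate in Cert:\LocalMachine\My matches issuer '*$IssuerMatch*', EKU $($AcceptedEku -join '/') and name $fqdn"
}

# 3. TermService runs as NETWORK SERVICE and must be able to read the private key.
#    A certificate that matches above but whose key NETWORK SERVICE cannot read makes
#    the listener fall back to the self-signed certificate again after a restart.
#    (Auto-enrolled machine certificates normally already grant this.)

if ($cert.Thumbprint -eq $listener.SSLCertificateSHA1Hash) {
    Write-Host "Listener already bound to $($cert.Thumbprint); nothing to do."
    return
}

# 4. Bind the listener to the PKI certificate and re-read the setting to confirm.
if ($PSCmdlet.ShouldProcess("RDP-Tcp listener", "bind certificate $($cert.Thumbprint)")) {
    $listener | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }
    $after = Get-CimInstance -Namespace $tsNamespace -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
    if ($after.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
        throw "Binding did not apply; listener still reports $($after.SSLCertificateSHA1Hash)"
    }
    Write-Host "RDP-Tcp now presents $($cert.Subject) ($($cert.Thumbprint)), expires $($cert.NotAfter)"
}
```

Run it once per domain controller, then rescan port 3389: the scanner only sees the certificate the listener presents, so whatever remains in the "Remote Desktop" store no longer matters to the finding. To avoid doing this by hand on every DC, the Group Policy setting Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > "Server authentication certificate template" makes TermService enroll from the named template and bind the result itself, which is the approach the linked article builds on.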

3 additional answers

  1. Gary Reynolds 9,406 Reputation points
    2022-05-10T11:11:21.753+00:00

    Hi @Mohd Arif

    The certificate will be in either the personal certificate store of the computer or in the active directory service store.

    Gary.


  2. Limitless Technology 39,506 Reputation points
    2022-05-11T07:42:18.073+00:00

    Hi MohdArif-3014,

    Please try the following procedure:

    Start the Microsoft Management Console at the Metasys server or SCT computer by typing mmc in the Search bar and pressing Enter. The Microsoft Management Console screen appears.

    Click File > Add/Remove Snap-ins. The Add or Remove Snap-ins screen appears.

    Under the Available snap-ins list, select Certificates and click Add. The Certificate Snap-in screen appears.

    Select Computer account and click Next. The Select Computer screen appears.

    Click Local computer and click Finish. The Add or Remove Snap-ins screen appears, listing the Certificates snap-in.

    In the Add or Remove Snap-ins window, click Add again. The Certificate Snap-in screen appears again. This time, click My user account > Next > Finish. The Add or Remove Snap-ins screen appears showing the two snap-ins you just added.

    Click OK. The Microsoft Management Console window appears with the Certificates snap-in.

    Expand Trusted Root Certification Authorities. Look for a certificate that matches the old name of the computer. Several identical certificates may be listed. In this example, three certificates for the computer called ADS-WIN10 are listed.

    Select trusted certificates with the old computer name and click the Delete button or select Action > Delete. The trusted certificates are removed. The next step is to remove personal certificates.

    Expand Personal. Look for a certificate that matches the old name of the computer. Several identical certificates may be listed.

    Select personal certificates with the old computer name and click the Delete button or select Action > Delete.

    Close the Microsoft Management Console, optionally saving the Console settings.


    --If the reply is helpful, please Upvote and Accept as answer--

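The MMC steps above can be done in PowerShell so the list of matching certificates is reviewed before anything is deleted. The script below is an added example, not part of the answer above. It walks the same four stores the two snap-ins expose (Trusted Root and Personal for the computer account and the current user), assumes the stale certificates carry the old computer name in their Subject, and uses `OLD-HOSTNAME` as a placeholder. Without `-Remove` it only reports. Note that, like the MMC procedure, it touches the Root and Personal stores and not the "Remote Desktop" store the question is about.

```powershell
# Added example, not from the answer above: the MMC clean-up steps done in PowerShell so
# the candidates can be reviewed first. OLD-HOSTNAME is a placeholder for the old
# computer name. Without -Remove the script only lists what it found.

[CmdletBinding()]
param(
    [string]$OldName = 'OLD-HOSTNAME',
    [switch]$Remove
)

$stores = @(
    'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My',   # "Computer account" snap-in
    'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\My'     # "My user account" snap-in
)

# Match CN=<old name> as a whole RDN, so OLD-HOSTNAME does not also match OLD-HOSTNAME2.
$pattern = '(^|,\s*)CN=' + [regex]::Escape($OldName) + '(,|$)'

$stale = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object { $_.Subject -match $pattern } | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            SelfSigned = ($_.Subject -eq $_.Issuer)
            Path       = $_.PSPath
        }
    }
}

if (-not $stale) {
    Write-Host "No certificates with CN=$OldName found in the Root or Personal stores."
    return
}

$stale | Format-Table Store, Subject, Issuer, Thumbprint, NotAfter, SelfSigned -AutoSize

if ($Remove) {
    foreach ($c in $stale) {
        # Removing a self-signed certificate from Trusted Root withdraws trust from it;
        # if a service still presents that certificate, clients will see trust warnings
        # until the service is re-pointed at a CA-issued certificate.
        Remove-Item -Path $c.Path -Confirm:$false
        Write-Host "Removed $($c.Thumbprint) from $($c.Store)"
    }
}
```

Review the table, in particular the `SelfSigned` and `Issuer` columns, before re-running with `-Remove`; a certificate issued by your internal CA for the old name is simply stale, whereas a self-signed copy in Trusted Root may still be what some service is presenting.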

  3. Mohd Arif 926 Reputation points
    2022-05-12T04:13:18.83+00:00

    Maybe I could not express my requirement properly here. What I wanted to say is that the self-signed certificate is in the "Remote Desktop" store. I had deleted the self-signed certificate and copied in the cert issued by our internal PKI, but the self-signed one re-appeared again.
    [attached screenshot: 201209-image.png]
