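#!/bin/bash
# Usage:
# This script sets up SSL certificates for Windows Remote Desktop Protocol (RDP).
#
# Prerequisites:
# - Must be run on Windows with Cygwin, Git Bash, or similar
# - OpenSSL must be installed
# - Administrator privileges required
#
# Required files:
# - tls.crt: Your SSL certificate file
# - tls.key: Your SSL private key file
#
# The script will:
# 1. Combine the certificate and key into a PFX file
# 2. Import the certificate into Windows certificate store
# 3. Configure RDP to use the imported certificate
#
# Usage:
# ./setup-rdp-cert.sh
#
# Note: Make sure tls.crt and tls.key are in the same directory as the script.
# The generated tls.pfx (private key protected only by an empty password) is
# left in the working directory after the import; delete it if it is not needed.
#
# by @allex_wang
# GistID: 680e38b1236fd286868e9c29723054d2
# GistURL: https://gist.github.com/680e38b1236fd286868e9c29723054d2

# pipefail: a failing openssl inside the thumbprint pipeline must not be masked
# by the trailing text filters.
set -ueo pipefail

# Define paths to your certificate and key files
readonly CERT_FILE="./tls.crt"
readonly KEY_FILE="./tls.key"
readonly PFX_FILE="./tls.pfx"
readonly PASSWORD=""

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless running under a Windows POSIX layer (Cygwin, MinGW/Git Bash, MSYS).
# uname is queried once instead of once per pattern.
#######################################
require_windows() {
  local os
  os=$(uname -s)
  case "$os" in
    *CYGWIN* | *MINGW* | *MSYS*) ;;
    *) die "This script is intended to be run on Windows with Cygwin, Git Bash, or similar." ;;
  esac
}

#######################################
# Step 1: bundle certificate and private key into a single PFX file.
# Arguments: $1 - cert path, $2 - key path, $3 - output PFX path, $4 - PFX password
#######################################
create_pfx() {
  local cert=$1 key=$2 pfx=$3 password=$4
  # `|| die` instead of a `$?` check: under `set -e` a failing command would
  # exit before any post-hoc `$?` test runs, so the message would never print.
  openssl pkcs12 -export -out "$pfx" -inkey "$key" -in "$cert" -password "pass:$password" \
    || die "Failed to create PFX file."
}

#######################################
# Step 2: import the PFX into the Windows "My" (Personal) certificate store.
# -f overwrites an existing entry; NoProtect skips strong private key
# protection so the key is usable without an interactive prompt.
# The leading `echo` feeds an empty line to certutil's password prompt.
# The store can be inspected with certlm.msc.
# Arguments: $1 - PFX path
#######################################
import_pfx() {
  local pfx=$1
  echo | certutil -f -importPFX My "$pfx" NoProtect \
    || die "Failed to import certificate into Windows store."
}

#######################################
# Print the SHA-1 thumbprint of the certificate as 40 lowercase hex digits.
# openssl x509 reads the first certificate in the file, i.e. the leaf when
# tls.crt holds a chain.
# Arguments: $1 - cert path
# Outputs:   thumbprint on stdout
# Returns:   1 if openssl fails or the result is not a 40-digit hex string
#######################################
extract_thumbprint() {
  local cert=$1 fp
  # Request SHA-1 explicitly (SSLCertificateSHA1Hash expects it) instead of
  # relying on the default digest, and strip everything up to '=' so the label's
  # spelling/case ("SHA1 Fingerprint=" vs "sha1 Fingerprint=") no longer matters.
  fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha1) || return 1
  fp=${fp#*=}
  fp=${fp//:/}
  fp=$(tr '[:upper:]' '[:lower:]' <<<"$fp")
  # A label that failed to strip used to slip through the old -z check; reject
  # anything that is not exactly a SHA-1 hex digest.
  [[ "$fp" =~ ^[0-9a-f]{40}$ ]] || return 1
  printf '%s\n' "$fp"
}

#######################################
# Step 3: point the RDP-Tcp listener at the imported certificate via WMI.
# Equivalent forms, kept for reference:
#   reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -v SSLCertificateSHA1Hash -t REG_BINARY -d <THUMBPRINT> -f
#   $path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
#   Set-WmiInstance -Path $path -argument @{ SSLCertificateSHA1Hash="<THUMBPRINT>" }
# wmic is deprecated on recent Windows releases; the PowerShell form above is
# the fallback where it is absent.
# Arguments: $1 - thumbprint (40 lowercase hex digits)
#######################################
configure_rdp() {
  local thumbprint=$1
  # Single-quoted so wmic receives the literal \\root\cimv2\terminalservices.
  wmic '/namespace:\\root\cimv2\terminalservices' PATH Win32_TSGeneralSetting \
    Set SSLCertificateSHA1Hash="$thumbprint" \
    || die "Failed to set RDP certificate."
}

#######################################
# Entry point: validate the environment and inputs, then run steps 1-3.
# Globals: CERT_FILE, KEY_FILE, PFX_FILE, PASSWORD (read)
#######################################
main() {
  require_windows

  # Ensure the paths are correct and files exist
  [[ -f "$CERT_FILE" && -f "$KEY_FILE" ]] || die "Certificate or key file not found."

  create_pfx "$CERT_FILE" "$KEY_FILE" "$PFX_FILE" "$PASSWORD"
  import_pfx "$PFX_FILE"

  local thumbprint
  thumbprint=$(extract_thumbprint "$CERT_FILE") || die "Failed to extract certificate thumbprint."
  configure_rdp "$thumbprint"

  echo "Certificate is set up successfully for RDP."
  echo
  echo "Please restart the Terminal Services for changes to take effect by running powershell commands:"
  echo "Restart-Service -Name SessionEnv"
  echo "Restart-Service -Name TermService -Force"
}

main "$@"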