
Certificates

Import a PFX into the machine's personal (My) store. The trailing NoRoot modifier stops certutil from also placing any self-signed certificate found in the PFX chain into Trusted Root Certification Authorities; a machine should only trust the roots you deliberately publish. Note that the PFX password is visible on the command line and in the startup script, and anything in SYSVOL is readable by every domain user, so protect the PFX with a strong password and rotate it if it is exposed.

certutil -f -p certificatepassword -importpfx "\\dc.company.com\sysvol\DEV.company.com\Policies\{GUID}\Machine\Scripts\Startup\wildcard_company_net_sha-2.pfx" NoRoot

Import company Root CA certificate to Active Directory

Domain-joined machines most likely already have a copy of your Root Certification Authority's self-signed certificate.

If your root CA is an Enterprise Root CA, it publishes its certificate to Active Directory automatically (Certification Authorities and NTAuth containers under Configuration\Services\Public Key Services). Domain-joined machines download those certificates into their local Trusted Root store during autoenrollment, which runs as part of Group Policy processing.

For a Standalone Root CA (typically kept offline) nothing is published automatically: either distribute the Root/Intermediate certificates with Group Policy, or publish them with certutil -dspublish from a domain-joined machine. For a certificate the second argument is the target container (RootCA, SubCA, NTAuthCA, ...); for a CRL it is the CDP container name, normally the CA's host name. -f creates the AD object if it does not exist yet.

certutil -f -dspublish "c:\certs\rootca.crl" RootCA
certutil -f -dspublish "c:\certs\rootca.crt" RootCA
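The publish-and-verify sequence above, as an added example that is not part of the original notes: it publishes the root certificate and CRL, reads the Certification Authorities container back over LDAP and compares thumbprints, then forces a policy refresh and checks the local Root store. The file paths are assumptions; run it elevated with Enterprise Admin rights for the publish step.

```powershell
# Added example (not from the original notes): publish a standalone root CA's
# certificate and CRL to AD, then verify the certificate is in the forest's
# Certification Authorities container and, after a policy pulse, in the local
# machine Root store. File paths are assumptions.
param(
    [string]$CertFile = 'C:\certs\rootca.crt',
    [string]$CrlFile  = 'C:\certs\rootca.crl'
)

# 1. Publish. RootCA = Certification Authorities container (forest-wide trusted root).
#    For the CRL the CDP container/object names are derived from the CRL itself
#    when no extra argument is given.
certutil -f -dspublish $CertFile RootCA
certutil -f -dspublish $CrlFile

# 2. Read back what AD holds. cACertificate is a multi-valued DER-encoded attribute.
$local       = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertFile)
$configNC    = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$caContainer = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"

$published = foreach ($obj in $caContainer.Children) {
    foreach ($der in $obj.Properties['cACertificate']) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    }
}

$match = $published | Where-Object Thumbprint -eq $local.Thumbprint
if (-not $match) { throw "Root cert $($local.Thumbprint) not found in the Certification Authorities container" }
"Published in AD : $($match.Subject) ($($match.Thumbprint))"

# 3. Domain members pick the root up on their next Group Policy / autoenrollment
#    cycle; force that here and confirm it reached Cert:\LocalMachine\Root.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $local.Thumbprint
if ($inRoot) { 'Trusted locally : yes' }
else { Write-Warning 'Not yet in Cert:\LocalMachine\Root; check again after the next policy refresh' }
```

Comparing thumbprints rather than subject names matters here: a renewed root with the same subject but a new key is a different object in the container, and clients will only trust the copy that is actually published.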

Create self-signed wildcard certificate

makecert is deprecated and only ships with older SDKs; New-SelfSignedCertificate (PowerShell, Windows 8 / Server 2012 and later) is the replacement. The makecert line below writes the certificate and its private key into the machine Root store (-ss Root), which makes this machine trust it but also leaves a private key inside the trusted-root store; use -ss My and trust the certificate separately unless that is what you want. The subject must be quoted as a whole ("CN=*.company.net"), and -eku 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU.

makecert -r -pe -e 01/12/2026 -eku 1.3.6.1.5.5.7.3.1 -sr LocalMachine -ss Root -n "CN=*.company.net" -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -a sha512 -len 2048
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName *.company.com
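The full create, export and import round trip (the makecert options expressed with New-SelfSignedCertificate, then the PFX import from the first section with a check that nothing landed in Trusted Root), as an added example that is not from the original notes. The DNS name, file path, lifetime and password are assumptions.

```powershell
# Added example, not part of the original notes: New-SelfSignedCertificate
# equivalent of the makecert line above, export to PFX, import of that PFX into
# a machine's personal store, and a check that the Trusted Root store was not
# touched. DNS name, paths, lifetime and password are assumptions.
$dnsName = '*.company.com'
$pfxPath = 'C:\certs\wildcard_company_com.pfx'
$pfxPass = ConvertTo-SecureString 'certificatepassword' -AsPlainText -Force

# 1. Create: RSA 2048, SHA-256, Server Authentication EKU (same OID as makecert -eku),
#    stored in LocalMachine\My. The Provider line keeps the key in the legacy CSP
#    (RSA\MachineKeys); remove it to use the default CNG key storage provider.
$params = @{
    Type              = 'Custom'
    Subject           = "CN=$dnsName"
    DnsName           = $dnsName
    CertStoreLocation = 'Cert:\LocalMachine\My'
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    HashAlgorithm     = 'SHA256'
    KeyExportPolicy   = 'Exportable'
    KeyUsage          = 'DigitalSignature', 'KeyEncipherment'
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')
    Provider          = 'Microsoft RSA SChannel Cryptographic Provider'
    NotAfter          = (Get-Date).AddYears(2)
}
$cert = New-SelfSignedCertificate @params
"Created $($cert.Subject) thumbprint $($cert.Thumbprint)"

# 2. Export certificate plus private key. The PFX is only as safe as its password
#    and its location (a copy in SYSVOL is readable by every domain user).
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null

# 3. On the target machine: import into My, never into Root.
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPass

# 4. Verify the import landed only where intended. A self-signed cert that also
#    ends up in Root is trusted on this machine for anything its EKU allows.
$inMy   = Get-ChildItem Cert:\LocalMachine\My   | Where-Object Thumbprint -eq $imported.Thumbprint
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $imported.Thumbprint
if (-not $inMy) { throw 'Import failed: certificate not found in LocalMachine\My' }
if ($inRoot) {
    Write-Warning "Thumbprint $($imported.Thumbprint) is also in Trusted Root; remove it unless this machine is meant to trust it"
} else {
    "OK: certificate is in My only; private key present: $($inMy.HasPrivateKey)"
}
```

Step 4 is the PowerShell counterpart of certutil's NoRoot modifier: the check is what tells you the trust boundary was respected, whichever tool did the import.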

Certificate private key storage

Windows stores legacy CryptoAPI (CSP) machine private keys as files under "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"; keys created by a CNG key storage provider live under "C:\ProgramData\Microsoft\Crypto\Keys" instead.

The Remote Desktop self-signed certificate's key file is named f686aace6942fb7f7ceb231212eef4a4_<machine-specific GUID>.

Check the rights on the key file with icacls

icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_8aca35f8-0cda-43d3-a387-4fa4bc8b514c

  • Take ownership (only if the previous command returned Access is denied; this changes the file's owner to your account or Administrators, so set the ACL back to what the service needs afterwards)
takeown /F C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_8aca35f8-0cda-43d3-a387-4fa4bc8b514c
  • Grant access rights to the private key file: the service account that uses the key gets read only, SYSTEM gets full control
icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_8aca35f8-0cda-43d3-a387-4fa4bc8b514c /grant "NT AUTHORITY\NETWORK SERVICE":(R)
icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_8aca35f8-0cda-43d3-a387-4fa4bc8b514c /grant "NT AUTHORITY\SYSTEM":(F)
icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_8aca35f8-0cda-43d3-a387-4fa4bc8b514c /grant "BUILTIN\Administrators":(R)
  • Folder rights could also be granted, but avoid it: the default MachineKeys ACL gives Everyone only the limited rights needed to create its own key containers, and Everyone:(R,W) on the folder lets any local user list every machine key container name and write into the folder. Each key file keeps its own ACL, so grant the specific account on the specific file as above instead.
icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /grant "Everyone":(R,W)
icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /grant "Administrators":F /t
  • The Remote Desktop self-signed certificate thumbprint is recorded in the registry; a custom RDP certificate is referenced by the SSLCertificateSHA1Hash value (REG_BINARY) under the RDP-Tcp key instead
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\SelfSignedCertificate
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SSLCertificateSHA1Hash
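The key-file lookup, ACL check and single-file grant from this section, plus the registry thumbprint comparison, as an added example that is not part of the original notes. It resolves the key file from the certificate itself (CSP keys under RSA\MachineKeys, CNG keys under Crypto\Keys) instead of guessing the f686aace... name, and grants read on that one file only. The defaults (Remote Desktop store, NETWORK SERVICE) and the assumption that the SelfSignedCertificate value holds raw SHA-1 thumbprint bytes are mine.

```powershell
# Added example, not part of the original notes: locate the on-disk private key
# file behind a certificate, show its ACL, and grant one account read access to
# that single file. Defaults assume the Remote Desktop self-signed certificate
# and NETWORK SERVICE; both are parameters. Run elevated; if Get-Acl/Set-Acl is
# denied, take ownership of the file first as in the notes above.
param(
    [string]$StorePath  = 'Cert:\LocalMachine\Remote Desktop',
    [string]$Thumbprint = '',            # empty: first certificate in the store
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE'
)

$cspRoot = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'  # CryptoAPI (CSP) keys
$cngRoot = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'             # CNG machine keys

function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { throw "No private key for $($Cert.Thumbprint)" }
    # Legacy CSP key: the container's unique name is the file name (f686aace..._<guid> for RDP)
    if ($Cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return Join-Path $cspRoot $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    }
    # CNG key: RSACng exposes the CngKey, whose UniqueName is the file name under Crypto\Keys
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path $cngRoot $rsa.Key.UniqueName
    }
    throw "Unsupported private key type for $($Cert.Thumbprint)"
}

$cert = if ($Thumbprint) { Get-Item "$StorePath\$Thumbprint" }
        else             { Get-ChildItem $StorePath | Select-Object -First 1 }
$keyFile = Get-PrivateKeyFile -Cert $cert
"Certificate : $($cert.Subject)  ($($cert.Thumbprint))"
"Key file    : $keyFile"
if (-not (Test-Path $keyFile)) { throw "Key file not found on disk: $keyFile" }

# Current ACL: the same information the icacls check in the notes prints
(Get-Acl $keyFile).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Grant read on this one file only; the MachineKeys folder ACL stays untouched
$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
"Granted Read on key file to $Account"

# Compare the store certificate with the thumbprint RDP recorded in the registry.
# Assumption: the SelfSignedCertificate value holds the raw SHA-1 thumbprint bytes.
$ws = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$recorded = (Get-ItemProperty -Path $ws -Name SelfSignedCertificate -ErrorAction SilentlyContinue).SelfSignedCertificate
if ($recorded) {
    $hex = ($recorded | ForEach-Object { $_.ToString('X2') }) -join ''
    "Registry SelfSignedCertificate: $hex  (matches store cert: $($hex -eq $cert.Thumbprint))"
}
```

The same script works for any certificate with a machine private key by changing -StorePath and -Thumbprint (for example Cert:\LocalMachine\My and the wildcard certificate from the earlier sections), which is the general case of the RDP-specific icacls lines above.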