Using SSL Certificates with Remote Desktop

远程桌面默认的证书是自签的，会报证书错误，为了安全起见使用CA签的证书。
去腾讯云TrustAsia弄个一年的免费证书，然后下载。因为windows不能识别这玩意，需要先转换成p12格式。
openssl是git自带的

openssl pkcs12 -export -clcerts -in [xxx.pem] -inkey [xxx.key] -out [xxx.p12]

把.p12文件拷到服务器，然后导入，并记下证书指纹。

还需要将导入后的密钥设置权限，添加NETWORK SERVICE用户的Read（读）权限。

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<指纹>" 。

重启远程桌面服务，当你重新连接的时候你就会在上面的连接栏看到一把锁的图案，并且没有证书错误提示了。

net stop termservice && net start termservice

The default certificate for Remote Desktop is self-signed, which results in certificate errors. For security reasons, it is advisable to use a CA-signed certificate.
Go to Tencent Cloud TrustAsia to obtain a free one-year certificate and download it. Since Windows cannot recognize this format, you need to convert it to the p12 format first.
openssl comes bundled with git

openssl pkcs12 -export -clcerts -in [xxx.pem] -inkey [xxx.key] -out [xxx.p12]

Copy the .p12 file to the server, import it, and take note of the certificate thumbprint.

You also need to set permissions for the imported private key by adding Read permission for the NETWORK SERVICE user.

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<thumbprint>" .

Restart the Remote Desktop service. When you reconnect, you will see a lock icon in the connection bar and no certificate error prompts.

net stop termservice && net start termservice