[How-to] Install custom certificate on RDSH Server

So, the release of Windows Server 2012 has removed a lot of the old Remote Desktop related configuration utilities. There is no more Remote Desktop Session Host Configuration utility that gave you access to the RDP-Tcp properties dialog that let you configure a custom certificate for the RDSH to use. In its place is a nice new consolidated GUI that is part of the overall “edit deployment properties” workflow in the new Server Manager.

It turns out that much of the configuration data for RDSH is stored in the Win32_TSGeneralSetting class in WMI in the root\cimv2\TerminalServices namespace. The configured certificate for a given connection is referenced by the Thumbprint value of that certificate on a property called SSLCertificateSHA1Hash.

Here’s a generalized PowerShell solution that grabs and sets the thumbprint of the first SSL cert in the computer’s personal store. If your system has multiple certs, you should add a -Filter option to the gci command to make sure you reference the correct certificate.

To get the thumbprint value

  1. Open the properties dialog for your certificate and select the Details tab
  2. Scroll down to the Thumbprint field and copy the space delimited hex string into something like Notepad
  3. Remove all the spaces from the string. You’ll also want to watch out for and remove a non-ascii character that sometimes gets copied just before the first character in the string. It’s not visible in Notepad.
  4. This is the value you need to set in WMI. It should look something like this: 1ea1fd5b25b8c327be2c4e4852263efdb4d16af4.

Now that you have the thumbprint value, here’s a one-liner you can use to set the value using wmic:


Or if PowerShell is your thing, you can use this instead:

Note: the certificate must be in the ‘Personal’ Certificate Store for the Computer account.