After configuring Safeguard for privileged session management (PSM), the following certificate warning is displayed when you open an RDP session through Safeguard:
'Certificate or associated chain is invalid (Code: 0x10000)'
This warning appears because a trusted RDP Signing Certificate has not been uploaded to Safeguard, or because the client computer does not trust the certificate chain that the signing certificate belongs to.
To remove the warning, replace the default RDP Connection Signing Certificate with one issued by a CA that the clients trust.
This solution uses OpenSSL to create a minimal root CA and then signs the CSR that Safeguard generates, so that the resulting RDP Signing Certificate acts as an intermediate CA under that root.
Create CA
1. Generate the key for the CA. The key is written unencrypted: keep it offline with restrictive file permissions, or add -aes256 to protect it with a passphrase.
openssl genrsa -out ca.key 2048
2. Generate the self-signed CA certificate. Without -days the certificate is valid for only 30 days, which is too short for a CA, so set -days explicitly.
openssl req -new -x509 -key ca.key -out ca.crt
3. Verify Certificate is CA
openssl x509 -noout -text < ca.crt
Look for 'X509v3 Basic Constraints' with 'CA:TRUE' in the output. The RDP Signing Certificate signed in the next step must carry the same flag, because Safeguard uses it to issue the per-session certificates.
Create Certificate Signing Request
- Open Safeguard and navigate to Admin Tools | Settings | Certificates | Sessions Certificates
- Select 'Create Certificate Signing Request' under RDP Connection Signing Certificate and download the resulting CSR (safeguardCSR.csr in the command below).
- Sign the CSR with the CA to create the new RDP Signing Certificate as an intermediate CA. The -extensions v3_ca option is what makes the result a CA certificate (CA:TRUE), which is required because it will itself sign the per-session certificates. The config file (~/openssl2.cnf here) must contain the [ca] section that openssl ca needs, including the database (index.txt), the serial file and new_certs_dir.
openssl ca -in safeguardCSR.csr -out safeguardRdpSigningCert.crt -keyfile ca.key -cert ca.crt -config ~/openssl2.cnf -extensions v3_ca
- openssl ca writes a human-readable dump of the certificate before the PEM block unless -notext is given. Edit the new certificate and, if that text is present, remove everything preceding the -----BEGIN CERTIFICATE----- line before uploading the file.
Configure Safeguard
- Add the signed certificate as the RDP Connection Signing Certificate using 'Install Certificates'.
Configure Client
- Add the CA certificate (ca.crt) to the computer (not user) Trusted Root Certification Authorities certificate store.
- Add the intermediate CA (the RDP Signing Certificate) to the computer (not user) Intermediate Certification Authorities certificate store. Both are needed: the root is what the client trusts, and the intermediate is what lets the client build the chain from the per-session certificate up to that root. For more than a handful of clients, distribute both through Group Policy rather than per machine.
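The whole procedure above, as an added example that is not part of the original article or of the Safeguard product, run end to end with OpenSSL so the result can be checked before anything is uploaded. Because the real CSR and its private key are generated inside Safeguard, the script uses a stand-in key and CSR for that step; the working directory, the subject names and any file names not mentioned in the article are assumptions. It also goes one step beyond the article: it issues a throw-away per-session certificate from the signing certificate and verifies it the way a client would, first with only the root trusted and then with the intermediate available, which shows why the client configuration installs both.

```shell
#!/bin/sh
# Added example (not from the article or from Safeguard): the CA workflow end to
# end, plus a client-side chain check. Assumed names: the $DEMO work dir, the
# subjects, and the stand-in key/CSR that replaces the CSR Safeguard generates
# (the real signing key never leaves Safeguard).
set -eu
DEMO="${DEMO:-$(mktemp -d)}"
CNF="$DEMO/openssl.cnf"

# Config with the [ca] plumbing openssl ca needs (database, serial, new_certs_dir)
# and the extension sections used below; this is what ~/openssl2.cnf must provide.
write_config() {
  mkdir -p "$DEMO/newcerts"; : > "$DEMO/index.txt"; echo 1000 > "$DEMO/serial"
  cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $DEMO/index.txt
new_certs_dir = $DEMO/newcerts
serial = $DEMO/serial
certificate = $DEMO/ca.crt
private_key = $DEMO/ca.key
default_md = sha256
default_days = 1825
policy = policy_any
unique_subject = no
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}
# "Create CA": key plus self-signed certificate; -days set explicitly (default is 30).
make_root_ca() {
  openssl genrsa -out "$DEMO/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$CNF" -key "$DEMO/ca.key" \
    -subj "/CN=Example Root CA" -days 3650 -out "$DEMO/ca.crt"
}
# Stand-in for the CSR Safeguard creates under RDP Connection Signing Certificate.
make_stand_in_csr() {
  openssl genrsa -out "$DEMO/rdp.key" 2048 2>/dev/null
  openssl req -new -config "$CNF" -key "$DEMO/rdp.key" \
    -subj "/CN=Safeguard RDP Signing" -out "$DEMO/safeguardCSR.csr"
}
# "Sign CSR": -extensions v3_ca makes the result a CA cert (it must sign per-session
# certs); -notext drops the dump that would precede -----BEGIN CERTIFICATE-----.
sign_as_intermediate() {
  openssl ca -batch -notext -config "$CNF" -extensions v3_ca \
    -keyfile "$DEMO/ca.key" -cert "$DEMO/ca.crt" \
    -in "$DEMO/safeguardCSR.csr" -out "$DEMO/safeguardRdpSigningCert.crt" >/dev/null 2>&1
}
# The article's check: exit 0 if the certificate carries CA:TRUE.
is_ca_cert() { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }
# Simulated "on-the-fly" session certificate issued from the signing certificate.
issue_session_cert() {
  openssl genrsa -out "$DEMO/session.key" 2048 2>/dev/null
  openssl req -new -config "$CNF" -key "$DEMO/session.key" \
    -subj "/CN=target-host.example" -out "$DEMO/session.csr"
  openssl x509 -req -in "$DEMO/session.csr" -days 1 -sha256 -CAcreateserial \
    -CA "$DEMO/safeguardRdpSigningCert.crt" -CAkey "$DEMO/rdp.key" \
    -extfile "$CNF" -extensions v3_leaf -out "$DEMO/session.crt" 2>/dev/null
}
# Client with only the root trusted and no intermediate: the chain cannot be built.
verify_root_only() { openssl verify -CAfile "$DEMO/ca.crt" "$DEMO/session.crt" >/dev/null 2>&1; }
# Client with the root trusted and the intermediate installed: the chain builds.
verify_with_intermediate() {
  openssl verify -CAfile "$DEMO/ca.crt" -untrusted "$DEMO/safeguardRdpSigningCert.crt" \
    "$DEMO/session.crt" >/dev/null 2>&1
}
build_all() {  # idempotent, so it is safe to call again after main has run
  [ -f "$DEMO/session.crt" ] && return 0
  write_config; make_root_ca; make_stand_in_csr; sign_as_intermediate; issue_session_cert
}
main() {
  build_all; printf 'work dir: %s\n' "$DEMO"
  is_ca_cert "$DEMO/safeguardRdpSigningCert.crt" && echo 'signing cert is CA:TRUE'
  verify_root_only || echo 'root only: chain fails (install the intermediate too)'
  verify_with_intermediate && echo 'root + intermediate: chain OK'
}
main
```

Run it with sh; it prints the working directory so the generated ca.crt and safeguardRdpSigningCert.crt can be inspected with the openssl x509 -text check from step 3. The -notext flag in sign_as_intermediate removes the text dump the article tells you to delete by hand, and the embedded config carries the [ca] section (database, serial, new_certs_dir) that ~/openssl2.cnf in the article is assumed to provide.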
Additional Info:
The Safeguard RDP Connection Signing Certificate is used to issue "on-the-fly" certificates that protect the RDP sessions, so each RDP session is secured by a unique certificate that chains up to the signing certificate. This is why the signing certificate must itself be a CA certificate, and why clients need both it and the root that issued it in their certificate stores.