How to Install an ACME SSL Certificate on Remote Desktop Protocol?
A secure Remote Desktop Protocol (RDP) connection requires a valid SSL certificate so that clients can trust the connection without receiving security warnings.
Windows Server uses a self-signed certificate by default, which raises a trust warning on every connection and leaves clients unable to distinguish your server from an impostor, opening the door to a Man-in-the-Middle (MITM) attack.
Issuance of SSL certificates for your RDP service(s) can be automated with the ACME protocol and Win-ACME, including commercial certificates from ACME-capable certificate authorities such as Sectigo or DigiCert that support External Account Binding (EAB).
This blog provides instructions on how to configure an ACME SSL certificate for your Windows Server RDP connection.
Prerequisites
Before you start, you need the following items:
Administrative Access
You need to have administrative rights on the Windows Server either through an existing RDP session or physical access.
A Public Domain Name
To obtain a valid SSL certificate for your domain (for example, rdp.yourdomain.com), the domain name must resolve to the public IP address of your server; check DNS resolution before you start.
Port 80 must be accessible
Port 80 (HTTP) must be reachable from the internet (no firewall rules blocking inbound access) so that the HTTP-01 challenge can complete ACME validation. Port 80 is needed only while the certificate is being validated; RDP itself listens on port 3389.
ACME Credentials from Your CA
If you use a commercial ACME provider, you will need the following information:
- ACME Directory URL
- External Account Binding (EAB) Key ID
- EAB HMAC Key
Once the Certificate Authority (CA) has provided these values, ACME support can be enabled.
Steps for ACME SSL Installation on Remote Desktop Protocol
Step 1: Download and Install Win-ACME
First, download the latest stable release of Win-ACME from its official website.
- Download the .zip package.
- Extract it to a permanent directory, such as C:\Program Files\win-acme\
- Open PowerShell as Administrator.
- Run: & "C:\Program Files\win-acme\wacs.exe"
If the interactive menu appears, the tool is installed correctly.
Step 2: Request and Install the ACME SSL Certificate for RDP
Now you’ll generate the certificate and bind it directly to RDP.
Run the following command in PowerShell (modify with your details):
& "C:\Program Files\win-acme\wacs.exe" `
--target manual `
--host "rdp.yourdomain.com" `
--validation selfhosting `
--store certificatestore `
--installation rdp `
--baseuri "https://your.acme-server.com/directory" `
--eab-key-identifier "YOUR_EAB_KID" `
--eab-key "YOUR_EAB_HMAC_KEY" `
--accepttos
What This Command Does:
- Requests a certificate for the RDP hostname.
- Performs verification using HTTP-01 validation.
- Stores the RDP certificate in the Windows Certificate Store.
- Binds the RDP certificate to the RDP listener.
- Uses your CA's ACME directory and the ACME EAB credentials.
Make sure that port 80 is open and not already in use by another application (such as IIS) before continuing, because the selfhosting validation listener must bind to it.
Step 3: Test the RDP Connection
Once you have installed the new certificate:
- Launch the Remote Desktop application (mstsc.exe).
- Enter your RDP hostname (e.g., rdp.yourdomain.com).
- Connect to that host.
If everything is configured properly, you will connect without any warning about the certificate being untrusted or expired.
Step 4: Check Renewal of Certificate
By default, the win-acme tool creates a scheduled task that renews certificates before they expire.
To check that the renewals are set up correctly, run the command below:
& "C:\Program Files\win-acme\wacs.exe" --list --baseuri "https://your.acme-server.com/directory"
Make sure that:
- The domain you want the certificate for is the correct one.
- The ACME directory URL is the correct one.
- No errors are reported for the renewal.
Automatic renewal will ensure you have constant protection without any manual involvement.
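To confirm Steps 2 to 4 from the server side rather than only by connecting, here is an added PowerShell check (written for this post, not taken from the original or from the win-acme project). It assumes an elevated prompt on the server, the default "RDP-Tcp" listener, the placeholder hostname used above, and that win-acme names its scheduled task starting with "win-acme".

```powershell
# Added verification script; not part of the original post or of win-acme.
# Assumptions: elevated PowerShell on the server after Step 2, default "RDP-Tcp"
# listener, placeholder hostname, and a renewal task whose name begins "win-acme".
param([string]$Hostname = "rdp.yourdomain.com")

# 1. Which certificate is the RDP listener actually presenting? The Terminal Services
#    WMI class records the SHA-1 thumbprint the listener is bound to.
$ts = Get-CimInstance -Namespace "root/cimv2/TerminalServices" `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$boundThumb = $ts.SSLCertificateSHA1Hash

# 2. Locate that certificate. A win-acme certificate lands in LocalMachine\My; the
#    default self-signed certificate lives in the "Remote Desktop" store instead.
$cert = Get-ChildItem Cert:\LocalMachine\My, "Cert:\LocalMachine\Remote Desktop" |
        Where-Object Thumbprint -eq $boundThumb | Select-Object -First 1
if (-not $cert) {
    Write-Warning "Bound thumbprint $boundThumb was not found in the machine stores."
} else {
    $names      = @($cert.DnsNameList.Unicode)
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $daysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    "Listener cert : $($cert.Subject)  (thumbprint $boundThumb)"
    "Issued by     : $($cert.Issuer)"
    "Covers $Hostname : $($names -contains $Hostname)"
    "Self-signed   : $selfSigned"
    "Days to expiry: $daysLeft"
    if ($selfSigned) { Write-Warning "RDP still uses the self-signed certificate; re-run Step 2." }
    if ($names -notcontains $Hostname) { Write-Warning "Certificate does not cover $Hostname." }
    if ($daysLeft -lt 14) { Write-Warning "Certificate expires soon; check the renewal task." }
}

# 3. Port 80 must be free for the next HTTP-01 renewal, because the selfhosting
#    validation plugin opens its own listener on it.
$port80 = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
if ($port80) {
    $owner = (Get-Process -Id $port80[0].OwningProcess).ProcessName
    Write-Warning "Port 80 is already held by '$owner' (PID $($port80[0].OwningProcess))."
} else {
    "Port 80       : free for validation"
}

# 4. Confirm the renewal task exists and report how its last run ended.
$task = Get-ScheduledTask | Where-Object TaskName -like "win-acme*" | Select-Object -First 1
if (-not $task) {
    Write-Warning "No scheduled task starting with 'win-acme' found; renewals will not run."
} else {
    $info = $task | Get-ScheduledTaskInfo
    "Renewal task  : $($task.TaskName) state=$($task.State) lastResult=$($info.LastTaskResult)"
}
```

A non-zero LastTaskResult, a self-signed listener certificate, or a busy port 80 each point at one of the steps above to revisit.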
Conclusion
Whether you are protecting a stand-alone Windows Server or managing numerous remote servers, CheapSSLWEB helps simplify the deployment of trusted certificates while eliminating the hassle of renewing them manually.
Start today by securing your employees' Remote Desktop Protocol sessions, stop showing users certificate errors, and take advantage of automatic management of your SSL certificates from CheapSSLWEB!