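#Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
#Set-ExecutionPolicy -ExecutionPolicy Restricted
# Signs every *.rdp file in $dir with the RD Gateway certificate found in the
# LocalMachine\My store and writes the signed copies to $dir_signed.
# Requires rdpsign.exe on PATH and read access to the machine store.
$cert_cn = "rdg.company.test";
$dir = "C:\Users\puser\Documents\rdpsign\files";
$dir_signed = "C:\Users\puser\Documents\rdpsign\files\signed";

# Get thumbprint for certificate.
# The CN is matched as a whole RDN, not as a bare regex: with a bare
# '-match $cert_cn' the dots would match any character and any subject that
# merely contains the name (e.g. a longer host name) would be accepted too.
# Expired / not-yet-valid certificates are skipped and, if several remain
# (e.g. after a renewal), the one valid longest is used so that $thumbprint
# is always a single string rather than an array.
$cn_pattern = "(^|,\s*)CN=" + [regex]::Escape($cert_cn) + "(,|$)";
$now = Get-Date;
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -match $cn_pattern -and
        $_.NotBefore -le $now -and
        $_.NotAfter -gt $now;
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1;
if (!$cert) {
    Write-Host "Certificate '${cert_cn}' not found (or not currently valid) - exit.";
    return;
}
$thumbprint = $cert.Thumbprint;
Write-Host "Thumbprint for certificate '${cert_cn}': ${thumbprint}";

# GetFiles is non-recursive, so files already in $dir_signed are not picked up.
$files = [System.IO.Directory]::GetFiles($dir, "*.rdp");
if (!$files) {
    Write-Host "No files to sign in '${dir}' directory - exit.";
    return;
}
Write-Host "Files count to sign:" $files.Count;

# Delete and copy files to "signed" folder.
# -Force on New-Item makes the call a no-op when the folder already exists,
# so the first run does not fail on a missing output folder.
New-Item -ItemType Directory -Path $dir_signed -Force | Out-Null;
Get-ChildItem -Path $dir_signed -File | Remove-Item -Force;
Copy-Item -Path $files -Destination $dir_signed;

$files = [System.IO.Directory]::GetFiles($dir_signed, "*.rdp");
foreach ($f in $files) {
    Write-Host "Sign file" $f;
    & rdpsign /sha256 $thumbprint $f;
    # rdpsign is a native tool: a failure is only visible in its exit code,
    # and an unsigned .rdp left in the "signed" folder would otherwise pass
    # unnoticed.
    if ($LASTEXITCODE -ne 0) {
        Write-Host "rdpsign failed for '${f}' (exit code ${LASTEXITCODE}).";
    }
}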
https://github.com/rmbolger/Posh-ACME/blob/main/Tutorial.md
# Install for current user (-Scope CurrentUser: no elevation needed, module
# lands in the user's module path only)
Install-Module -Name Posh-ACME -Scope CurrentUser
# RemoteSigned: locally created scripts run unsigned, downloaded ones must be
# signed; scoped to the current user so the machine-wide policy is untouched
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Import-Module Posh-ACME
# Wildcard name: validated via DNS-01, so a DNS plugin (or manual TXT record)
# is required - see the tutorial linked above
New-PACertificate *.example.com -AcceptTOS -Contact 'admin@example.com'
# The default PFX-password is "poshacme". It is publicly documented, so the
# exported private key is effectively unprotected by it - override it with
# -PfxPass when the PFX leaves this machine (e.g. is copied to the RD host).
Get-PACertificate | fl    # fl = Format-List: shows the cert paths and PFX password
# Renew all orders on the current account
Submit-Renewal -AllOrders
# Renew all orders across all accounts in the current profile
Submit-Renewal -AllAccounts
К имени сервера добавить DNS суффикс. Полное имя сервера должно соответствовать имени в сертификате.
Конвертация сертификата сервера в pfx
# Bundle key + leaf + chain into one PFX; openssl prompts for the export
# password, which then protects the private key inside certificate.pfx.
openssl pkcs12 -export -inkey privkey.pem -in cert.pem -certfile chain.pem -out certificate.pfx
Установить pfx в Personal хранилище локального компьютера, не пользователя.
Просмотр сертификатов в хранилище Personal локального компьютера:
# Lists Thumbprint and Subject of every cert in the machine Personal store.
Get-ChildItem -Path 'Cert:\LocalMachine\My'
Переменная для пути к RD Session Host RDP listener
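# WMI object for the RDP listener. Filtering on the listener name keeps
# $PATH a single object even when more than one terminal is configured;
# without the filter every Win32_TSGeneralSetting instance would be returned.
$PATH = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-Tcp'")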
Установка сертификата, отпечаток см. выше
# 'thumbprint' is a placeholder: put the SHA-1 thumbprint of the certificate
# installed in LocalMachine\My (see the store listing above) here.
Set-WmiInstance -Path $PATH -Arguments @{ SSLCertificateSHA1Hash = 'thumbprint' }