Tag Archives: windows

Common Problems installing a Custom Certificate for RDP

There are a quite a few good guides for configuring your own CA signed certificate for RDP; however, details it’s easy to gloss over and most of the troubleshooting is buried in the comments:

  • Create an RDP certificate with an RSA key. The signing key of the CA does not matter.
  • Create an RDP certificate with the TLS (web) Server EKU, not the Remote Desktop EKU.
  • Add the certificate to the Personal certificate store, not the Remote Desktop certificate store.

Example errors:

Error log when using an RDP certificate with an ECDSA key.

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.
Schannel with an ECDSA certificate

Windows 10 and Remote Desktop 10 on macOS report an Unknown/Invalid EKU.

Unknown Key Usage
Unknown Key Usage on Windows 10

Set-WmiInstance error trying to use a certificate in the Remote Desktop certificate store.

Set-WmiInstance : Invalid parameter

WMIC error trying to use a certificate in the Remote Desktop certificate store.

wmic error: Description = Invalid namespace

Creating a UDF TrueCrypt Volume

I had an old hard drive I wanted to use as a secure, cross platform file transfer device, so I thought of TrueCrypt and UDF. Unfortunately, TrueCrypt for MacOS only supports formatting drives as Mac OS Extended and TrueCrypt for Windows only supports NTFS and FAT32. I ended up using TrueCrypt for Mac OS and the Mac’s command line formatting utility.

  1. Login as an Administrator
  2. Connect the drive you want to protect with TrueCrypt
  3. Open TrueCrypt and create a TrueCrypt Volume like normal, but select "None" when asked to select a filesystem
  4. Wait for the encryption to complete
  5. From TrueCrypt, click the "Select File…" or "Select Device…" to select your newly encrypted volume and click "Mount"
  6. Enter the password and any other authentication credentials required for the Volume. Check "Do not mount" before clicking "OK"TrueCrypt-Mount
  7. Back in the main TrueCrypt window, select the Volume and click "Volume Properties…"
  8. Record the Virtual Device value. In this case "/dev/disk3"TrueCrypt-Properties
  9. Open a Terminal window
  10. Run sudo newfs_udf /dev/disk3 to format the TrueCrypt volume with the UDF filesystem
  11. From now on, the UDF filesystem will automatically be mounted when mounting the TrueCrypt volume on Window or Mac OS

Chrome for Windows CLI Options

If you thought there were a lot of options in chrome://flags, there a ton options available as command line switches. See http://peter.sh/experiments/chromium-command-line-switches/ for a list of the available switches.

If you’re using Google Chrome on Windows, it is pretty easy to launch Chrome with these command line options. This assume you are launching Chrome from your start menu, an icon pinned to your taskbar, or a shortcut you created somewhere else. Note: You must do this for each shortcut you use to launch Chrome.


  1. (taskbar only) Right-click on the Chrome icon
  2. Right-click on your shortcut, in this case "Google Chrome"
  3. Click on "Properties"
  4. In the "Target" field, move the cursor all the way to the right (past chrome.exe) and add the switches you want to use.

    For example, adding --ssl-version-min=tls1 disables SSLv3.0:ChromeWinCmdOpt

Disabling Windows 7 Automatic Root CA Update

Windows comes with a small list of trusted CAs installed but automatically imports CAs as necessary from the Microsoft Windows Update service (Windows 7 Home Premium SP1 64bit for a while, I figure I’d imported all of the CAs I really need I figured I could mitigate the risk of forged certificates (e.g. Iraq/Gmail, Diginotar) by ensuring I don’t import any additional CAs. Sure the CAs I already trust could be compromised, but this significantly reduces the attack surface.

For Windows 7 Processional and Ultimate, Microsoft provides instructions for disabling Automatic Root Certificates Update using the Group Policy Editor; however, the Group Policy Editor cannot be installed on Windows 7 Starter and Home editions. If you have Windows 7 Starter or Home, or don’t want to deal with the Group Policy Editor, a simple registry update will turn Automatic Root Certificates Update off or on.

Note: You must be an Administrator to make any of these changes, and if you have a Group Policy set for Automatic Root Certificates Update, it will overwrite your registry changes.

I’ve created three .reg files you can download, and open to automatically update the correct registry keys:

  • Disable.reg (view) – this disables Automatic Root Certificates Update.
  • Enable.reg (view) – this disables Automatic Root Certificates Update.
  • Remove.reg (view) – this removes the registry entry effectively enabling Automatic Root Certificates Update.

Note: You will most likely receive security warnings downloading and opening these files. If you want to be safe, open the files in a text editor and double check the contents.

If you would rather directly edit your registry, do the following:

  1. Start regedit by clicking the Start menu, entering “regedit” in the search field, and pressing <enter>.
  2. Expand HKEY_LOCAL_MACHINE/Software/Policies/Microsoft/SystemCertificates/AuthRoot
  3. Right-click on AuthRoot and select New -> DWORD (32-bit) Value
  4. Enter name: DisableRootAutoUpdate
  5. Double-click on DisableRootAutoUpdate
  6. Set the Value data to 1, click OK, and close regedit.

Deleting DisableRootAutoUpdate or setting it to 0, re-enables downloading new CAs from Microsoft.