
When I connect to an Amazon instance running Windows Server 2003 R2, mstsc says that it can't verify the remote server's identity. Like on this image:

But in my case the certificate name is: i-0e427eaa3f0b7ca11. The issue is not with Amazon infrastructure, is it?

My conjecture is that each Amazon instance gets created from some prearranged image. And that's the reason why I've got to reissue the certificate. I've found instructions on how I do that. But they go basically like this: delete some files, reboot, profit. Is that how one generally reissues a certificate? Would this even solve my problem?

UPD I've discovered the certificate (and a lot of other certificates with similar names) in MMC > Certificates (Local Computer) > Personal > Certificates. On the other, non-Amazon server I see no certificates in this folder. The certificate has the full computer name as a friendly name (but not as a subject). And it's not really clear what makes the server choose this particular certificate. I suppose I can't delete it. It's probably used for some technical reasons by Amazon.

Generally, the question is, what's going on? How is the certificate chosen? How can I influence it? Who does that? When there are no certificates in the Personal folder, is a non-TLS connection established?

x-yuri

1 Answer


You have two problems.

  1. The server name doesn't match the name on the certificate.
  2. The certificate is not trusted.

To solve this

  1. You don't have to match the host name of the server; the certificate has to match the DNS name the client is using. If the DNS name changes, get something like DynDNS or a name in your own domain that you can update to the correct IP address. That way the name you use stays the same and you know what name to put into the certificate.

  2. Get your client to trust the certificate. Either create a self-signed certificate and make the client trust it, or get a certificate from letsencrypt or another CA that is already trusted. Or set up your own CA, but that's probably not worth the effort for one server.

Start mmc and add the Remote Desktop Configuration Manager MMC snap-in to select the certificate.

RalfFriedl
  • I've updated the question. As far as I remember I connected using the IP address, and it still complained about an invalid certificate. I can probably add to the store a certificate I've issued, but that doesn't mean it would be used for verifying identity, since it's not really clear why this one is used. There are a lot of other certificates in the same folder. And who chooses the certificate? So the question is basically, how is the certificate chosen, and how can I influence this. Briefly, what's going on? What are all these certificates for? – x-yuri Aug 02 '18 at 19:22
  • ...On the other non-Amazon server I see no certificates that could be used for verifying identity. Does that mean no certificate is used when connecting to that other server? – x-yuri Aug 02 '18 at 19:25
  • Your picture shows Requested Computer Name to be "*.com". An IP address is also different from the name "*.local" on the certificate. Use mmc to select the certificate (see edit). – RalfFriedl Aug 02 '18 at 19:50
  • That's the picture from the internet. I have non-English edition of Windows there. The only two differences are requested remote computer, and name in the certificate. Let me quote myself, "But in my case the certificate name is: i-0e427eaa3f0b7ca11." Not something.local. Sorry if I wasn't clear enough. – x-yuri Aug 02 '18 at 19:58
  • It doesn't matter, i-0e427eaa3f0b7ca11 is not the name you use to connect to the RDP server. More important is whether you get both the errors in the picture. – RalfFriedl Aug 02 '18 at 20:14
  • I get both. In my case it's the Terminal Services Configuration snap-in. There I can open Connections > RDP-Tcp > Properties and choose another certificate. That settles it. Thanks a lot. – x-yuri Aug 02 '18 at 20:28
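The answer's two fixes (a certificate whose name matches what the client types into mstsc, and a client that trusts it) plus the final comment's step of picking the certificate on the RDP-Tcp listener can be done from a script instead of the snap-in. The following is an added example, not code from the answer or the asker: it reads the thumbprint the RDP-Tcp listener currently presents, checks the machine store for a certificate covering the client-facing name, mints a self-signed one if none exists, binds it to the listener, and exports the public half for the client's trusted root store. It assumes PowerShell on Windows Server 2012 or later (for New-SelfSignedCertificate and Export-Certificate), an elevated session, and the root\cimv2\TerminalServices WMI namespace; the host name rdp.example.internal is a constructed placeholder.

```powershell
# Added example (not from the original answer): script the equivalent of
# Terminal Services Configuration > Connections > RDP-Tcp > Properties.
# Assumptions: elevated PowerShell on Windows Server 2012+, WMI namespace
# root\cimv2\TerminalServices present. Run on the RDP server itself.

# The name the CLIENT types into mstsc. The certificate must match this name,
# not the server's own computer name. (Constructed placeholder.)
$ClientFacingName = 'rdp.example.internal'

# 1. Which certificate does the RDP-Tcp listener present right now?
#    The listener stores the SHA-1 thumbprint of the certificate it uses.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class 'Win32_TSGeneralSetting' -Filter "TerminalName='RDP-Tcp'"
$currentHash = $listener.SSLCertificateSHA1Hash
$current = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $currentHash }
if ($current) {
    "Listener currently presents: $($current.Subject) (thumbprint $currentHash)"
} else {
    "Listener thumbprint $currentHash not found in Cert:\LocalMachine\My"
}

# 2. Does a certificate in the machine store already cover the client-facing
#    name? Check the Subject CN and every DNS entry in the SAN extension
#    (OID 2.5.29.17). Format() output is locale-dependent; 'DNS Name=' is the
#    en-US rendering.
function Test-CertMatchesName {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Name
    )
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') |
            ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
    }
    return [bool]($names | Where-Object { $_ -ieq $Name })
}

$candidate = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Test-CertMatchesName -Cert $_ -Name $ClientFacingName) } |
    Select-Object -First 1

# 3. No match: mint a self-signed certificate for exactly that name.
#    (For a name the client already trusts, replace this with a CA-issued
#    certificate imported into Cert:\LocalMachine\My.)
if (-not $candidate) {
    $candidate = New-SelfSignedCertificate -DnsName $ClientFacingName `
        -CertStoreLocation 'Cert:\LocalMachine\My'
    "Created self-signed certificate $($candidate.Thumbprint) for $ClientFacingName"
}

# 4. Bind the chosen certificate to the RDP-Tcp listener. This takes effect
#    for new connections. Caveat: the listener runs as NETWORK SERVICE, which
#    needs read access to the private key; grant it via the certificate's
#    "Manage Private Keys" dialog if new connections fail after binding.
Set-WmiInstance -Path $listener.__PATH `
    -Arguments @{ SSLCertificateSHA1Hash = $candidate.Thumbprint } | Out-Null
"Bound $($candidate.Thumbprint) to RDP-Tcp"

# 5. Export the public certificate so the client can add it to its Trusted
#    Root store, which removes the second ("not trusted") warning.
$cerPath = Join-Path $env:TEMP 'rdp-listener.cer'
Export-Certificate -Cert $candidate -FilePath $cerPath | Out-Null
"Copy $cerPath to the client and import it with: certutil -addstore Root rdp-listener.cer"
```

Re-run step 1 afterwards to confirm the listener reports the new thumbprint. The name check is deliberately exact rather than wildcard-aware: mstsc compares the name it was given against the certificate, so a certificate for the computer name or an instance id such as i-0e427eaa3f0b7ca11 will keep producing the mismatch warning no matter how trusted it is.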