Get-RDPCertificate PowerShell Function
I’ve been on a PowerShell function writing kick lately. Finally have one somewhat polished. As the name implies, it gets information for the certificate being used by the RDP service.
https://github.com/ThePatrickHoban/Scripts/blob/main/PowerShell/Certificates/Get-RDPCertificate.ps1
Replace Tenable Nessus Essentials Self-Signed Certificate
After installing Tenable Nessus Essentials & browsing to the web interface, you get warning about the certificate. The message can vary depending on the name used in the browser to connect (localhost, hostname, etc.)
This is due to it using the built-in self-signed certificate that is generated when Tenable Nessus Essentials is installed.
Once logged into the web interface, there isn’t anywhere to replace the certificate being used. I found the link below on how to use a certificate from a certificate authority, but the details are…lacking.
https://docs.tenable.com/nessus/Content/CustomSSLCertificates.htm
So below is what I did to replace the self-signed certificate with one from an internal certificate authority. It’s no one-stop script or function to run but it does the trick. Form follow function people. All the code can be found on my GitHub page. Some code is based off other sources & is credited on the GitHub page.
https://github.com/ThePatrickHoban/Scripts/blob/master/PowerShell/Certificates/GenerateNessusCertificate.ps1
All the standard disclaimers apply, if you break something that’s on you. Use at your own risk.
-
- Create a DNS entry as needed for the FQDN you are going to use. In my case, I use nessus.laptoplab.net.
- Some environment specific variables you will need to change. $CN is the FQDN that will be used to access the web interface. $TemplateName is the name of the template in your CA. $Password is a temporary password used for exporting the certificates.
# Variables to update as needed [string]$CN = "nessus.laptoplab.net" [string]$TemplateName = "LabSSLWebCertificateCustom" [string]$Password = "P@ssw0rd"
- Set some more variables. These you can modify if needed.
# Other Variables [string[]]$SAN = "DNS=$CN" [string]$Date = Get-Date -Format yyyyMMddhhmmss [string]$FriendlyName = """Nessus $Date""" [int]$keyLength = 2048 [string]$NessusCAPath = "C:\ProgramData\Tenable\Nessus\nessus\CA" $SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force # CA $rootDSE = [System.DirectoryServices.DirectoryEntry]'LDAP://RootDSE' $searchBase = [System.DirectoryServices.DirectoryEntry]"LDAP://$($rootDSE.configurationNamingContext)" $CAs = [System.DirectoryServices.DirectorySearcher]::new($searchBase,'objectClass=pKIEnrollmentService').FindAll() If ($CAs.Count -eq 1){ $CAName = "$($CAs[0].Properties.dnshostname)\$($CAs[0].Properties.cn)" } Else { $CAName = "" } If (!$CAName -eq "") { $CAName = "$CAName" }
- Stop the Tenable Nessus service
Stop-Service -Name 'Tenable'
- Create a variable of the contents for the INF file to be used by certutil.
# INF Template $file = @" [NewRequest] FriendlyName = $FriendlyName Subject = "CN=$CN,c=$Country,s=$State,l=$City,o=$Organisation,ou=$Department" MachineKeySet = TRUE KeyLength = $KeyLength KeySpec=1 Exportable = TRUE RequestType = PKCS10 ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" [RequestAttributes] CertificateTemplate = "$TemplateName" "@ # SAN Certificate If (($SAN).count -eq 1) { $SAN = @($SAN -split ',') } $file += @' [Extensions] ; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7 ; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension. 2.5.29.17 = "{text}" '@ ForEach ($an in $SAN) { $file += "_continue_ = `"$($an)&`"`n" }
- Prepare a few files.
$inf = Join-Path -Path $env:TEMP -ChildPath "$CN.inf" $req = Join-Path -Path $env:TEMP -ChildPath "$CN.req" $cer = Join-Path -Path $env:TEMP -ChildPath "$CN.cer"
- Populate the INF file.
Set-Content -Path $inf -Value $file
- Create a CSR.
Invoke-Expression -Command "certreq -new `"$inf`" `"$req`""
- Get the private key info for the CSR.
# Private Key $CertificateRequest = Get-ChildItem -Path Cert:\LocalMachine\REQUEST | Where-Object {$_.Subject -like "CN=$CN*"} | sort NotBefore | Select-Object -Last 1 Export-PfxCertificate -Cert $CertificateRequest -Password $SecurePassword -FilePath "$env:TEMP\$CN.pfx" # Convert PFX to PEM Set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg Set-Location -Path 'C:\Program Files\OpenSSL-Win64\bin' Invoke-Expression -Command ".\openssl.exe pkcs12 -in $env:TEMP\$CN.pfx -nocerts -out $env:TEMP\$CN.pem -passin pass:$Password -passout pass:$Password" Invoke-Expression -Command ".\openssl.exe rsa -in $env:TEMP\$CN.pem -out $env:TEMP\$CN.key -passin pass:$Password -passout pass:$Password" 2>&1 Set-Location -Path C:\Temp
- Submit the CSR to the CA.
Invoke-Expression -Command "certreq -submit -config `"$CAName`" `"$req`" `"$cer`""
- Retrieve the certificate.
Invoke-Expression -Command "certreq -accept `"$cer`""
- Export the certificate.
# Export certificate $IssuedCertificate = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "CN=$CN*"} | sort NotBefore | Select-Object -Last 1 Export-Certificate -Cert $IssuedCertificate -FilePath "$env:TEMP\$CN`_Issued.cer" # Convert to Base64 certutil -encode "$env:TEMP\$CN`_Issued.cer" "$env:TEMP\$CN`_Issued_Base64.cer"
- Get the CA’s certificate. This step can vary depending on the PKI infrastructure.
# Get CA Certificate # https://www.powershellgallery.com/packages/CertificatePS/1.2/Content/Copy-CertificateToRemote.ps1 [int]$iteration = 1 $Chain.Build($IssuedCertificate) | Out-Null $ChainElements = $Chain.ChainElements | Select-Object -ExpandProperty Certificate -Skip 1 ForEach ($ChainElement in $ChainElements) { $Iteration++ $CertificatePath = Join-Path $env:TEMP "$("{0:00}" -f $Iteration).$($ChainElement.Thumbprint).cer" $ChainElement | Export-Certificate -FilePath $CertificatePath | Out-Null # Convert to Base64 $Output = certutil -encode "$CertificatePath" "$env:TEMP\$("{0:00}" -f $Iteration).$($ChainElement.Thumbprint)`_Base64.cer" }
- Copy some of the certificate files to the Nessus Tenable directory. This one can vary as well to get the CA cert copied over. But if you’re reading this, you’re probably able to deduce how to get it copied & named correctly based on this example.
# Update Nessus certificate files $Date = Get-Date -Format yyyyMMddhhmmss Rename-Item -Path $NessusCAPath\cacert.pem -NewName $NessusCAPath\cacert`_$Date.pem Copy-Item -Path $CertificatePath.Replace('.cer','_Base64.cer') -Destination $NessusCAPath\cacert.pem Rename-Item -Path $NessusCAPath\servercert.pem -NewName $NessusCAPath\servercert`_$Date.pem Copy-Item -Path $env:TEMP\$CN`_Issued_Base64.cer -Destination $NessusCAPath\servercert.pem -Force Rename-Item -Path $NessusCAPath\serverkey.pem -NewName $NessusCAPath\serverkey`_$Date.pem Copy-Item -Path $env:TEMP\$CN`.key -Destination $NessusCAPath\serverkey.pem -Force
- Start the Tenable Nessus service.
Start-Service -Name 'Tenable Nessus'
- Do a little cleanup. You can of course skip this step if you like & just move all the files generated to a secure location for backup.
$Cleanup = Get-ChildItem -Path $env:TEMP | Where-Object {$_.Name -like "$CN*"} Remove-Item -Path $Cleanup.FullNameNow the moment of truth. Browse to the FQDN you configured for the Nessus Tenable web interface. You should not get any certificate warning.
RDP Error Connecting to Server
One of our Helpdesk personnel got the following error when making an RDP connection from Windows XP SP3 to a Windows Server 2008 R2 server, “Remote Desktop cannot connect to the remote computer because the authentication certificate received from the remote computer is expired or invalid. In some cases, this error might also be caused by a large time discrepency between the client and server computers.”
Since the error suggested it I checked the date, time, & time zone on both the server & client but they are all correct. I tried to RDP to the same server & was able to log in just fine, however I was using Windows 7.
On the server if I open the certificate store in an MMC & browse to the Remote Desktop\Certificates I see that there is a self-signed certificate that expired on 5/3/2011.
If I look at the same store in other 2008 R2 & 2008 SP2 servers they all have a self-signed certificate as well but the expiration dates have not yet passed. It appears as though this certificate should be renewing itself automatically every 6 months but for some reason on this one server it is not. While I could never find any documentation on the mechanics behind this certificate auto-renewing itself the fix is pretty simple. You just need to restart the Remote Desktop Configuration service. The expired certificate will then be renewed.
You will also see an Event ID 1056 in the System log that says, “A new self signed certificate to be used for Terminal Server authentication on SSL connections was generated. The name on this certificate is servername.domain.tld. The SHA1 hash of the certificate is in the event data.”
Update: I have also found this same issue on Windows Server 2008 RTM, SP1, and SP2. The same fix applies only the service to restart is Terminal Services Configuration.