Michael Leone on 25 Oct 2013 08:05:00 -0700


Re: [PLUG] Fwd: Openssl config question

On Fri, Oct 25, 2013 at 1:38 AM, brent timothy saner
<brent.saner@gmail.com> wrote:
> On 10/24/2013 09:53 PM, Michael Leone wrote:
> OH. also, be sure to check the man page, of course. the
> encoding/cipher commands especially might be useful; i have a hunch
> (which can, of course, be absolutely wrong) that it's something in how
> the cert is being generated rather than it being a Windows Thing(TM)
> ...as much as i wish i could say otherwise. ;)

I'm pretty much certain it is an openssl config mis-step on my part.
Here's why: there is such a thing as a Remote Desktop Gateway ("A
Remote Desktop Gateway (RD Gateway) server is a type of gateway that
enables authorized users to connect to remote computers on a corporate
network from any computer with an Internet connection."). It's another
component of RDS. Well, this site:

RDS: The RD Gateway server must be configured to use a valid SSL certificate

talks about the RD Gateway server having the exact error message that
I am having, when trying to import a certificate for an RD Gateway.
And in my configuration, since all my users are local, the RD Gateway
server is the same server that is the session host.

Certificates for RD Gateway must meet these requirements:

The intended purpose of the certificate is server authentication. The
Extended Key Usage (EKU) is Server Authentication (

And my current cert says:

$sudo openssl x509 -text -in --certificate--            ## as per:

Mine does not show anything like this:

        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
      X509v3 extensions:
            X509v3 Basic Constraints:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.
                  CPS: https://www.verisign.com/rpa

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            Authority Information Access:
                OCSP - URI:http://ocsp.verisign.com
    Signature Algorithm: sha1WithRSAEncryption

My cert looks different:

        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                         <snip >
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption

I have no "Extended Key Usage" section showing in my cert. And the MS
page says I need that (well, I am inferring that I need it, anyway).

So I am guessing I need to put this in my config, to be sure and add
this property to the cert:


Just not sure where in my openssl config I need to put this.
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
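
Added example, not part of the original post: one way to carry the Server Authentication EKU in an openssl config extension section, with a check that tells a cert lacking it from one that has it. It assumes a throwaway self-signed cert; the host name rdgw.example.test, the section names plain_ext and server_ext, and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: two throwaway self-signed certs from one config, one
# without and one with the Server Authentication EKU. Names are constructed.

write_config() {   # $1 = path of the config file to create
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
CN = rdgw.example.test

# No EKU: reproduces the kind of cert described in the post.
[ plain_ext ]
basicConstraints = CA:FALSE

# serverAuth is printed by "openssl x509 -text" as
# "TLS Web Server Authentication".
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

make_cert() {      # $1 = work dir, $2 = extension section, $3 = output cert
    [ -f "$1/key.pem" ] || openssl genrsa -out "$1/key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 30 -key "$1/key.pem" \
        -config "$1/openssl.cnf" -extensions "$2" -out "$3" 2>/dev/null
}

has_server_auth_eku() {   # $1 = PEM cert; exit status 0 if the EKU is present
    openssl x509 -noout -text -in "$1" |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'TLS Web Server Authentication'
}

demo() {
    work=$(mktemp -d) || return 1
    write_config "$work/openssl.cnf"
    make_cert "$work" plain_ext  "$work/plain.pem"
    make_cert "$work" server_ext "$work/server.pem"
    for c in plain server; do
        if has_server_auth_eku "$work/$c.pem"; then echo "$c.pem: EKU present"
        else echo "$c.pem: EKU missing"; fi
    done
    rm -rf "$work"
}
demo
```

When a CA signs the request instead, the same extendedKeyUsage line goes in the section that `x509_extensions` names for `openssl ca`, or in the file and section passed to `openssl x509 -req` with `-extfile` and `-extensions`.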