How can I sign my .rdp files?

Thinstuff Support
2023-06-28 16:26

General Description

You can use a digital signature to sign .rdp files. By signing .rdp files with trusted certificates, your clients can verify that important settings such as which server to connect to haven’t changed since the creation of the .rdp file.

This enables clients to recognize your organization as the source of the remote app or the remote desktop connection and allows them to make a better decision whether to start the connection.

The following error is displayed if someone opens a signed .rdp file that has been manually edited.

So what do you have to do to sign a .rdp file? Either follow the steps below or use RD WebAccess from our partner company (recommended), which allows you to distribute signed .rdp files quite easily.

First: Create your .rdp file

Second: Get your certificate's thumbprint

Third: Sign your .rdp file by using rdpsign.exe

Create a .rdp file

A .rdp file is basically a simple text file (filled with parameters) that defines the connection settings for a Remote Desktop or RemoteApp session. You can easily edit, copy and distribute it.

You can create a .rdp file in Notepad by adding the standard parameters. However, for this you'll have to know all the parameters.

The simplest way to do this is to use Microsoft's Remote Desktop Client (mstsc.exe).

Or you can use the recommended free RDP client from Thincast Technologies called TC Client.
This RDP client offers a comfortable user interface to preconfigure RDP files for remote desktop as well as RemoteApp connections.

Microsoft's Remote Desktop Client offers no possibility to configure or activate RemoteApp connections.

So let's assume that you have configured and backed up the RDP file.

Get your certificate's thumbprint

The next step is to import your certificate and get your certificate's thumbprint. This step requires a valid .pfx certificate (either self-signed or CA-signed) and the export password from the .pfx file.

Manage Certificates with the Management Console

  1. Open your Management Console (Start -> Run -> type in "mmc.exe")
  2. Go to File -> "Add/Remove Snap-in" or use the shortcut Ctrl+M
  3. Now select "Certificates" and click on "Add"
  4. Choose "My user account" to manage your personal certificates. After that click on "Finish"
  5. Now apply with "OK"

Import your Certificate

  1. Go to Action -> All Tasks -> Import
  2. The 'Certificate Import Wizard' window appears; click on 'Next'
  3. Now click on 'Browse' and choose 'Personal Information Exchange .pfx, .p12' as file type.
  4. Select your certificate and click on 'Open'
  5. Click on 'Next'
  6. Type in the export password which you entered when creating the .pfx file and click on 'Next'
  7. Select 'Personal' as certificate store and click on 'Next'
  8. Click on 'Finish' to complete the import process.

Get your certificate's thumbprint

To get the certificate's thumbprint please do the following:

  1. Navigate to 'Certificates - Current User' -> Personal -> Certificates and double-click your recently imported certificate
  2. Switch to the 'Details' tab and locate the field 'Thumbprint'
  3. Now select the thumbprint, copy it and paste it into Notepad (notepad.exe)
  4. To use rdpsign.exe you have to remove all blank spaces from your thumbprint. Go to File -> Replace (Ctrl+H) in Notepad, enter a blank space in the 'Find what:' field and click on 'Replace All'
  5. Mark your thumbprint and copy it

More information about certificates/cryptography can be found at wikipedia.com:

Public key cryptography

Public key certificate

We used, for example, 'openssl' to create the .cert/.pfx certificate - www.openssl.org

Sign your .rdp file

After you've created your .rdp file and copied the certificate's thumbprint (without blank spaces) you can sign your .rdp file.

Now open a command prompt as Administrator and use the following command:

rdpsign [options] [items to sign]

  • As option use /sha1 and then paste your thumbprint (without blank spaces). Now remove the first character, which is a '?'.
  • Enter the path of your .rdp file instead of [items to sign]

e.g.

C:\Windows\system32>rdpsign /sha1 f9f89d00ec0ra2d5da259h7990144df53b413efb c:\Server01.rdp

After you've executed your command, the following will be displayed:

All rdp file(s) have been succesfully signed.
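
The thumbprint clean-up and the rdpsign call described above can also be scripted. The following PowerShell script is an added example, not part of the original Thinstuff article; the thumbprint and the file path are constructed sample values, and it assumes the certificate was imported into the current user's 'Personal' store as described above.

```powershell
# Added example: normalize a thumbprint copied from the certificate dialog,
# check the certificate, then sign the .rdp file with rdpsign.exe.
# Both default values below are constructed samples; replace them with your own.
param(
    [string]$RawThumbprint = '?00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33',
    [string]$RdpFile = 'C:\Server01.rdp'
)

# Keep hex digits only: this drops the blank spaces and the stray leading
# character that shows up as '?' when the value is pasted into a console.
$thumbprint = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumbprint.Length -ne 40) {
    throw "Expected 40 hex digits (SHA-1 thumbprint), got $($thumbprint.Length)."
}

# The certificate must be in the Personal store together with its private key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $thumbprint in Cert:\CurrentUser\My."
}
if (-not $cert.HasPrivateKey) {
    throw 'The certificate has no private key; import the .pfx file, not only the public certificate.'
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "The certificate expired on $($cert.NotAfter)."
}
if (-not (Test-Path -LiteralPath $RdpFile)) {
    throw "File not found: $RdpFile"
}

# rdpsign overwrites the file it signs, and any later edit invalidates the
# signature, so keep an unsigned copy to edit and re-sign from.
Copy-Item -LiteralPath $RdpFile -Destination "$RdpFile.unsigned" -Force

& rdpsign.exe /sha1 $thumbprint $RdpFile

# A signed .rdp file contains a 'signature:s:' setting; treat its absence as failure.
if (-not (Select-String -LiteralPath $RdpFile -Pattern '^signature:s:' -Quiet)) {
    throw "No signature found in $RdpFile after running rdpsign."
}
Write-Output "Signed $RdpFile with certificate '$($cert.Subject)'."
```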

If you now open your .rdp file, a trust dialogue will be displayed.
