Tested on Windows 10 Professional and Windows 2008 R2. These configurations also should work on newer verions of Windows server operating systems. These steps must be performed manually.
A: This section describes the use of free "Let's Encrypt" certificates generated by the TSplus SSL tool. If you have your own signed SSL certificate then skip this section and continue to section B.
1. In the AdminTool, go to Security > SSL Certificate Toolkit
2. File > Open Keystore File > ***Remote Access_installation_folder***\Clients\webserver\cert.jks (default password: secret)
3. Right click on Private Key(jwts) > Export > Private Key and Certificates > PKCS#12 > OK (default password: secret, the next password fields should be empty)
4. Save your *.p12 certificate file somewhere on Desktop for fast access.
5. Continue to section B:
B:
1. Start mmc.exe, then click File > Add/Remove Snap-In > Certificates > Add > Computer Account > (default!) Local Computer *** > Finish > OK
2. Console Root > Certificates (Local Computer) > Personal >> Right click > All Tasks > Import > Next > Browse >
> (choose extension "Personal Information Exchange") *.p12 YOUR CERTIFICATE FILE > Next > (your password, empty or you should remember it) >> (Allow "Mark this key as exportable" and "Include All Extended Properties") > Next
> (Automatically select the certificate based on the type of certificate) Next > Finish (press F5 to refresh if key did not yet appear under Personal\Certificates)
2.1 Right click on that new key entry > All Tasks > Manage Private Keys >Add "NETWORK SERVICE" with allowed "READ" rights. This step is not always necessary. Some systems this entry gets added automatically but if not add it manually.
3. Double click on freshly imported private key/certificate for your domain (usually it has the name of your signed domain under "Issued to")
4. Click on Details >> scroll down > Thumbprint > [example]: ab 42 96 33 fb 19 28 65 30 a7 e1 63 2d 3f d2 96 70 1c 50 67> NOTICE IT SOMEWHERE
5. Open Notepad and create a new file and save it as "myreg.reg". and save there following text according to "Thumbprint" example above (remember the SSLCertificateSHA1Hash"=hex:ab,42,96,33***" is example, replace it by own values!!! Same in attached example_myreg.reg)
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"SSLCertificateSHA1Hash"=hex:ab,42,96,33,fb,19,28,65,30,a7,e1,63,2d,3f,d2,96,70,1c,50,67
6. Now execute that "myreg.reg" file and add so this information to registry, if you don't do this step then next step 8. will fail with.
7. start cmd.exe with Administrator rights!
8. execute:
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="ab429633fb19286530a7e1632d3fd296701c5067"
(after completion it should report > Property(s) update successful
(remember the SSLCertificateSHA1Hash="ab429633***" is an example, replace it with you own values!!!)
Congratulation, now whenever you call mstsc.exe > your_domain.com then the new signed certificate will be served to client by the Remote A server.