1

Problem: Unable to RDP to server because the certificate is revoked.

However, when checking certificate, it is not expired. (Today is Oct 5, the Cert expires in November.)

My attempts to fix: log in to GoDaddy, re-key the certificate, download and apply it to the server, but it is still revoked.

Please see screenshot (image not reproduced here).

Any suggestions?

1
  • Download and apply to the server where, using what steps?
    – Greg Askew
    Oct 5 at 11:48

3 Answers

11

"Revoked" is different from "Expired". If the certificate has been reissued, the old one may have been revoked as part of that process; the new one will be different. If you haven't done anything that might have resulted in that certificate being invalidated, you should contact the issuer, Starfield (according to your screen shot), and find out why they revoked the certificate. Even if the revocation sprang from some action of yours, they should have some record of what that action was.

7
  • as I mentioned, I downloaded the new certificate, the issue is still there
    – ppau2004
    Oct 5 at 3:57
  • 2
    you also said you logged in to GoDaddy to retrieve your certificate. Yet the certificate was not issued by GoDaddy but by Starfield. So perhaps the certificate you downloaded is not what you think it was.
    – tsc_chazz
    Oct 5 at 6:04
  • Also, do the details of the certificate you got from your CA match those displayed by RDP? It could be that you are not correctly installing the new certificate, or not the right one.
    – jcaron
    Oct 5 at 11:49
  • 1
    NB GoDaddy and Starfield are basically the same. GoDaddy will issue certs from either CA. en.wikipedia.org/wiki/Starfield_Technologies Oct 5 at 12:36
  • We've never been offered anything from Starfield, it's always been GoDaddy for us. Fact remains that without any understanding of why the certificate was revoked, downloading a new one may not be sufficient. Time to gird up the loins and talk to Starfield support.
    – tsc_chazz
    Oct 5 at 14:39
4

Your certificate is indeed revoked.

This seems to be the certificate with serial number 7747429201611400623 (0x6b8465cfac8925af) †

If we manually query the OCSP server that claims this to be revoked, it says:

$ openssl ocsp -issuer chain.pem -cert 85de76c967801d40133c6c51b4d16f02eb1d170bea7b42a4e5e1cb7d55fd589f.pem -text -url http://ocsp.starfieldtech.com/
(...)
    This Update: Oct  5 00:32:18 2023 GMT
    Next Update: Oct  6 12:32:18 2023 GMT
    Reason: superseded
    Revocation Time: Oct  2 00:20:23 2023 GMT

Do note that the certificate you have on port 443 (Not Valid Before: 2023-10-03, Not Valid After: 2023-11-11) is NOT revoked, and is likely the one you should be using instead of the other one.

† In compliance with Censys terms of service as a Censys Free Customer, I should note the actual certificate was located using the service provided by https://censys.io/

1

Found Solution:

On the RDS server, open cmd in admin mode and bind the RDP-Tcp listener to the new certificate's SHA-1 thumbprint (the namespace path needs two leading backslashes):

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

Full Description is here:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remote-desktop-listener-certificate-configurations

2
  • Two possibilities. You revoked your certificate, or GoDaddy revoked your certificate. Neither is desirable, as certificates require everything to be functional or the whole house of cards comes crashing down. It's a good idea to identify and document procedures such as the steps for certificate renewal, to minimize the possibilities of further misunderstandings and mistakes. GoDaddy revocation: uk.godaddy.com/help/revoke-a-certificate-4747 More information: medium.com/hackernoon/…
    – Greg Askew
    Oct 6 at 4:25
  • Additionally, some providers specify that a rekey implies revocation. That makes sense to me; however, it should be documented, given that it obviously will cause, and has caused, numerous outages. It's probably safer to assume that a GoDaddy rekey implies revocation.
    – Greg Askew
    Oct 6 at 4:33
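Putting the second and third answers together as an added PowerShell example (this is not code from the question or from any answer): it reads the thumbprint the RDP-Tcp listener is currently bound to, runs an online revocation check over every Local Machine certificate issued for the host name (the same question the openssl ocsp query above asks, answered through the Windows chain engine, which uses CRL and OCSP), and rebinds the listener to the newest certificate that has a private key and a clean chain. The host name rdp.example.com is a placeholder; the script assumes it runs in an elevated Windows PowerShell on the RDP host and that the re-keyed certificate has already been imported, with its private key, into Cert:\LocalMachine\My.

```powershell
# Added example, not from the original post. Assumptions: elevated PowerShell on the
# RDP host; $HostName is a placeholder; the new certificate + private key is already
# in the Local Machine "Personal" store.
$HostName = 'rdp.example.com'

# 1. What is the RDP-Tcp listener bound to right now? (Same object the wmic command edits.)
$listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
"Listener currently bound to thumbprint: $($listener.SSLCertificateSHA1Hash)"

# 2. Build a chain with ONLINE revocation checking, so a revoked-but-unexpired
#    certificate is reported as such, which is exactly what an RDP client sees.
function Test-CertRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid   = $chain.Build($Cert)
    $revoked = [bool]($chain.ChainStatus |
        Where-Object { $_.Status.HasFlag([System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked) })
    $status  = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    $chain.Dispose()
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        NotBefore  = $Cert.NotBefore
        NotAfter   = $Cert.NotAfter
        HasKey     = $Cert.HasPrivateKey
        ChainValid = $valid
        Revoked    = $revoked
        Status     = $status
    }
}

# 3. Evaluate every candidate certificate for this host name. After a re-key there are
#    typically two: the superseded (revoked) one and the new one.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$HostName*" -or ($_.DnsNameList.Unicode -contains $HostName) } |
    ForEach-Object { Test-CertRevocation -Cert $_ }
$candidates | Format-Table Thumbprint, NotBefore, NotAfter, HasKey, ChainValid, Revoked, Status -AutoSize

# 4. Choose the newest certificate that is usable for TLS (private key present, chain OK, not revoked).
$good = $candidates |
    Where-Object { $_.HasKey -and $_.ChainValid -and -not $_.Revoked } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $good) { throw "No non-revoked certificate with a private key found for $HostName" }

# 5. Rebind the listener if it still points at the old thumbprint.
#    This is the CIM equivalent of the wmic command in the answer above.
if ($good.Thumbprint -eq $listener.SSLCertificateSHA1Hash) {
    "Listener already uses $($good.Thumbprint); nothing to do."
} else {
    $listener | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $good.Thumbprint }
    "Rebound RDP-Tcp listener from $($listener.SSLCertificateSHA1Hash) to $($good.Thumbprint); reconnect with mstsc to verify."
}
```

Two caveats when using this. Windows caches CRL and OCSP responses, so a certificate that was revoked a day ago can still show as clean (or a freshly reissued one as unknown) until the cache is cleared with `certutil -urlcache * delete`; the OCSP response in the second answer has a one-and-a-half-day validity window, which is about how long stale results can persist. And the listener only works if the account running the Remote Desktop service (NETWORK SERVICE) has read access to the certificate's private key; if the server is part of a full Remote Desktop Services deployment, the role certificates (Gateway, Connection Broker, Web Access) are set in the deployment properties, not through this listener setting.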
