How-to-simply...

Verify changed RDP certificate on Windows Server to prevent MITM

  • 1 !!!Certificate for {ip address}:{port} (RDP-Server) has changed!!!
    Thumbprint: 90:82:25:6e:1a:... <- Verifying this message from xfreerdp
  • 2 PowerShell: Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' | Where-Object { $_.Subject -like "*cert-subject-name*" }
  • 3 Win+R mmc (Microsoft Management Console) -> File -> Add/Remove Snap-in -> Certificates -> Add -> Computer Account -> Local Computer -> OK
    Left menu Certificates (Local Computer) -> Remote Desktop -> Certificates
  • 4 R-click -> All Tasks -> Export...
    No, do not export the private key
    Base-64 encoded X.509 (.CER)
    Filename: cert-yyyyMMdd.cer
  • 5 Git bash: openssl x509 -noout -fingerprint -sha256 -inform pem -in cert-yyyyMMdd.cer
    SHA256 Fingerprint=90:82:25:6E:1A:... <- Should be the same
  • N The thumbprint from the xfreerdp connection message and the openssl fingerprint output should be the same (case-insensitive)
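
The comparison in steps 5 and N can be scripted so that case and colon differences are ignored and a truncated thumbprint is never accepted as a match. This is an added example, not part of the original note; the function names are hypothetical, and it assumes openssl is on the PATH in Git Bash.

```bash
#!/bin/sh
# Added example: compare the thumbprint shown by xfreerdp with the SHA-256
# fingerprint of the certificate exported from the server (step 4).
# All function names are hypothetical.

# Reduce a fingerprint to bare lowercase hex: drops a leading label such as
# "SHA256 Fingerprint=", colons and whitespace.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Succeeds only for a complete SHA-256 value (exactly 64 hex digits).
is_full_sha256() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Returns 0 on match, 1 on mismatch, 2 if either value is incomplete.
# A shortened thumbprint is rejected rather than compared as a prefix.
compare_fp() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    is_full_sha256 "$a" || return 2
    is_full_sha256 "$b" || return 2
    [ "$a" = "$b" ]
}

# Usage: verify_rdp_cert cert-yyyyMMdd.cer '<full thumbprint from xfreerdp>'
verify_rdp_cert() {
    server_fp=$(openssl x509 -noout -fingerprint -sha256 -inform pem -in "$1") || return 2
    rc=0
    compare_fp "$server_fp" "$2" || rc=$?
    case $rc in
        0) echo "MATCH: xfreerdp saw the certificate exported from the server" ;;
        1) echo "MISMATCH: do not accept the changed certificate" >&2 ;;
        *) echo "ERROR: two complete SHA-256 fingerprints are required" >&2 ;;
    esac
    return $rc
}
```

The exit status is 0 only on a full match, so the function can gate whatever script starts the xfreerdp session.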
