Forum Discussion

DaytonG_131489
Apr 11, 2017

APM - User Defined RDP in version 13 - digital signature issue

I'm testing out v13 and User Defined RDP via webtop in my lab and am getting the following message when launching the .RDP file:

 

"The digital signature of this RDP File cannot be verified. The remote connection cannot be started."

 

Has anyone run into this at all? I'm wondering if it could be related to the use of default "clientssl" and "serverssl" profiles for the Virtual Server associated with the Access Policy.

 

  • Hi All,

     

    I'm a bit confused here. After creating the cert like Chris Zhang mentioned above, where should we use it? Client SSL profile? Client PC (which is accessing through F5)? Or on the RDP server?

     

    Thanks anyway..

     

  • You can recreate your cert as below.

    root@u1:~ openssl x509 -req -days 3650 -in vpn.home.lab.csr -CA dc7.h.l.cer -CAkey dc7.h.l.key -out vpn.home.lab.cer -set_serial 129 -sha256 -extensions some_ext -extfile ssl_ext
    
    root@u1:~ cat ssl_ext 
    [some_ext]
    
    extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    
    • paulooliveira

      Hi,

      When running the above command, I get the error below:

      error loading the config file 'ssl_ext'

      The command I'm running is:

      openssl x509 -req -days 3650 -in /shared/tmp/client1.req -CA /shared/tmp/client1.crt -CAkey /shared/tmp/client1.key -out /shared/tmp/apm.labf5.com.br.crt -set_serial 129 -sha256 -extensions some_ext -extfile ssl_ext

      Is it correct?

  • The fact is the Microsoft RDP client has requirements about the certificates used to sign the .rdp files.

     

    • self-signed certificates are forbidden,
    • some extensions are needed, when creating the certificates.

    extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment

     

    Change the certificate on APM and RDS server with these requirements.
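
The certificate properties listed in this thread can be checked before a certificate is attached to the client SSL profile. The script below is an added example, not code from any poster or from F5: it signs a leaf certificate with the thread's `ssl_ext` section and verifies the result. The names `lab-ca` and `vpn.lab.example` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; all names and paths here are constructed lab values.
set -eu

# Write the extension section from the thread to file $1. A relative -extfile
# path is resolved from the current directory, and openssl reports
# "error loading the config file" when it cannot load it, so use a full path.
write_ext() {
  cat > "$1" <<'EOF'
[some_ext]
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
EOF
}

# Create a throwaway CA and a CA-signed leaf certificate in directory $1.
make_certs() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=lab-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.lab.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  write_ext "$d/ssl_ext"
  openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -set_serial 129 -sha256 \
    -extensions some_ext -extfile "$d/ssl_ext" -out "$d/leaf.crt" 2>/dev/null
}

# Return 0 only if cert $1 is not self-issued (subject differs from issuer)
# and shows the extension values the thread lists.
check_rdp_signing_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" != "$iss" ] || { echo "FAIL: self-signed"; return 1; }
  text=$(openssl x509 -in "$1" -noout -text)
  for want in "Code Signing" "Digital Signature" "CA:FALSE"; do
    case "$text" in
      *"$want"*) ;;
      *) echo "FAIL: missing $want"; return 1 ;;
    esac
  done
  echo "OK"
}

demo_dir=$(mktemp -d)
make_certs "$demo_dir"
check_rdp_signing_cert "$demo_dir/leaf.crt"
```
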

     

  • Hey, should a self-signed certificate be enough? I'm running the same test as DaytonG. ActiveX is not working with the Chrome browser, and the native option gives the same error he mentioned: "The digital signature of this RDP File cannot be verified. The remote connection cannot be started."

     

  • DamianFoitzik_2
    Historic F5 Account

    Your assumption is correct. You would need a valid client SSL certificate because the vdi profile generates a cryptographic signature based on the attached client SSL profile.