
APM - User Defined RDP in version 13 - digital signature issue

DaytonG_131489
Nimbostratus

I'm testing out v13 and User Defined RDP via webtop in my lab and am getting the following message when launching the .RDP file:

"The digital signature of this RDP File cannot be verified. The remote connection cannot be started."

Has anyone run into this at all? I'm wondering if it could be related to the use of default "clientssl" and "serverssl" profiles for the Virtual Server associated with the Access Policy.


DamianFoitzik_2
Historic F5 Account

Your assumption is correct. You would need a valid client SSL certificate because the vdi profile generates a cryptographic signature based on the attached client SSL profile.

Danielle_Alper1
Nimbostratus

Hey, should a self-signed certificate be enough? I'm running the same test as DaytonG. ActiveX is not working with the Chrome browser, and the native option gives the same error as he mentioned: "The digital signature of this RDP File cannot be verified. The remote connection cannot be started."

Matt_Dierick
F5 Employee

The fact is the Microsoft RDP client has requirements about the certificates used to sign the .rdp files.

  • self-signed certificates are forbidden,
  • some extensions are needed, when creating the certificates.

extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Change the certificate on APM and RDS server with these requirements.

Chris_Zhang
Legacy Employee

You can recreate your cert as below.

root@u1:~ openssl x509 -req -days 3650 -in vpn.home.lab.csr -CA dc7.h.l.cer -CAkey dc7.h.l.key -out vpn.home.lab.cer -set_serial 129 -sha256 -extensions some_ext -extfile ssl_ext

root@u1:~ cat ssl_ext 
[some_ext]

extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Hi,

When running the above command, I get the error below:

error loading the config file 'ssl_ext'

The command I'm running is:

openssl x509 -req -days 3650 -in /shared/tmp/client1.req -CA /shared/tmp/client1.crt -CAkey /shared/tmp/client1.key -out /shared/tmp/apm.labf5.com.br.crt -set_serial 129 -sha256 -extensions some_ext -extfile ssl_ext

Is it correct?

mr_shaggy_17493
Nimbostratus

Hi All,

I'm a bit confused here. After creating the cert like Chris Zhang mentioned above, where should we use it? Client SSL profile? Client PC (that is accessing through F5)? Or on the RDP server?

Thanks anyway..

Client SSL profile.
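
The certificate requirements from Matt_Dierick's and Chris_Zhang's replies, as an added example that is not part of the thread: it writes the extension file that `-extfile` has to point to, signs a CSR with a throwaway lab CA, and checks the result for the listed extensions. The names lab-ca and vpn.home.lab, the file names and the helper functions are constructed for illustration, and comparing subject with issuer is only a heuristic for spotting a self-signed certificate.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). lab-ca, vpn.home.lab and file names are constructed.

# -extfile must name an existing, readable file, so write it before signing.
write_ext_file() {
  cat > "$1" <<'EOF'
[some_ext]
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
EOF
}

# Build a throwaway lab CA and a leaf certificate signed by it in directory $1.
make_lab_cert() {
  local d=$1
  write_ext_file "$d/ssl_ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=lab-ca" \
    -keyout "$d/ca.key" -out "$d/ca.cer" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.home.lab" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/ca.cer" -CAkey "$d/ca.key" \
    -set_serial 129 -sha256 -extensions some_ext -extfile "$d/ssl_ext" \
    -out "$d/leaf.cer" 2>/dev/null
}

# Return 0 only if certificate $1 is not self-signed (heuristic: subject differs
# from issuer) and carries every extension value listed in the thread.
check_rdp_signing_cert() {
  local cert=$1 text subj iss want
  text=$(openssl x509 -in "$cert" -noout -text) || return 2
  subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" != "$iss" ] || { echo "FAIL: self-signed (subject == issuer)"; return 1; }
  echo "$text" | grep -q "CA:FALSE" || { echo "FAIL: basicConstraints"; return 1; }
  for want in "Digital Signature" "Non Repudiation" "Key Encipherment" \
              "TLS Web Server Authentication" "TLS Web Client Authentication" \
              "Code Signing" "E-mail Protection"; do
    echo "$text" | grep -q "$want" || { echo "FAIL: missing $want"; return 1; }
  done
  echo "OK: $cert"
}

d=$(mktemp -d)
make_lab_cert "$d" && check_rdp_signing_cert "$d/leaf.cer"
check_rdp_signing_cert "$d/ca.cer" || true   # constructed negative case: self-signed
```

The same check can be pointed at the certificate attached to the client SSL profile before it is imported.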