As I’ve documented many times before, I enjoy setting up proper internal certificates on all of the devices on my home network. This includes XRDP, the server that makes a Linux desktop reachable over Microsoft’s Remote Desktop Protocol (RDP). In my case, I use it to access an Ubuntu Desktop machine I have. Once I noticed that I was connecting to it using the default self-signed certificate, I had to change it.
The process was straightforward and similar to setting up a certificate for other services: point the “certificate” and “key_file” settings in the [Globals] section of “/etc/xrdp/xrdp.ini” at the certificate and private key files, then restart xrdp. At first, however, my attempts just resulted in complete failures to connect due to TLS errors. The errors were nondescript and not helpful in identifying the cause, but eventually I figured it out: XRDP needs the PEM file to contain the server’s own certificate first, followed by the rest of the chain (each intermediate below the certificate it issued). Two other things worth checking when the handshake fails silently: the xrdp daemon runs as an unprivileged “xrdp” user, so it must be able to read the key file (on Ubuntu, membership in the “ssl-cert” group is the usual way if the key lives under /etc/ssl/private), and /var/log/xrdp.log generally says more than the client does.
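Because the client-side error is so uninformative, it pays to validate the bundle before restarting xrdp. The script below is an added example, not code from the original post or from the xrdp project; it assumes only the openssl command-line tool, and the file paths in the usage line are hypothetical. It checks both things that break the handshake quietly: that the PEM bundle is ordered leaf first with each following certificate being the issuer of the one before it, and that the first certificate actually belongs to the private key named in key_file.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check a PEM bundle before
# pointing xrdp.ini's "certificate" and "key_file" at it. Assumes the openssl CLI.
# xrdp expects the server's own certificate first, then its issuer, then that
# certificate's issuer, and so on; a bundle with the CA on top fails the TLS handshake.
set -eu

# Print the n-th certificate (1-based) of a PEM bundle.
nth_cert() {
  awk -v n="$2" '
    /-----BEGIN CERTIFICATE-----/ { i++ }
    i == n { print }
    /-----END CERTIFICATE-----/ && i == n { exit }
  ' "$1"
}

# Number of certificates in a bundle (grep -c exits 1 on zero matches; keep the count anyway).
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Distinguished name of the certificate read on stdin; $1 is "subject" or "issuer".
dn() {
  openssl x509 -noout "-$1" -nameopt RFC2253 | sed "s/^$1=//"
}

# Succeeds only if every certificate after the first is the issuer of the one before it,
# i.e. the bundle is ordered leaf -> intermediate(s) -> (optional) root.
check_chain_order() {
  bundle=$1
  n=$(cert_count "$bundle")
  if [ "$n" -lt 1 ]; then
    echo "$bundle: no certificates found" >&2
    return 1
  fi
  prev_issuer=''
  i=1
  while [ "$i" -le "$n" ]; do
    cert=$(nth_cert "$bundle" "$i")
    subject=$(printf '%s\n' "$cert" | dn subject)
    issuer=$(printf '%s\n' "$cert" | dn issuer)
    if [ "$i" -gt 1 ] && [ "$subject" != "$prev_issuer" ]; then
      echo "$bundle: certificate $i ($subject) is not the issuer of certificate $((i - 1)) (expected $prev_issuer)" >&2
      return 1
    fi
    prev_issuer=$issuer
    i=$((i + 1))
  done
  return 0
}

# Succeeds only if the first certificate in the bundle belongs to the given private key;
# a certificate= / key_file= mismatch is another silent way to break the handshake.
key_matches_cert() {
  cert_pub=$(nth_cert "$1" 1 | openssl x509 -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh check_xrdp_chain.sh /etc/xrdp/fullchain.pem /etc/xrdp/key.pem  (hypothetical paths)
if [ "$#" -eq 2 ]; then
  if check_chain_order "$1" && key_matches_cert "$1" "$2"; then
    echo "OK: $1 is ordered leaf-first and its first certificate matches $2"
  else
    echo "FAIL: fix the bundle before restarting xrdp" >&2
    exit 1
  fi
fi
```

To build a bundle in the order xrdp wants, concatenate the server certificate and then the intermediate(s), e.g. `cat server.crt intermediate.crt > fullchain.pem`, and run the script on the result before touching xrdp.ini. The checks are deliberately independent of the root store: they only verify ordering and key ownership, which is exactly what xrdp trips over, not whether the chain would be trusted by a client.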
After this, I was able to connect, but Microsoft’s RDP client also checks the server certificate’s revocation status before connecting, using the CRL or OCSP location named in the certificate. Since I do not use OCSP for my internal PKI, that check fails, and I get this warning every time I try to connect:
There is a way to disable all certificate checks in the RDP client (the connection’s authentication level setting, “authentication level:i:0” in an .rdp file, which connects without warning when server authentication fails), but I don’t want that: I want to be warned when the certificate doesn’t match the host I’m trying to connect to, but not when the revocation check fails. At this time it appears that there is no way to disable just the OCSP check. Maybe someday.