Schannel Event 36870 – A fatal error occurred – RDP

Came in one morning to reports that nobody can access a particular Windows Server 2012R2 RDS server.  To keep from being too wordy, I took some time and narrowed it down to just an issue with that one particular server, not RDS itself.  As I kept digging I came across numerous instances of the following Schannel Event 36870 error on the effected RDS host, which I could then reproduce by attempting to make an RDP connection to the server experiencing the issue.

Now this led me down quite a number of SSL certificate rabbit holes, but the winner came from this stackoverflow article, which referenced this Microsoft blog post, in which scenario 2 was my solution.  I restored default permissions to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, restarted the box, and wha-lah!  RDP was functional again!

Convert .pfx to .pem Format

I needed to get .pem’s out of a .pfx recently for an application that did not have an easy method to upload a .pfx.  It ran on top of a debian distro so I figured it was easier to just drop the .pem’s where they need to be, but then I realized I’ve never taken a .pfx and split it up before.  Perfect time to figure it out right?  Luckily the issue wasn’t all that important (was a test/dev thing), so that’s just what I did.  Here is what I came up with:

1.) Install OpenSSL on a machine

2.) Copy .pfx file to that computer

3.) Run the following to get the key.pem:

4.) Run the following to get the crt.pem

That should do it for you.  Do with them what you will!

Sources:

Adobe Blog Post

StackPath Support Article

Renewing Let’s Encrypt Certificates with certbot-auto

I had some trouble renewing a certificate on a web server today with a particularly “wonky” configuration if you will.  The standard certbot methods I would normally use just would not work for me so I had to dig a little deeper into the more “advanced” certbot setups.  This brought me to the certbot documentation where I read that the certbot-auto script might be able to help me out, so I gave it a shot and it worked!  I started by downloading the script and changing the permissions as instructed:

I threw it in a home directory, but that is really dealers choice.  Once I had that complete I simply ran the following command and was off to the races:

 

Create Custom CSR with Exportable Private Key

This is just one of those things that always seems to slip my mind so I am going to throw it on here.

 

Start by opening MMC and adding the Certificates snap-in for the local computer.

Select the Personal store, right click in the open area, hover All Tasks, hover Advanced Operations, and select Create Custom Request…

Select Next on the Before You Begin page.  On the Select Certificate Enrollment Policy window, select Custom Request: Proceed without enrollment policy and select Next.

Confirm the Template option on the Custom request window is set to No template with PKCS #10 format and select Next.

Select Details on the Certificate Information window and then select properties.

Type in a Friendly name and, if you wish, a Description and select the Subject tab.

In the Subject name section select Common name, fill in the value appropriately, and select Add.  You can also add others such as Locality, State, Country, etc. if you wish and select the Private Key tab.

Under the Cryptographic Service Provider select 2048 for the Key size and select the Make private key exportable option.

Select Apply/OK and select next.  Browse or type in where you would like to store the csr and select finish.

Send that csr off to the CA your working with, or sign it with an internal CA and you’re off to the races.