Issue and renew certificate of Let's Encrypt using DNS-01 validation, apply new certificate with WSL and Powershell scripts.

Japanese description here / Description in Japanese

What is this for?

When we use the Windows 10 built-in Remote Desktop, the RD client asks us whether we trust the self-signed certificate of the host computer. This is because Windows RD uses a self-signed certificate by default. It causes no problems in use, however, I am reluctant to check "Never ask again for connections to this PC".

If you want to get an SSL certificate to avoid that prompt, this code may help you.


  • You own a domain whose DNS provider supports
  • You are using WSL

You can find the supported DNS providers here. If your provider is not supported by, please consider using another ACME client instead. If your provider is not in the list but you can expose port 80, you can use the HTTP-01 challenge (or certbot) instead (however, that requires keeping port 80 open).

As of September 2020, Certbot for Windows does not support the DNS-01 challenge, so we need to use Certbot in WSL.


  1. Install and set cron for auto renewal
  2. Issue a cert
  3. Convert to pfx (Windows format of certificate)
  4. Import pfx and do some settings
  5. Set scheduled tasks

1. Install and set cron for auto renewal

Install in your WSL environment.

$ wget -O - | sh

After it is installed, restart your terminal.

Set cron in WSL

If you already run cron in WSL, cron should have been set up when installing. By following the steps below, the cron process will start automatically when Windows boots.

  1. Change the sudo setting so that it does not ask for a password.
$ sudo visudo
<username> ALL=NOPASSWD: ALL # add this line (put your username in <username>)
  2. Create a new bat file containing the line wsl /bin/bash -l -c "sudo service cron start" and save it under a name of your choosing.
  3. Copy (or move) the bat file to C:\Users\<win-user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

2. Issue a cert

To use the DNS-01 challenge, you need to set your DNS ID and password (or token or key) as environment variables. You can find the variable names for your provider in dnsapi.

For example,

$ export MYDNSJP_MasterID=MasterID
$ export MYDNSJP_Password=Password

Then, issue a cert like this.

$ --issue --dns <your-dns-provider> -d <your-domain>

Caution: Don't specify multiple domains; a cert issued for multiple domains somehow cannot be used by Windows Remote Desktop. You can issue a wildcard cert by specifying it like this: -d *

Once the cert has been issued, the keys should be in /home/<user>/<your-domain>.

3. Convert to pfx (Windows format of certificate)

Using WSL/, convert from cer (pem) to pfx. This script also makes a fingerprint.txt, which holds the SHA-1 hash value of the cert. Before using it, edit the variables domain and file_dir.

$ cd ~/
$ git clone
$ cd ~/cert-win-remote-desktop/wsl
$ nano
# edit $domain and $file_dir
$ ./

4. Import pfx and do some settings

From here on, you will use a PowerShell terminal. Before moving on, edit powershell/cert.ps1:

$ cd ~/cert-win-remote-desktop/powershell
$ nano cert.ps1
$CERTWSLPATH = '\\wsl$\Ubuntu\home\<user>\cert-win-remote-desktop\wsl\keys'
$DOMAIN = '<your-domain>'

Move powershell/cert.ps1 to a Windows directory. Use Explorer or a PowerShell command like this:

cp \\wsl$\Ubuntu\home\<user>\cert-win-remote-desktop\powershell\cert.ps1 C:\Users\<win-user>\path\to\your\folder
cd C:\Users\<win-user>\path\to\your\folder

...and execute the command


Open mmc.exe, click File > Add/Remove Snap-in > Certificates > Add > Computer Account > Local Computer > OK, and expand Personal/Certificates. If you can see the domain name we just added, the pfx cert was successfully added to your computer. Just in case, right-click on the item, choose All Tasks > Manage Private Keys, and confirm that NETWORK SERVICE is listed.

Then, open regedit, expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, and find SSLCertificateSHA1Hash. If the hex values there are the same as the values in fingerprint.txt, the scripts have done their work without error!
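The import, the NETWORK SERVICE private-key permission and the SSLCertificateSHA1Hash check above, written out as an added example (this is not the repository's cert.ps1). It assumes the WSL script left cert.pfx and fingerprint.txt (constructed file names) in $CERTWSLPATH, that you know the pfx password, that the shell is elevated, and that the key is RSA.

```powershell
# Added example, not the repository's cert.ps1. Assumes cert.pfx and
# fingerprint.txt (constructed names) sit in $CERTWSLPATH, an elevated
# Windows PowerShell 5.1 session, and an RSA private key in the pfx.
$CERTWSLPATH = '\\wsl$\Ubuntu\home\<user>\cert-win-remote-desktop\wsl\keys'
$DOMAIN      = '<your-domain>'
$PfxPassword = Read-Host -Prompt 'pfx password' -AsSecureString

# 1. Import the pfx into the machine Personal store (Personal/Certificates in mmc).
$cert = Import-PfxCertificate -FilePath (Join-Path $CERTWSLPATH 'cert.pfx') `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

# 2. Grant NETWORK SERVICE read access to the private key file: the RDP
#    service runs under that account, and Read is all it needs.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} else {  # legacy CSP container, the usual case for an openssl-built RSA pfx
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$acl  = Get-Acl -Path $keyFile
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 3. Point RDP-Tcp at the new certificate by its SHA-1 thumbprint; this writes
#    SSLCertificateSHA1Hash under ...\Terminal Server\WinStations\RDP-Tcp.
$tsSetting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $tsSetting.__PATH `
    -Argument @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# 4. Verify: the registry value must equal fingerprint.txt. The file is read
#    leniently (an optional "...=" prefix and colons are stripped).
function Test-RdpCertificateHash {
    param([string]$FingerprintFile)
    $expected = (Get-Content -Path $FingerprintFile | Select-Object -First 1).Split('=')[-1]
    $expected = ($expected -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $bytes = (Get-ItemProperty -Name SSLCertificateSHA1Hash `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').SSLCertificateSHA1Hash
    $actual = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    return $actual -eq $expected
}
if (Test-RdpCertificateHash -FingerprintFile (Join-Path $CERTWSLPATH 'fingerprint.txt')) {
    Write-Host "RDP now serves the certificate for $DOMAIN"
} else {
    Write-Warning 'SSLCertificateSHA1Hash does not match fingerprint.txt'
}
```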

FYI: These scripts are based on this page.

5. Set scheduled tasks

Now, set up the scheduled tasks for auto renewal. Using cron in WSL, create a daily job like this:

0 0 * * * /path/to/cert-win-remote-desktop/wsl/

Then, open Task Scheduler in Windows and create a new basic task. It should run

  • daily (after running
  • with highest privileges
  • only when the user is logged on.

The Program/script is C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, and the argument is C:\Users\<win-user>\path\to\your\folder\cert.ps1.
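The same scheduled task registered from PowerShell instead of the Task Scheduler wizard, as an added example that is not part of the repository. The script path and the 00:30 start time (chosen to fall after the WSL cron job at midnight) are assumptions.

```powershell
# Added example, not part of the repository. Registers the task that step 5
# describes: daily, highest privileges, only when the user is logged on.
# The script path and the 00:30 start time are constructed assumptions.
$ScriptPath = 'C:\Users\<win-user>\path\to\your\folder\cert.ps1'

# Program/script and argument exactly as the basic-task wizard would set them.
$action = New-ScheduledTaskAction `
    -Execute 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -Argument "-File `"$ScriptPath`""

# Daily, after the midnight cron job in WSL has renewed and converted the cert.
$trigger = New-ScheduledTaskTrigger -Daily -At '00:30'

# RunLevel Highest  = "Run with highest privileges" (needed for the machine
#   store, the key ACL and the WMI/registry write).
# LogonType Interactive = "Run only when user is logged on", so \\wsl$ is
#   reachable and no password has to be stored with the task.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType Interactive -RunLevel Highest

Register-ScheduledTask -TaskName 'Renew RDP certificate' `
    -Action $action -Trigger $trigger -Principal $principal
```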

All done!
