Trusting the RAWeb server (Fix security error 5003) - kimmknight/raweb GitHub Wiki
During installation, RAWeb checks whether an SSL certificate is installed on the server and bound to the HTTPS binding in IIS. If it does not find one, the installer offers to install and bind a self-signed SSL certificate. If you did not accept that option, re-install RAWeb before continuing with this guide.
The following features require RAWeb to operate over HTTPS with a valid SSL certificate:
- RemoteApp and Desktop Connections (RADC) on Windows
- Workspaces in Windows App (formerly Microsoft Remote Desktop) on macOS, Android, iOS, and iPadOS
This guide shows you how to configure the RAWeb server and the client devices to operate over HTTPS with an SSL certificate. A limitation of using a self-signed certificate is that it must be installed on each client computer before that computer can connect. To avoid this limitation, choose Option 2: Use a certificate from a trusted certificate authority.
Option 1: Manually trust the self-signed certificate generated by the RAWeb installer
Open PowerShell. Then, run the following script. It will prompt you for the full URL of your RAWeb installation, retrieve the SSL certificate from that URL, and add it to the Trusted Root Certification Authorities certificate store for the current user.
$rawebUrl = Read-Host "Enter the full URL (include the protocol) to your installation of RAWeb"
try {
    $webRequest = [Net.WebRequest]::Create($rawebUrl)
    try {
        # we do not need the response, just the connection
        $webRequest.GetResponse() | Out-Null
    } catch {
        # expected while the certificate is still untrusted; the certificate
        # presented during the handshake remains available on the ServicePoint
    }
    # convert to X509Certificate2 so that the Thumbprint property is available
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$webRequest.ServicePoint.Certificate
    if ($cert) {
        # get the current user's certificate store
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
        try {
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
            # Check if the certificate is already in the store (optional but good practice)
            $existingCert = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
            if ($existingCert) {
                Write-Host "Certificate is already in the Trusted Root Certification Authorities store for the current user."
            } else {
                $store.Add($cert)
                Write-Host "Certificate successfully installed to the Trusted Root Certification Authorities store for the current user."
            }
        }
        finally {
            $store.Close()
        }
    } else {
        Write-Error "Could not retrieve the certificate from the specified URL."
    }
} catch {
    Write-Error "An error occurred while trying to access the URL or process the certificate: $($_.Exception.Message)"
}
If you need the .cer file for other devices, run the following script. It will prompt you to save the certificate file.
Add-Type -AssemblyName System.Windows.Forms
# get the RAWeb URL first
$rawebUrl = Read-Host "Enter the full URL (include the protocol) to your installation of RAWeb"
try {
    $webRequest = [Net.WebRequest]::Create($rawebUrl)
    try {
        # We only need to establish the connection
        $webRequest.GetResponse() | Out-Null
    } catch {
        # expected while the certificate is still untrusted; the certificate
        # presented during the handshake remains available on the ServicePoint
    }
    $cert = $webRequest.ServicePoint.Certificate
    if ($cert) {
        # create and configure a SaveFileDialog object
        $SaveFileDialog = New-Object System.Windows.Forms.SaveFileDialog
        $SaveFileDialog.InitialDirectory = [Environment]::GetFolderPath("Desktop") # Set initial directory (e.g., Desktop)
        $SaveFileDialog.Filter = "Certificate files (*.cer)|*.cer|All files (*.*)|*.*" # Set file filter
        $SaveFileDialog.FilterIndex = 1 # Set the default selected filter
        $SaveFileDialog.FileName = "raweb.cer" # Set a default file name
        $SaveFileDialog.Title = "Save RAWeb Certificate" # Set the dialog title
        $DialogResult = $SaveFileDialog.ShowDialog()
        # check if the user clicked OK
        if ($DialogResult -eq [System.Windows.Forms.DialogResult]::OK) {
            # get the selected file path
            $SavePath = $SaveFileDialog.FileName
            # export the certificate to bytes and save it to the path from the dialog
            # (-Encoding Byte is a Windows PowerShell 5.1 option)
            $bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
            Set-Content -Value $bytes -Encoding Byte -Path $SavePath
            Write-Host "Certificate successfully downloaded and saved to: $SavePath"
        } else {
            Write-Host "Certificate download canceled by user."
        }
        # clean up
        $SaveFileDialog.Dispose()
    } else {
        Write-Error "Could not retrieve the certificate from the specified URL."
    }
} catch {
    Write-Error "An error occurred while trying to access the URL or process the certificate: $($_.Exception.Message)"
}
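Both scripts above accept whatever certificate the URL presents at that moment, and the first one places it in a root store, so it is worth confirming that the certificate is the one the RAWeb server actually holds before trusting or distributing it. The following is an added example, not part of the RAWeb wiki or project: it compares the presented certificate's thumbprint with one read directly on the RAWeb server (for example from the certificate's details in IIS Manager's Server Certificates view); the function names and `$expectedThumbprint` are assumptions introduced here.

```powershell
# Added example, not RAWeb project code. Targets Windows PowerShell 5.1.
# Function names and $expectedThumbprint are assumptions made for this example.
function Get-ServerCertificate {
    param([Parameter(Mandatory)][string]$Url)
    $request = [Net.WebRequest]::Create($Url)
    # GetResponse() throws while the certificate is untrusted; the certificate
    # presented during the handshake is still recorded on the ServicePoint.
    try { $request.GetResponse().Close() } catch { }
    $raw = $request.ServicePoint.Certificate
    if (-not $raw) { throw "No certificate was presented by $Url" }
    [System.Security.Cryptography.X509Certificates.X509Certificate2]$raw
}

function Test-CertificateThumbprint {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    # Thumbprints copied from certificate dialogs carry spaces, mixed case and
    # sometimes invisible characters, so keep only the hex digits.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    # A SHA-1 thumbprint is 40 hex digits; anything else is a copy error.
    ($expected.Length -eq 40) -and ($expected -eq $Certificate.Thumbprint)
}

$rawebUrl = Read-Host 'Enter the full URL (include the protocol) to your installation of RAWeb'
$expectedThumbprint = Read-Host 'Enter the thumbprint read on the RAWeb server'
$cert = Get-ServerCertificate -Url $rawebUrl
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

if (Test-CertificateThumbprint -Certificate $cert -ExpectedThumbprint $expectedThumbprint) {
    Write-Host 'Thumbprint matches the value read on the server.'
} else {
    Write-Warning 'Thumbprint does not match. Do not add this certificate to the Trusted Root Certification Authorities store.'
}
```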
Option 2: Use a certificate from a trusted certificate authority
If you have a domain (e.g., example.com) or subdomain, you can obtain an SSL certificate from a trusted certificate authority. You can configure IIS to use the SSL certificate when accessing RAWeb via your domain or subdomain.
- Obtain a certificate in .pfx format from a trusted certificate authority for a domain you own. If you do not have one, you can obtain one for free from Let's Encrypt.
- Open Internet Information Services (IIS) Manager.
- Click the server's name in the Connections pane.
- In the Features View, double click Server Certificates.
- In the Actions pane, click Import....
- Add the certificate file. If it has a password, specify it. Click OK.
- In the Connections pane, navigate to Default Web Site.
- In the Actions pane, click Bindings....
- In the Site Bindings dialog, click Add.
- In the Add Site Binding dialog, set Type to https and SSL certificate to the certificate you imported. Click OK.
- Configure your network to expose port 443 from the server or PC that hosts RAWeb.
- In your domain's DNS settings, configure an A record to point to the public IP address of the server or PC that hosts your installation of RAWeb.