Is it possible to regenerate the "Encryption Fingerprint" for the "Remote Desktop" configuration?

To allow a Remote Desktop connection, Remmina can be used on the client side, and on the server it is mandatory to enable the Remote Desktop option through Settings > Sharing. This GUI is the same for Ubuntu and Fedora.

At the bottom of the Remote Desktop window there is the Authentication section and the Verify Encryption button. If it is pressed, a small window appears with the Encryption Fingerprint value, on the server side. On the client side, this value appears on the first connection attempt as a Certificate. It is mandatory to accept that Certificate to accomplish the first connection and make others in the future.

Just out of curiosity, for security reasons, is there a way to regenerate or create a new fingerprint?

Consider the case where there are 3 remote clients (it does not matter whether they are the same person or not) and the laptop/PC of one of them was either compromised or stolen. Yes, I know that the User Name and Password can be changed, but to increase security, is it possible to change or recreate/generate a new Fingerprint?

Yes, you should regenerate the TLS key and certificate.

Then, one way could be this:

openssl genrsa -out tls.key 4096
openssl req -new -key tls.key -out tls.csr
openssl x509 -req -days 730 -signkey tls.key -in tls.csr -out tls.crt

mv tls.crt ~/.local/share/gnome-remote-desktop/rdp-tls.crt
mv tls.key ~/.local/share/gnome-remote-desktop/rdp-tls.key
rm tls.csr
systemctl --user restart gnome-remote-desktop.service
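The regeneration above, scripted so that the new fingerprint (the value the Verify Encryption dialog shows and that Remmina asks clients to accept again) can be read off and the key/certificate pairing checked before the files are moved into place. This is an added example, not code from the thread or from gnome-remote-desktop; it writes to a scratch directory, assumes openssl is installed, and assumes the dialog uses a SHA-256 digest.

```shell
#!/bin/sh
# Added example: regenerate a self-signed RDP certificate into DIR and
# report the SHA-256 fingerprint clients will see on their next connection.
# DIR defaults to a scratch directory so the live gnome-remote-desktop
# files are untouched; the mv/systemctl steps from the answer come after.

regen_rdp_cert() {
    dir="${1:-/tmp/rdp-tls-new}"
    mkdir -p "$dir"
    # One-shot equivalent of the genrsa/req/x509 sequence: new 4096-bit
    # key, unencrypted (-nodes), self-signed, valid for 730 days.
    # CN falls back to a constructed placeholder when HOSTNAME is unset.
    openssl req -x509 -newkey rsa:4096 -nodes -days 730 \
        -subj "/CN=${HOSTNAME:-rdp-server}" \
        -keyout "$dir/rdp-tls.key" -out "$dir/rdp-tls.crt" 2>/dev/null
    chmod 600 "$dir/rdp-tls.key"
}

# Fingerprint in the colon-separated hex form shown by the
# "Verify Encryption" dialog and by Remmina's certificate prompt.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Sanity check before restarting the service: does the private key
# belong to the certificate?  Prints "match" or "mismatch".
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ "$c" = "$k" ] && echo match || echo mismatch
}
```

Running regen_rdp_cert twice yields two different fingerprints, which is exactly why every client must re-accept the certificate after the swap.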

Thanks again for the quick and polite reply; your support is valuable. Let me do some research on that command and, once confirmed, I am going to mark your answer as the solution.

In order to generate a new certificate/key you could also use
winpr-makecert -rdp -path /var/tmp/
(the winpr-makecert command comes from the freerdp package).


The order and necessity of the actions follow the concept of public-key cryptography:

  • If the RDP client machine is stolen or compromised, change the RDP credentials on the server.
    Note that regenerating the server’s key or certificate does not provide any security benefit.

  • If the RDP server machine is stolen or compromised, remove its certificate fingerprint from the client.

You can also regenerate the server key and certificate by resetting the relevant settings and then toggling remote desktop sharing in GNOME Settings:

gsettings reset org.gnome.desktop.remote-desktop.rdp tls-cert
gsettings reset org.gnome.desktop.remote-desktop.rdp tls-key

But keep in mind this provides no security benefit, since the RDP key never leaves the server and the RDP certificate is designed to be publicly disclosed.