
How to sign a .rdp file when the certificate is in Azure Key Vault HSM, and after signing how to verify that it is signed

prashant chakurkar 0 Reputation points
2025-06-17T03:59:43.2466667+00:00

I have tried the rdpsign command to sign the .rdp file, but for the thumbprint we need the certificate on the machine, and in my case the certificates are in Azure Key Vault HSM.

Is there a way to sign a .rdp file when the certificate is in Azure Key Vault HSM?

I have tried the steps below:

Hash the .rdp file using the PowerShell command: Get-FileHash ".\test.rdp" -Algorithm SHA256

Converted the hash with ToBase64String

Used the az keyvault key sign --vault-name --name --algorithm RS256 --value command to get the signature

Added the signature to the .rdp file

Note: the above steps were suggested by AI. When tested with the rdpsign tool to sign the .rdp the same way, the signature content gets updated.

But in the .rdp sign property it does not show the signature.

Important: even though I export the certificate as a .pfx file, I will not have the private key information, because my certificate is stored in a Key Vault of type HSM (as per the new standard, the private key must not be exportable). As my .pfx file does not have the private key information, the file is not getting signed.

Azure Key Vault

An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.


1 answer

  1. Alex Burlachenko 20,505 Reputation points MVP Volunteer Moderator
    2025-06-17T10:00:08.1033333+00:00

    hi Prashant! thanks for posting this question,

    You gotta use Azure Key Vault's 'sign' operation directly. Since you can't export the private key (yes, the HSM protects it, good security move!), traditional tools like rdpsign won't work here. Instead, you need to manually craft the signature block in the .rdp file:

    hash the .rdp file content (you already did this with Get-FileHash, good!)

    use az keyvault key sign to get the signature blob (you got this far too, nice!)

    now the sneaky part: you need to format the signature correctly for .rdp files. It expects a specific base64-encoded structure

    # $azSig is assumed to hold the sign operation's result; .blob is its raw signature bytes
    $signature = [Convert]::ToBase64String($azSig.blob)
    # append the signature line to your .rdp file
    Add-Content -Path .\test.rdp -Value "signature:s:$signature"
    

    As for verification... that's where it gets funky )) Since you don't have the cert locally, you'll need to:

    extract the signature from the .rdp file, get the public key from Azure Key Vault, and verify the hash matches using az keyvault key verify.

    Worth noting that some RDP clients might still complain without seeing the full cert chain. Microsoft's Remote Desktop client can be picky about this sometimes. When dealing with HSM-stored certs, always remember you can't export private keys (that's the whole point!). Signing operations must happen inside the HSM. Verification needs the public key only (which you can export).

    This might help in other tools too - many apps struggle with HSM-backed certs. The pattern is usually: generate the hash locally, send it to the HSM for signing, insert the signature manually.

    Check if your RDP client supports alternative signature verification methods. Some can be configured to trust your Key Vault's public key directly.

    Microsoft actually has a great article about working with HSM-backed certs: https://docs.microsoft.com/azure/key-vault/certificates/about-certificates

    Let me know if my notes help you or not.

    rgds,

    Alex
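The hash-locally, sign-in-the-HSM, insert-the-line, then verify-with-the-public-key sequence from the answer above, as an added PowerShell example (not code from the thread): it drives az keyvault key sign and az keyvault key verify, strips any existing signature line before hashing so that signing and verification cover the same bytes, and base64-encodes the raw SHA-256 bytes rather than the hex string Get-FileHash prints. The vault and key names are placeholders, and the 'signature' and 'isValid' fields of the CLI's JSON output are assumed; as the answer itself notes, whether the Remote Desktop client accepts a signature written this way is a separate matter.

```powershell
# Added example (not from the thread): the answer's hash -> HSM sign -> insert -> verify
# pattern, driven from PowerShell with the Azure CLI. Vault/key names are placeholders.
param(
    [string]$RdpPath   = ".\test.rdp",
    [string]$VaultName = "<your-vault>",
    [string]$KeyName   = "<your-key>"
)

# Digest over the file's lines with any existing signature line removed, so signing
# and verifying cover the same content. RS256 in Key Vault takes the base64 of the
# raw 32-byte SHA-256 digest, not of the hex string that Get-FileHash prints.
function Get-RdpDigestBase64 {
    param([string]$Path)
    $lines = @(Get-Content -Path $Path) | Where-Object { $_ -notmatch '^signature:s:' }
    $bytes = [Text.Encoding]::UTF8.GetBytes(($lines -join "`r`n"))
    $sha   = [Security.Cryptography.SHA256]::Create()
    try     { return [Convert]::ToBase64String($sha.ComputeHash($bytes)) }
    finally { $sha.Dispose() }
}

function Add-RdpSignature {
    param([string]$Path, [string]$Vault, [string]$Key)
    $digest = Get-RdpDigestBase64 -Path $Path
    # Only the digest goes to Key Vault; the private key never leaves the HSM.
    # The 'signature' output field (base64) is assumed from the CLI's JSON result.
    $sig = az keyvault key sign --vault-name $Vault --name $Key `
              --algorithm RS256 --digest $digest --query signature -o tsv
    if (-not $sig) { throw "az keyvault key sign returned no signature" }
    $content = @(Get-Content -Path $Path) | Where-Object { $_ -notmatch '^signature:s:' }
    Set-Content -Path $Path -Value (@($content) + "signature:s:$sig")
    return $sig
}

function Test-RdpSignature {
    param([string]$Path, [string]$Vault, [string]$Key)
    $sigLine = @(Get-Content -Path $Path) | Where-Object { $_ -match '^signature:s:' } |
               Select-Object -First 1
    if (-not $sigLine) { return $false }
    $sig    = $sigLine.Substring('signature:s:'.Length)
    $digest = Get-RdpDigestBase64 -Path $Path   # recomputed, ignoring the signature line
    # Verification needs only the public key; Key Vault performs the check server-side.
    # The 'isValid' output field is assumed from the CLI's JSON result.
    $valid  = az keyvault key verify --vault-name $Vault --name $Key `
                --algorithm RS256 --digest $digest --signature $sig --query isValid -o tsv
    return ($valid -eq 'true')
}

Add-RdpSignature -Path $RdpPath -Vault $VaultName -Key $KeyName | Out-Null
"Verifies against the Key Vault public key: $(Test-RdpSignature -Path $RdpPath -Vault $VaultName -Key $KeyName)"
```

The digest is computed over the file's text lines rather than its raw bytes so that the result does not depend on whether the .rdp file is stored as UTF-16 or ANSI; a tampered line or a mismatched key makes Test-RdpSignature return $false.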

