rdpsign failing with error 0x80092004


On an RDSH server running Windows Server 2016, the following certificate is installed:

  • Issued by: COMODO RSA Domain Validation Secure Server CA
  • Issued to: *.internal.<Internet domain name>
  • Valid from: 2017/07/18
  • Valid to: 2018/07/19
  • SHA-1 thumbprint: 02 e5 52 95 aa 2d 9f a5 fb ad 82 97 0e 66 5d a9 73 db 00 ca
  • Private key: Yes

We need to sign an RDP file using the above certificate and research strongly suggests using rdpsign.

I executed command rdpsign -? which outputted the following:

NAME

rdpsign [options] [items to sign]

OPTIONS

  /sha256 HASH
       Specified the SHA256 hash of the signing certificate.
  /q
       Quiet mode:  No output when success, minimal output when failed.
  /v
       Verbose mode:  Display all warnings, messages, and status.
  /l
       Test signing and output results without actually replacing any of the inputs.  Ignores when input files are on stdin.


All rdp file(s) have been succesfully signed.

So, contrary to the official, now-outdated documentation, rdpsign requires the certificate's SHA-256 hash.

However, IIS Manager and Certificate Manager only offer certificates' SHA-1 thumbprints.

https://knowledge.symantec.com/support/identity-protection-support/index?page=content&id=SO28771&actp=RSS&viewlocale=en_US advises that OpenSSL can be used to obtain a certificate's various hashes, including SHA-256.

I exported the certificate without its private key to a base-64 encoded X.509 CER file.

I executed command openssl x509 -noout -fingerprint -sha1 -inform pem -in <file name>.cer which outputted the following:

SHA1 Fingerprint=02:E5:52:95:AA:2D:9F:A5:FB:AD:82:97:0E:66:5D:A9:73:DB:00:CA

So, we can be confident that OpenSSL is outputting accurate information because the SHA-1 thumbprints match.

I executed command openssl x509 -noout -fingerprint -sha256 -inform pem -in <file name>.cer which outputted the following:

SHA256 Fingerprint=D7:44:A5:BA:94:56:B0:9F:26:D2:2B:88:92:84:11:74:35:23:71:87:30:FD:CE:D0:B1:35:6B:D8:DA:A6:A1:7B

I executed elevated (run as administrator) commands rdpsign /sha256 D744A5BA9456B09F26D22B88928411743523718730FDCED0B1356BD8DAA6A17B <file name>.rdp /v, rdpsign /sha256 "D744A5BA9456B09F26D22B88928411743523718730FDCED0B1356BD8DAA6A17B" <file name>.rdp /v, and rdpsign /sha256 d744a5ba9456b09f26d22b88928411743523718730fdced0b1356bd8daa6a17b <file name>.rdp /v all of which outputted the following:

Unable locate the certificate specified.  Error Code: 0x80092004
The rdp file could not be signed.  Error Code: 0x80092004

I've found that there's hardly anything relevant online for this problem. Can anyone advise?

ssl-certificate
rdp
windows-server-2016
asked on Server Fault Jul 26, 2017 by mythofechelon • edited Jul 27, 2017 by mythofechelon

1 Answer


I guess the parameter name is misleading. It seems to assume it will use SHA-256 algorithm to sign the file, but accepts SHA-1 certificate thumbprint as a value.

Tested rdpsign.exe on a Windows 10 machine and was able to sign an RDP file using the SHA-1 thumbprint of an installed certificate that has Signature Hash Algorithm SHA-256. If your certificate can sign it, the following command should do it.

rdpsign.exe /sha256 02e55295aa2d9fa5fbad82970e665da973db00ca <rdp file path>

When I use an older cert that has SHA-1 signature algorithm, rdpsign.exe generates the error:

Unable to use the certificate specified for signing. Error Code: 0x8007000d
The rdp file could not be signed. Error Code: 0x8007000d

answered on Server Fault Jul 27, 2017 by Grigory Sergeev
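The following is an added example (not code from the question or the answer) that puts the answer's finding into a repeatable form: it looks the certificate up in the local machine store, checks the two conditions this thread shows matter (a usable private key and a SHA-256 signature algorithm, since SHA-1-signed certificates fail with 0x8007000d), and passes the store's SHA-1 thumbprint to rdpsign's /sha256 switch. The subject filter, the RDP file path and the assumption that rdpsign returns a non-zero exit code on failure are mine, not from the page.

```powershell
# Added example, not from the Server Fault question or answer.
# Assumptions (placeholders): the certificate is in Cert:\LocalMachine\My and its subject
# contains 'internal.'; the RDP file path below is a placeholder.
param(
    [string]$SubjectPattern = 'internal.',           # placeholder: part of the cert's CN
    [string]$RdpFile        = 'C:\path\to\file.rdp'   # placeholder
)

# Pick the newest matching certificate that actually carries a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectPattern*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key matching '$SubjectPattern' found in LocalMachine\My."
}

# The answer shows rdpsign rejecting a SHA-1-signed certificate with 0x8007000d,
# so verify the certificate's own signature algorithm before trying to sign.
$sigAlg = $cert.SignatureAlgorithm.FriendlyName     # e.g. 'sha256RSA'
if ($sigAlg -notmatch '^sha256') {
    throw "Certificate '$($cert.Subject)' is signed with $sigAlg; rdpsign needs a SHA-256-signed certificate."
}

# Do not sign with an expired certificate; clients would reject the signature anyway.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate '$($cert.Subject)' expired on $($cert.NotAfter)."
}

# Despite the switch name, /sha256 takes the certificate's SHA-1 thumbprint (the
# identifier the Windows certificate store uses), not its SHA-256 fingerprint.
$thumbprint = $cert.Thumbprint   # 40 hex characters, no spaces or colons

# /l test-signs and reports without modifying the input; the second run signs for real.
# Assumption: rdpsign.exe returns a non-zero exit code when signing fails.
& rdpsign.exe /sha256 $thumbprint $RdpFile /l /v
if ($LASTEXITCODE -ne 0) {
    throw "rdpsign test run failed (exit code $LASTEXITCODE); file left unchanged."
}

& rdpsign.exe /sha256 $thumbprint $RdpFile /v
```

Run it from an elevated PowerShell session, as the question notes rdpsign was run elevated.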

User contributions licensed under CC BY-SA 3.0