Remote desktop started to report a certificate error

I have been connecting to a Windows 10 machine with a static IP address via RDP from another Windows 10 machine for some time, probably about a couple of months. At some point RDP started to report a certificate error:


1) What can cause this?

2) Where can I find the previous certificate to check if it expired or not?

1 Answer

This is somewhat normal, as Windows systems always create a self-signed TLS certificate for Remote Desktop (unless they're on Active Directory with AD CS available, in which case they might use the domain's internal CA).

While it is possible to install a globally-trusted certificate, practically nobody does that, so on standalone systems you will nearly always see the "Not a trusted CA" warning, and you will end up ticking the box to remember this individual certificate instead.

Windows 10 systems also tend to regenerate their Remote Desktop certificate even if it hasn't expired yet – it most likely happens during a full OS upgrade, i.e. the old certificate is probably discarded whenever a new Windows release is being installed.


You cannot view the previous certificate on your client, as it only remembers the SHA-1 fingerprint, not the complete certificate. Most likely you cannot view the old certificate on the server either, as the change is often caused by the old certificate having been discarded.

However, you can view the current certificate on the server by running certlm.msc (on the physical screen, of course, not via RDP) and compare its fingerprint to what's being shown by your RDP client.
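
The fingerprint comparison described in the answer above can also be scripted; this is an added PowerShell example, not part of the original answer. The function names are hypothetical, and the client-side registry location of the remembered hash (`CertHash` under `Terminal Server Client\Servers`) is an assumption about where mstsc.exe keeps it.

```powershell
# Added example. Run each function on the machine named in its comment.

# SERVER (local console): certificate currently bound to the RDP listener.
function Get-RdpListenerCertificate {
    $query = @{
        Namespace = 'root\cimv2\TerminalServices'
        ClassName = 'Win32_TSGeneralSetting'
        Filter    = "TerminalName='RDP-Tcp'"
    }
    $thumb = (Get-CimInstance @query).SSLCertificateSHA1Hash
    # Self-signed RDP certificates live in the "Remote Desktop" machine store;
    # a CA-issued one would normally be in "My" (Personal).
    $cert = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    [pscustomobject]@{
        Thumbprint = $thumb
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotBefore  = $cert.NotBefore   # a recent date means it was regenerated
        NotAfter   = $cert.NotAfter
    }
}

# CLIENT: hash remembered after ticking "Don't ask me again" (assumed location).
function Get-RdpRememberedHash {
    param([Parameter(Mandatory)][string]$Server)   # name or IP as typed into mstsc
    $key = "HKCU:\Software\Microsoft\Terminal Server Client\Servers\$Server"
    $bytes = (Get-ItemProperty -Path $key -Name CertHash -ErrorAction Stop).CertHash
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

# Strip spaces, colons and invisible characters that come along when a
# thumbprint is copied out of the certificate dialog.
function ConvertTo-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Text)
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# Either machine: compare a server thumbprint with a value seen on the client.
function Test-RdpFingerprintMatch {
    param([string]$ServerThumbprint, [string]$ClientValue)
    (ConvertTo-NormalizedThumbprint $ServerThumbprint) -eq
        (ConvertTo-NormalizedThumbprint $ClientValue)
}

# Get-RdpListenerCertificate                      # on the server
# Get-RdpRememberedHash -Server '<server-ip>'     # on the client (placeholder)
```

A `NotBefore` date that lines up with a Windows feature update, together with a thumbprint matching the one in the client's warning dialog, is consistent with the regeneration the answer describes; a thumbprint that does not match the server's current certificate means the client is not talking to that certificate and the connection should not be accepted.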
