Add deployment plugin for Windows RDP via OpenSSH #6925
Merged
neilpang merged 4 commits into acmesh-official:dev on May 1, 2026
Conversation
Contributor
Pull request overview
Adds a new acme.sh deploy hook to remotely install and bind an RDP (TermService) TLS certificate on a Windows host via OpenSSH by generating a PowerShell script that imports a PFX into the Windows certificate store and updates the RDP listener binding.
Changes:
- Introduces the windows_rdp deploy hook to build a local PFX, Base64-embed it into PowerShell, and execute it remotely over SSH.
- Adds deploy configuration variables for SSH target, options, listener selection, and optional TermService restart.
neilpang reviewed May 1, 2026
This plugin deploys a certificate into the certificate store of a remote Windows machine and assigns it as the active certificate for the Remote Desktop (RDP) server.

The plugin is not meant to deploy to the local machine, but instead converts the certificate and its private key to a PKCS12 (.pfx) container and embeds the container as Base64 inside a generated PowerShell script that is then executed via PowerShell on the Windows OpenSSH Server (needs to be installed from optional features). This ensures that the PKCS12 container is not saved on the host at all, but directly imported into the certificate store.

The idea of this plugin is to be able to deploy certificates on Windows machines that are running in a less trusted environment (e.g. my lab machine) and are not intended to hold any kind of secrets like DNS API keys. Instead, the plugin can then be run from a remote Linux machine, e.g. my Synology NAS, that is entirely separated by a firewall etc.

Please note that AI (specifically Claude Code) was used in the creation of this script, but due to the fact that Windows always works in mysterious ways - and due to no fault of the AI, unfortunately and surprisingly - I spent hours debugging and adapting it myself... only to change a few PowerShell lines in the end.
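The remote half of the flow described above, written out as an added example. This is not the plugin's generated script and not code from the PR; it shows the two Windows-side operations the description relies on: importing a Base64-embedded PFX into LocalMachine\My without ever writing the .pfx to disk, and repointing the RDP listener at the new thumbprint. The parameter names, the `RDP-Tcp` default and the `-RestartTermService` switch are assumptions for this example; the `X509Certificate2` constructor, `X509Store` and the `Win32_TSGeneralSetting` WMI class are real Windows APIs. It must run in an elevated context, which an administrator's OpenSSH session on Windows provides.

```powershell
# Added example, not the acme.sh plugin's own generated script.
# $PfxBase64 / $PfxPassword stand in for the values a generator would embed.
param(
    [Parameter(Mandatory)][string]$PfxBase64,
    [Parameter(Mandatory)][string]$PfxPassword,
    [string]$ListenerName = 'RDP-Tcp',   # assumed default; the only listener on a stock install
    [switch]$RestartTermService
)
$ErrorActionPreference = 'Stop'

# 1. Decode and import in memory. Import-PfxCertificate insists on a -FilePath, so the
#    byte[] constructor is what keeps the PFX off disk. MachineKeySet puts the private key
#    in the machine key store (TermService runs as a service, not as the SSH user);
#    PersistKeySet stops it being discarded when $cert is garbage-collected.
$pfxBytes = [Convert]::FromBase64String($PfxBase64)
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes, $PfxPassword, $flags)
if (-not $cert.HasPrivateKey) { throw 'PFX decoded but contains no private key' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Refusing to bind an already-expired certificate ($($cert.NotAfter))" }

$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'LocalMachine')
$store.Open('ReadWrite')
try { $store.Add($cert) } finally { $store.Close() }

# 2. Bind the listener. The RDP server reads its certificate from the
#    SSLCertificateSHA1Hash property of Win32_TSGeneralSetting, not from a file.
$wmiArgs = @{
    Namespace = 'root/cimv2/TerminalServices'
    ClassName = 'Win32_TSGeneralSetting'
    Filter    = "TerminalName='$ListenerName'"
}
$listener = Get-CimInstance @wmiArgs
if (-not $listener) { throw "RDP listener '$ListenerName' not found" }
$previous = $listener.SSLCertificateSHA1Hash
Set-CimInstance -InputObject $listener -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }

# 3. Read the binding back instead of trusting the call; a silently ignored write
#    would leave RDP serving the old (possibly expired) certificate.
$after = (Get-CimInstance @wmiArgs).SSLCertificateSHA1Hash
if ($after -ne $cert.Thumbprint) { throw "Listener still bound to $after" }
Write-Output "RDP listener $ListenerName: $previous -> $($cert.Thumbprint) ($($cert.Subject), valid to $($cert.NotAfter))"

# 4. Existing sessions keep the old certificate until the service restarts; new
#    connections pick up the new one immediately. Restarting drops every RDP session.
if ($RestartTermService) { Restart-Service -Name TermService -Force }
```

Two caveats a practitioner would check on a real deployment. First, the PFX password in a script built this way travels inside the same script as the PFX, so it adds nothing beyond what the SSH channel already protects; it is there because the PKCS12 format wants one, not as a second secret. Second, TermService runs as NETWORK SERVICE, and on some hosts that account has no read permission on a freshly imported private key; if clients get the self-signed certificate back after the thumbprint is correctly bound, that key ACL is the first thing to inspect.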
- make variable naming in introduction comment more obvious
- explicitly request POSIX sh as interpreter
- comply with acme.sh-specific openssl handling
- fix shellcheck issues
Member
Add your usage here https://github.com/acmesh-official/acme.sh/wiki/deployhooks
Contributor (Author)
Done. Thanks a lot :) Also added a small note on how to view the PowerShell script with
neilpang pushed a commit that referenced this pull request on May 2, 2026:
* Add deployment plugin for Windows RDP via OpenSSH