From 40034d87e78cdf6446544dc42c1ef1381d7d085c Mon Sep 17 00:00:00 2001 From: Curd Becker <12437061+curdbecker@users.noreply.github.com> Date: Fri, 1 May 2026 16:45:53 +0200 Subject: [PATCH] Add usage for windows_rdp deploy helper --- deployhooks.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/deployhooks.md b/deployhooks.md index b84f0b9..ddbf609 100644 --- a/deployhooks.md +++ b/deployhooks.md 
@@ -1277,3 +1277,36 @@ export DEPLOY_LOCALCOPY_RELOADCMD="/path/to/reloadcmd.sh" acme.sh --deploy -d example.com --deploy-hook localcopy ``` +## 41. Deploy a Remote Desktop (RDP) certificate to a remote Windows host over OpenSSH + +Before you can deploy your cert, you must [issue the cert first](https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert). + +This plugin deploys a certificate into the certificate store of a remote Windows machine and assigns it as the active certificate +for the Remote Desktop (RDP) server. It is not meant to deploy certificates to the local machine. + +The idea is to be able to deploy certificates on Windows machines that are running in a less trusted environment (e.g. a lab machine) and are not intended to hold any kind of secrets like DNS API keys. Instead, the plugin can then be run from a remote Linux machine, e.g. like a Synology NAS, that is entirely separated by a firewall etc. + +Therefore, one ssh invocation does the whole job: +* the PFX is built locally, base64'd, and embedded as a string literal inside a generated PowerShell script; +* the script is piped to `powershell.exe -Command -` over ssh. No scp, no temp files on the Windows host required. The certificate is directly imported into the Windows certificate store with nothing else left behind. + +Minimal usage example: +```sh + export DEPLOY_WIN_RDP_HOST=winserver.example.com + acme.sh --deploy -d winserver.example.com --deploy-hook windows_rdp +``` + +> [!NOTE] +> If you should have locked yourself out from RDP due to some issue on a remote machine, then it is quite lucky that the OpenSSH server won't be affected by this change, so you will be easily able to rectify the situation via SSH again. +> +> The generated PowerShell script will include a simple command to reset the RDP server back to the default certificate to get you out of trouble and back in via RDP. It will be displayed when you run the `acme.sh` command with `--debug` enabled. 
You can also use this script for troubleshooting using manual execution. + +Available variables: + +**DEPLOY_WIN_RDP_HOST**: SSH host **(required)**\ +**DEPLOY_WIN_RDP_USER**: SSH user, must be a local administrator (can also by set via ssh_config)\ +**DEPLOY_WIN_RDP_PORT**: SSH port, default 22\ +**DEPLOY_WIN_RDP_SSH_OPTS**: extra ssh options, e.g. "-i /root/.ssh/win_id_ed25519 -o StrictHostKeyChecking=yes"\ +**DEPLOY_WIN_RDP_LISTENER**: RDP listener name, default RDP-Tcp\ +**DEPLOY_WIN_RDP_RESTART**: "1" to restart TermService after install. Active RDP sessions will drop! +
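Review bot: the NOTE block is ambiguous about what `--debug` prints, and that matters here: the text earlier in the hunk says the generated PowerShell script embeds the base64-encoded PFX (i.e. the private key) as a string literal, so if "It will be displayed when you run the `acme.sh` command with `--debug` enabled" refers to the whole script rather than just the reset command, the debug log will contain the private key material. Please state explicitly which is shown, and if it is the full script, say so and advise keeping that output out of shared logs; consider also documenting whether the PFX is password-protected and how that password is supplied, since the section does not say. Minor: "can also by set via ssh_config" in the DEPLOY_WIN_RDP_USER line should read "can also be set".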