Forum Discussion
chapbak
Dec 02, 2025 | Copper Contributor
Admin Center choosing the wrong certificate
Windows Admin Center version 2410, build 2.4.2.1. We're encountering an issue following the instructions outlined at https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/con...
rogerval
Dec 02, 2025 | Copper Contributor
We’ve seen something similar when WAC and WinRM share the same CN and there are several valid certs in LocalMachine\My.
According to the WAC certificate docs, the Set-WACCertificateSubjectName flow expects a unique subject; if multiple certs match, the tooling can end up binding a different one than the thumbprint you had in mind.
A pattern that worked for us was:
- Issue a dedicated public cert for WAC with its own FQDN (for example, wac.contoso.com) and keep a separate internal-CA cert for WinRM with a different subject.
- Re-run the WAC config using the public cert’s thumbprint and confirm the HTTP.sys binding with netsh http show sslcert (check both 0.0.0.0:443 and any explicit IP bindings).
- Configure the WinRM HTTPS listener independently with the internal CA cert via winrm create / Set-WSManInstance, as in the WinRM over HTTPS guidance.
With that split, WAC presents the public cert on 443 for the browser, while WinRM continues to use the internal CA cert for management traffic.
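The checks described in the reply above, as an added example that is not part of the original thread: a read-only PowerShell audit that lists subjects in LocalMachine\My matching more than one valid certificate, resolves the HTTP.sys binding on the WAC port to the certificate it actually points at, and flags a binding that shares its thumbprint with a WinRM HTTPS listener. It assumes an elevated session, English-language netsh output, and WAC on port 443.

```powershell
# Added example (not from the thread): read-only audit, run elevated.
# Assumptions: English-language netsh output; WAC listens on port 443.
$port = 443
$now  = Get-Date

# 1. Subjects in LocalMachine\My that match more than one currently valid cert.
$valid = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
}
$valid | Group-Object Subject | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning "Subject '$($_.Name)' matches $($_.Count) valid certificates"
    $_.Group | Select-Object Thumbprint, Issuer, NotAfter | Out-Host
}

# 2. Parse HTTP.sys bindings (both IP:port and SNI Hostname:port entries).
$bindings = @()
$endpoint = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*(?:IP|Hostname):port\s*:\s*(\S+)') {
        $endpoint = $Matches[1]
    } elseif ($endpoint -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
        $bindings += [pscustomobject]@{
            Endpoint   = $endpoint
            Thumbprint = $Matches[1].ToUpperInvariant()
        }
        $endpoint = $null
    }
}

# 3. Thumbprints currently used by WinRM HTTPS listeners.
$winrm = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' } |
    ForEach-Object { ($_.CertificateThumbprint -replace '\s', '').ToUpperInvariant() }

# 4. Resolve each binding on the WAC port to the certificate it points at.
$bindings | Where-Object { $_.Endpoint -like "*:$port" } | ForEach-Object {
    $cert = Get-Item "Cert:\LocalMachine\My\$($_.Thumbprint)" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Endpoint    = $_.Endpoint
        Thumbprint  = $_.Thumbprint
        Subject     = $cert.Subject    # empty if the bound cert is not in the store
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        SharedWinRM = $winrm -contains $_.Thumbprint
    }
}
```

A row whose Issuer is the internal CA, or whose SharedWinRM is True, means the binding on that endpoint is not the dedicated public certificate.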