I just now observed that our internal WAC certificate was only two months old and it's already expired. Can I simply create and use our own self-signed certificate and use it?? Do I install it like normal certificates within the Certificates MMC and WAC will automagically use it??Thank you, Tom

Seems to my Microsoft just ignore us. It's very basic thing and no solution how to change built-in certificate in WAC.My method of changing is bellow.1. Get thumbprint for a new certificate:Powershell: ls cert:\LocalMachine\my2. Show config:CMD: netsh http show sslcertWrite down "Application ID"3. Delete existing config:netsh http delete sslcert ipport=0.0.0.0:4434. bind new cert:netsh http add sslcert ipport=0.0.0.0:443 certhash=thumbprint_40_characters appid={Application ID}5. Restart "Windows Admin Center" servicenet stop ServerManagementGateway && net start ServerManagementGatewayDone!

To update the certificate used by Windows Admin Center, re-run the installer and choose change, then specify the thumbnail of another installed certificate. Updating the certificate used by Windows Admin Center

How do I create a new certificate for Windows Admin Center??

24 Replies

nwwt
Copper Contributor
Dec 30, 2024
I tried the Powershell scripts shared here but they just didn't work for me, maybe due to me using v2410.
So I used the even older OpenSSL version shared in this blog. The page is German but self-explanatory, just be aware that everything needs to go into separate lines in the OpenSSL configuration file. Also you can probably use "default_bits = 4096" and "default_md = sha512" nowadays (then omit it from the cmd call) and further use IP.1 (IPv4) and/or IP.2 (say, IPv6) etc. with the alt_names.
I also changed the FQDN in the WAC installation to lowercase for good measure.

Kristaps_Esterlins

Copper Contributor

Apr 19, 2023

I would like to share my experience with WAC as I am using it to administer a Windows Hyper-V Server 2019 (Bare Metal, not domain joined) and to overcome the self-signed certificate issue.

Initial information on how to generate the Root Certificate Authority and a client certificate is here - How to: Create Temporary Certificates for Use During Development - WCF | Microsoft Learn

Below is the script I adjusted for my usage (The server has an internal static IP address and only a computer name (hostname)):

# 19.04.2023
# Create a root certificate authority and specify the IP Address and DNS Hostname
# The certificate is valid for 20 years

$rootCert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject "Root CA For Windows Admin Center" -TextExtension @("2.5.29.19={text}CA=true","2.5.29.17={text}IPAddress=<IP Address>&DNS=<Hostname>") -KeyUsage CertSign,CrlSign,DigitalSignature -NotAfter (Get-Date).AddYears(20)

# Password protect and export the root certificate authority to be imported on the target machine (client)
[System.Security.SecureString]$rootCertPassword = ConvertTo-SecureString -String "password" -Force -AsPlainText
[String]$rootCertPath = Join-Path -Path 'cert:\CurrentUser\My\' -ChildPath "$($rootCert.Thumbprint)"
Export-Certificate -Cert $rootCertPath -FilePath 'RootCA.crt'

# Create a self signed client certificate and specify the IP Address and DNS Hostname
# Certificate is valid for 10 years
$testCert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "Windows Admin Center (Self-Signed)" -TextExtension @("2.5.29.17={text}IPAddress=<IP Address>&DNS=<Hostname>") -KeyExportPolicy Exportable -KeyLength 2048 -NotAfter (Get-Date).AddYears(10) -KeyUsage DigitalSignature,KeyEncipherment -Signer $rootCert

# Add the certificate to the certificate store and export it
[String]$testCertPath = Join-Path -Path 'cert:\LocalMachine\My\' -ChildPath "$($testCert.Thumbprint)"
# Export-PfxCertificate -Cert $testCertPath -FilePath testcert.pfx -Password $rootCertPassword
Export-Certificate -Cert $testCertPath -FilePath testcert.crt

Afterwards import the RootCA.crt and testcert.crt to the client workstation:

certmgr => Personal => All Tasks => Import => testcert.crt

certmgr => Trusted Root Certification Authorities => All Tasks => Import => RootCA.crt

Reconfigure the WAC installation on the server by using the installation MSI and specify the thumbprint from the installed client certificate. To obtain it, either check the certificate store on the server or on the client workstation click on the imported testcert.crt in certmgr and under "Details" copy the value for "Thumbprint"

infrost
Copper Contributor
Feb 06, 2025
This method still works in v2410. But need to add permissions on the Certificate.
In brief, after WAC's install, go to `mmc.exe`
`mmc.exe` - File - Add or Remove Snap-ins and select Certificates.
- Please note that certificates under LocalMachine cannot be managed by certmgr.msc.
LocalMachine - Personal - Certificates - find the Client_Cert you just installed.
Right click - All Tasks - Manage Private Keys
In the Security dialogue box, click the Add button
In the text box, type ‘Network Service’ (case does not matter). Click Check Names to ensure that you have entered the correct name.
When you return to the Security dialogue box, an item named NETWORK SERVICE will appear Windows will give it Full Control permissions by default. Please reduce/check it to Read only. Click OK.
The WAC will now open normally.

I wrote a complete instruction here (for non-Chinese users, maybe you can use a web translator):
WindowsAdminCenter2410 安装长期自签名TLS证书方法 - Kevin's Blog
or look up this reference:
Windows Admin Center v2 with Certificate Cannot Load Site – Project Runspace
- Kristaps_Esterlins
  Copper Contributor
  Mar 19, 2025
  Hi,
  For those who have the issue with the latest WAC (Release 2410) the permissions can be changed inside the Host Windows Server without using MMC if you have either Hyper-V Server 2019 or a Windows Server instance without Desktop Experience (Server Core)
  The instruction is here - https://www.server-world.info/en/note?os=Windows_Server_2025&p=admin_center&f=1
  Section [2] - Change the access permission of the private key of the SSL/TLS certificate so that it can be used with Windows Admin Center.
  To change the default self-signed certificate in WAC, you have to use the PowerShell module - https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/deploy/install?tabs=server-core&pivots=windows-server-2022#update-the-certificate-used-by-windows-admin-center
  !NB - The SubjectName parameter is always without "CN=" when passing it through the Set-WACCertificateSubjectName and Set-WACCertificateAcl commands

nwwt

Copper Contributor

Dec 30, 2024

Unfortunately this doesn't seem to work anymore with v2410.

It just yields "connection refused."

jhbenavides

Copper Contributor

Jan 08, 2025

I just upgraded to v2410 and the "connection refused" error is caused due to the service crashing.

This is what I could find in event viewer:

Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException: The requested certificate PWDVANB20001.local could not be found in LocalMachine/My with AllowInvalid setting: False.
   at Microsoft.AspNetCore.Server.Kestrel.Https.CertificateLoader.LoadFromStoreCert(String subject, String storeName, StoreLocation storeLocation, Boolean allowInvalid)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates.CertificateConfigLoader.LoadFromStoreCert(CertificateConfig certInfo)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates.CertificateConfigLoader.LoadCertificate(CertificateConfig certInfo, String endpointName)
   at Microsoft.AspNetCore.Server.Kestrel.Core.TlsConfigurationLoader.ApplyHttpsConfiguration(HttpsConnectionAdapterOptions httpsOptions, EndpointConfig endpoint, KestrelServerOptions serverOptions, CertificateConfig defaultCertificateConfig, ConfigurationReader configurationReader)
   at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Reload()
   at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.LoadInternal()
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.BindAsync(CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)
   at Microsoft.Extensions.Hosting.Internal.Host.<StartAsync>b__15_1(IHostedService service, CancellationToken token)
   at Microsoft.Extensions.Hosting.Internal.Host.ForeachService[T](IEnumerable`1 services, CancellationToken token, Boolean concurrent, Boolean abortOnFirstException, List`1 exceptions, Func`3 operation)
   at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
   at Microsoft.WindowsAdminCenter.Core.HostingRuntime.StartAsync(CancellationToken cancellationToken)
   at Microsoft.WindowsAdminCenter.Executable.WindowsService.OnStart(String[] args)
   at System.Threading.Tasks.Task.<>c.<ThrowAsync>b__128_1(Object state)
   at System.Threading.ThreadPoolWorkQueue.Dispatch()
   at System.Threading.PortableThreadPool.WorkerThread.WorkerThreadStart()

I have tried this approach with several Certificates:

Self Signed
No self-signed, certificate (official)
.cert, .pfx (pwd and no pwd), and p12

No luck making this work

Tim_Boughen

Copper Contributor

Aug 01, 2023

awesome job, have a few servers so I used variables for IP/HostName

# Create a root certificate authority and specify the IP Address and DNS Hostname
# The certificate is valid for 20 years
$myIP = "192.168.0.0"
$myHostName = "hostname"

$rootCert = New-SelfSignedCertificate `
-CertStoreLocation Cert:\CurrentUser\My `
-Subject "Root CA For Windows Admin Center - $myHostName" `
-TextExtension @("2.5.29.19={text}CA=true","2.5.29.17={text}IPAddress=$($myIP)&DNS=$($myHostName)") `
-KeyUsage CertSign,CrlSign,DigitalSignature `
-NotAfter (Get-Date).AddYears(20)

# Password protect and export the root certificate authority to be imported on the target machine (client)
[System.Security.SecureString]$rootCertPassword = ConvertTo-SecureString -String "password" -Force -AsPlainText
[String]$rootCertPath = Join-Path -Path 'cert:\CurrentUser\My\' -ChildPath "$($rootCert.Thumbprint)"
Export-Certificate -Cert $rootCertPath -FilePath "RootCA_$($myHostName).crt"

# Create a self signed client certificate and specify the IP Address and DNS Hostname
# Certificate is valid for 10 years
$testCert = New-SelfSignedCertificate `
-CertStoreLocation Cert:\LocalMachine\My `
-Subject "Windows Admin Center - $myHostName - (Self-Signed)" `
-TextExtension @("2.5.29.17={text}IPAddress=$($myIP)&DNS=$($myHostName)") `
-KeyExportPolicy Exportable `
-KeyLength 2048 `
-NotAfter (Get-Date).AddYears(10) `
-KeyUsage DigitalSignature,KeyEncipherment `
-Signer $rootCert

# Add the certificate to the certificate store and export it
[String]$testCertPath = Join-Path -Path 'cert:\LocalMachine\My\' -ChildPath "$($testCert.Thumbprint)"
# Export-PfxCertificate -Cert $testCertPath -FilePath testcert.pfx -Password $rootCertPassword
Export-Certificate -Cert $testCertPath -FilePath "clientcert_$($myHostName).crt"

Jeff Woolslayer
Microsoft
Apr 06, 2020
To update the certificate used by Windows Admin Center, re-run the installer and choose

change, then specify the thumbnail of another installed certificate.

Updating the certificate used by Windows Admin Center
- tlyczko2
  Copper Contributor
  Apr 07, 2020
  I will try this -- make a new local self-signed cert then change it to that etc. with the new thumbprint, thank you for telling me about this!! 🙂
- Mathieu Desjardins
  Copper Contributor
  Apr 07, 2020
  Jeff Woolslayer Hi, I have reran the installation and selected the new cert provide by my CA but now I have an issue with the WAC Encryption certificate because the other certificate in the chain is not valid anymore.
  The WAC certificate that was self-signed and put into Intermediate Certification Authorities store is expired (was only valid for 3 month).
  How can I update that chain?
  - Jeff Woolslayer
    Microsoft
    Apr 07, 2020
    The encryption certificate is generated using the certificate you specify in the installer. If you can reproduce this 100% please share the exact steps.

# 19.04.2023\n# Create a root certificate authority and specify the IP Address and DNS Hostname\n# The certificate is valid for 20 years\n\n$rootCert = New-SelfSignedCertificate -CertStoreLocation Cert:\\CurrentUser\\My -Subject \"Root CA For Windows Admin Center\" -TextExtension @(\"2.5.29.19={text}CA=true\",\"2.5.29.17={text}IPAddress=<IP Address>&DNS=<Hostname>\") -KeyUsage CertSign,CrlSign,DigitalSignature -NotAfter (Get-Date).AddYears(20)\n\n# Password protect and export the root certificate authority to be imported on the target machine (client)\n[System.Security.SecureString]$rootCertPassword = ConvertTo-SecureString -String \"password\" -Force -AsPlainText\n[String]$rootCertPath = Join-Path -Path 'cert:\\CurrentUser\\My\\' -ChildPath \"$($rootCert.Thumbprint)\"\nExport-Certificate -Cert $rootCertPath -FilePath 'RootCA.crt'\n\n# Create a self signed client certificate and specify the IP Address and DNS Hostname\n# Certificate is valid for 10 years\n$testCert = New-SelfSignedCertificate -CertStoreLocation Cert:\\LocalMachine\\My -Subject \"Windows Admin Center (Self-Signed)\" -TextExtension @(\"2.5.29.17={text}IPAddress=<IP Address>&DNS=<Hostname>\") -KeyExportPolicy Exportable -KeyLength 2048 -NotAfter (Get-Date).AddYears(10) -KeyUsage DigitalSignature,KeyEncipherment -Signer $rootCert\n\n# Add the certificate to the certificate store and export it\n[String]$testCertPath = Join-Path -Path 'cert:\\LocalMachine\\My\\' -ChildPath \"$($testCert.Thumbprint)\"\n# Export-PfxCertificate -Cert $testCertPath -FilePath testcert.pfx -Password $rootCertPassword\nExport-Certificate -Cert $testCertPath -FilePath testcert.crt

Description: The process was terminated due to an unhandled exception.\nException Info: System.InvalidOperationException: The requested certificate PWDVANB20001.local could not be found in LocalMachine/My with AllowInvalid setting: False.\n at Microsoft.AspNetCore.Server.Kestrel.Https.CertificateLoader.LoadFromStoreCert(String subject, String storeName, StoreLocation storeLocation, Boolean allowInvalid)\n at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates.CertificateConfigLoader.LoadFromStoreCert(CertificateConfig certInfo)\n at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates.CertificateConfigLoader.LoadCertificate(CertificateConfig certInfo, String endpointName)\n at Microsoft.AspNetCore.Server.Kestrel.Core.TlsConfigurationLoader.ApplyHttpsConfiguration(HttpsConnectionAdapterOptions httpsOptions, EndpointConfig endpoint, KestrelServerOptions serverOptions, CertificateConfig defaultCertificateConfig, ConfigurationReader configurationReader)\n at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Reload()\n at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.LoadInternal()\n at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.BindAsync(CancellationToken cancellationToken)\n at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)\n at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)\n at Microsoft.Extensions.Hosting.Internal.Host.<StartAsync>b__15_1(IHostedService service, CancellationToken token)\n at Microsoft.Extensions.Hosting.Internal.Host.ForeachService[T](IEnumerable`1 services, CancellationToken token, Boolean concurrent, Boolean abortOnFirstException, List`1 exceptions, Func`3 operation)\n at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)\n at Microsoft.WindowsAdminCenter.Core.HostingRuntime.StartAsync(CancellationToken cancellationToken)\n at Microsoft.WindowsAdminCenter.Executable.WindowsService.OnStart(String[] args)\n at System.Threading.Tasks.Task.<>c.<ThrowAsync>b__128_1(Object state)\n at System.Threading.ThreadPoolWorkQueue.Dispatch()\n at System.Threading.PortableThreadPool.WorkerThread.WorkerThreadStart()

# Create a root certificate authority and specify the IP Address and DNS Hostname\n# The certificate is valid for 20 years\n$myIP = \"192.168.0.0\"\n$myHostName = \"hostname\"\n\n$rootCert = New-SelfSignedCertificate `\n-CertStoreLocation Cert:\\CurrentUser\\My `\n-Subject \"Root CA For Windows Admin Center - $myHostName\" `\n-TextExtension @(\"2.5.29.19={text}CA=true\",\"2.5.29.17={text}IPAddress=$($myIP)&DNS=$($myHostName)\") `\n-KeyUsage CertSign,CrlSign,DigitalSignature `\n-NotAfter (Get-Date).AddYears(20)\n\n# Password protect and export the root certificate authority to be imported on the target machine (client)\n[System.Security.SecureString]$rootCertPassword = ConvertTo-SecureString -String \"password\" -Force -AsPlainText\n[String]$rootCertPath = Join-Path -Path 'cert:\\CurrentUser\\My\\' -ChildPath \"$($rootCert.Thumbprint)\"\nExport-Certificate -Cert $rootCertPath -FilePath \"RootCA_$($myHostName).crt\"\n\n# Create a self signed client certificate and specify the IP Address and DNS Hostname\n# Certificate is valid for 10 years\n$testCert = New-SelfSignedCertificate `\n-CertStoreLocation Cert:\\LocalMachine\\My `\n-Subject \"Windows Admin Center - $myHostName - (Self-Signed)\" `\n-TextExtension @(\"2.5.29.17={text}IPAddress=$($myIP)&DNS=$($myHostName)\") `\n-KeyExportPolicy Exportable `\n-KeyLength 2048 `\n-NotAfter (Get-Date).AddYears(10) `\n-KeyUsage DigitalSignature,KeyEncipherment `\n-Signer $rootCert\n\n# Add the certificate to the certificate store and export it\n[String]$testCertPath = Join-Path -Path 'cert:\\LocalMachine\\My\\' -ChildPath \"$($testCert.Thumbprint)\"\n# Export-PfxCertificate -Cert $testCertPath -FilePath testcert.pfx -Password $rootCertPassword\nExport-Certificate -Cert $testCertPath -FilePath \"clientcert_$($myHostName).crt\"

Forum Discussion

How do I create a new certificate for Windows Admin Center??

24 Replies

Resources