Forum Discussion
How do I create a new certificate for Windows Admin Center??
To import a wildcard cert I had purchased I needed to do two things.
1. Make a PFX
2. Import it
I had Server Core so this was um, fun.
For 1:
I used winget to install openssl on my local machine
I used wget to get the latest Admin Center MSI inside Server Core via RDP
then ran
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
where certificate.pfx is the new PFX, -inkey is the private key used for the CSR, -in is the wildcard cert issued and -certfile is the cert of the CA.
Then I imported into localmachine\my using Admin Center.
However I cannot get the Admin Center MSI command to work with the new thumbprint, all an MSI log gives me is this, I don't think MS actually cares about Admin Center - if they did one could import key and cert from UI or define via two params - just like I can in most Linux apps.... the server team is a shadow of its former self unfortunately as folks only have eyes for Azure...
Action ended 17:10:06: ExecuteAction. Return value 3.
MSI (c) (A0:58) [17:10:06:078]: Doing action: FatalError
Action 17:10:06: FatalError.
Action start 17:10:06: FatalError.
Action 17:10:06: FatalError. Dialog created
In quiet mode I get more info, seems to be a 1603 issue - https://docs.microsoft.com/en-us/troubleshoot/windows-server/application-management/msi-installation-error-1603 I don't have time to dig deeper, I switched to Firefox from Edge so I can bypass the cert issue, stupid MS.
If you can get the thumbprint reconfigure working let me know!
My method of changing is below.
1. Get thumbprint for a new certificate:
PowerShell: ls cert:\LocalMachine\my
2. Show config:
CMD: netsh http show sslcert
Write down "Application ID"
3. Delete existing config:
netsh http delete sslcert ipport=0.0.0.0:443
4. Bind new cert:
netsh http add sslcert ipport=0.0.0.0:443 certhash=thumbprint_40_characters appid={Application ID}
5. Restart "Windows Admin Center" service
net stop ServerManagementGateway && net start ServerManagementGateway
Done!
- Xperiens, Sep 07, 2022, Copper Contributor
Step 4 does not work, it returns: "parameter is incorrect"
I use the THUMBPRINT found at Step 1 corresponding with WAC, the port used by me (4433) and the App ID found at Step 2. Any idea what might be wrong?
- dlagatella, Sep 07, 2022, Copper Contributor
In PowerShell, just type in the command netsh
then http
You should have something that looks like netsh http>
then enter:
add sslcert ipport=0.0.0.0:443 certhash=thumbprint-from-ssl appid={appid guid}
Seems to have cleared up any parameter issue.
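The five-step rebind from the post above, together with the "parameter is incorrect" problem raised in the replies, as an added PowerShell example that is not part of the thread: it validates the new certificate, reuses the existing Application ID, quotes the netsh arguments, and tries to restore the old binding if netsh rejects the new one. The parameter names, the validation checks and the rollback are assumptions of this example; the netsh commands and the service name are the ones given in the thread.

```powershell
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$Thumbprint,       # new cert, from: ls cert:\LocalMachine\my
    [string]$IpPort = '0.0.0.0:443',                 # change the port if WAC is not on 443
    [string]$ServiceName = 'ServerManagementGateway' # service name as given in the thread
)
$ErrorActionPreference = 'Stop'

# Strip spaces and invisible characters that copy/paste can add, then validate the length.
$Thumbprint = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpper()
if ($Thumbprint.Length -ne 40) { throw 'Thumbprint must be 40 hex characters.' }

# The certificate must be in LocalMachine\My, carry its private key, and be unexpired.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in this store.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Read the current binding. Matching on shape (GUID in braces, 40 hex digits)
# avoids depending on the display language of the netsh output.
$current = (netsh http show sslcert "ipport=$IpPort") -join "`n"
if ($current -notmatch '\{[0-9a-fA-F-]{36}\}') { throw "No binding found on $IpPort." }
$appId = $Matches[0]
$oldHash = if ($current -match '\b[0-9a-fA-F]{40}\b') { $Matches[0] }

# Each argument is passed as one quoted string so PowerShell does not interpret
# the braces around the Application ID before netsh sees them.
netsh http delete sslcert "ipport=$IpPort" | Out-Null
netsh http add sslcert "ipport=$IpPort" "certhash=$Thumbprint" "appid=$appId"
if ($LASTEXITCODE -ne 0) {
    # Try to put the previous certificate back so the port is not left unbound.
    if ($oldHash) { netsh http add sslcert "ipport=$IpPort" "certhash=$oldHash" "appid=$appId" }
    throw 'netsh rejected the new binding; attempted to restore the previous one.'
}

Restart-Service -Name $ServiceName
netsh http show sslcert "ipport=$IpPort"   # confirm the new certificate hash is bound
```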
- RetoKummer, Jul 31, 2022, Copper Contributor
thegluck You are my hero, dude 🙂
I was desperately looking for a way to change cert WITHOUT having to use the installer, in order to automatically change the cert whenever we run our cert creation procedure - and also on demand from within our own website. Thanks a lot for that.
- MrMikeRobertson, Jul 21, 2022, Copper Contributor
Thank you for this! I've been really frustrated trying to update our SSL certificate before it expired. Trying to just change the application from Programs/Features wasn't working because it kept reverting back to the expiring cert after I closed the installer. Your method finally did the trick.