Forum Discussion
How do I create a new certificate for Windows Admin Center??
I would like to share my experience with WAC as I am using it to administer a Windows Hyper-V Server 2019 (Bare Metal, not domain joined) and to overcome the self-signed certificate issue.
Initial information on how to generate the Root Certificate Authority and a client certificate is here - https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-create-temporary-certificates-for-use-during-development
Below is the script I adjusted for my usage (The server has an internal static IP address and only a computer name (hostname)):
# 19.04.2023
# Create a root certificate authority and specify the IP Address and DNS Hostname
# The certificate is valid for 20 years
$rootCert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject "Root CA For Windows Admin Center" -TextExtension @("2.5.29.19={text}CA=true","2.5.29.17={text}IPAddress=<IP Address>&DNS=<Hostname>") -KeyUsage CertSign,CrlSign,DigitalSignature -NotAfter (Get-Date).AddYears(20)
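# Export the root certificate authority (public certificate only) to be imported on the target machine (client)
# The password below is only used if the commented-out Export-PfxCertificate line further down is enabled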
[System.Security.SecureString]$rootCertPassword = ConvertTo-SecureString -String "password" -Force -AsPlainText
[String]$rootCertPath = Join-Path -Path 'cert:\CurrentUser\My\' -ChildPath "$($rootCert.Thumbprint)"
Export-Certificate -Cert $rootCertPath -FilePath 'RootCA.crt'
# Create the certificate for Windows Admin Center, signed by the root CA above, and specify the IP Address and DNS Hostname
# Certificate is valid for 10 years
$testCert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "Windows Admin Center (Self-Signed)" -TextExtension @("2.5.29.17={text}IPAddress=<IP Address>&DNS=<Hostname>") -KeyExportPolicy Exportable -KeyLength 2048 -NotAfter (Get-Date).AddYears(10) -KeyUsage DigitalSignature,KeyEncipherment -Signer $rootCert
# Build the certificate store path (the certificate is already in LocalMachine\My) and export it
[String]$testCertPath = Join-Path -Path 'cert:\LocalMachine\My\' -ChildPath "$($testCert.Thumbprint)"
# Export-PfxCertificate -Cert $testCertPath -FilePath testcert.pfx -Password $rootCertPassword
Export-Certificate -Cert $testCertPath -FilePath testcert.crt
Afterwards import the RootCA.crt and testcert.crt to the client workstation:
certmgr => Personal => All Tasks => Import => testcert.crt
certmgr => Trusted Root Certification Authorities => All Tasks => Import => RootCA.crt
Reconfigure the WAC installation on the server by using the installation MSI and specify the thumbprint from the installed client certificate. To obtain it, either check the certificate store on the server or, on the client workstation, click on the imported testcert.crt in certmgr and under "Details" copy the value for "Thumbprint".
Unfortunately this doesn't seem to work anymore with v2410.
It just yields "connection refused."
- jhbenavides, Jan 08, 2025 (Copper Contributor)
I just upgraded to v2410 and the "connection refused" error is caused by the service crashing.
This is what I could find in event viewer:
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException: The requested certificate PWDVANB20001.local could not be found in LocalMachine/My with AllowInvalid setting: False.
   at Microsoft.AspNetCore.Server.Kestrel.Https.CertificateLoader.LoadFromStoreCert(String subject, String storeName, StoreLocation storeLocation, Boolean allowInvalid)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates.CertificateConfigLoader.LoadFromStoreCert(CertificateConfig certInfo)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates.CertificateConfigLoader.LoadCertificate(CertificateConfig certInfo, String endpointName)
   at Microsoft.AspNetCore.Server.Kestrel.Core.TlsConfigurationLoader.ApplyHttpsConfiguration(HttpsConnectionAdapterOptions httpsOptions, EndpointConfig endpoint, KestrelServerOptions serverOptions, CertificateConfig defaultCertificateConfig, ConfigurationReader configurationReader)
   at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Reload()
   at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.LoadInternal()
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.BindAsync(CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)
   at Microsoft.Extensions.Hosting.Internal.Host.<StartAsync>b__15_1(IHostedService service, CancellationToken token)
   at Microsoft.Extensions.Hosting.Internal.Host.ForeachService[T](IEnumerable`1 services, CancellationToken token, Boolean concurrent, Boolean abortOnFirstException, List`1 exceptions, Func`3 operation)
   at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
   at Microsoft.WindowsAdminCenter.Core.HostingRuntime.StartAsync(CancellationToken cancellationToken)
   at Microsoft.WindowsAdminCenter.Executable.WindowsService.OnStart(String[] args)
   at System.Threading.Tasks.Task.<>c.<ThrowAsync>b__128_1(Object state)
   at System.Threading.ThreadPoolWorkQueue.Dispatch()
   at System.Threading.PortableThreadPool.WorkerThread.WorkerThreadStart()
I have tried this approach with several certificates:
- Self-signed
- Non-self-signed certificate (official)
- .cert, .pfx (pwd and no pwd), and p12
No luck making this work.
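A diagnostic for the "could not be found in LocalMachine/My with AllowInvalid setting: False" error above, which can also be run against the certificate produced by the script in the first post. This is an added example, not code from any poster or from Microsoft. `Test-WacCertCandidate` is a hypothetical name, and the checks (subject match, private key, Server Authentication EKU, chain validity) are assumptions about what a TLS server needs, not confirmed WAC v2410 behaviour.

```powershell
# Added example: list certificates in LocalMachine\My whose subject contains a
# given name and report the properties a TLS server typically requires.
# Test-WacCertCandidate and -Subject are hypothetical names (assumptions).
function Test-WacCertCandidate {
    param(
        [Parameter(Mandatory)] [string] $Subject   # the name shown in the event log error
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'           # Server Authentication EKU
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        # validOnly = $false so that invalid candidates are listed with a reason
        $found = $store.Certificates.Find('FindBySubjectName', $Subject, $false)
        if ($found.Count -eq 0) {
            Write-Warning "No certificate in LocalMachine\My has a subject containing '$Subject'."
            return
        }
        foreach ($cert in $found) {
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # private CA: no CRL to fetch
            $chainOk = $chain.Build($cert)
            $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            # No EKU extension means the certificate is usable for any purpose
            $ekuOk = (-not $eku) -or
                     (($eku.EnhancedKeyUsages | ForEach-Object Value) -contains $serverAuthOid)
            [pscustomobject]@{
                Thumbprint     = $cert.Thumbprint
                Subject        = $cert.Subject
                SubjectAltName = if ($san) { $san.Format($false) }
                NotBefore      = $cert.NotBefore
                NotAfter       = $cert.NotAfter
                HasPrivateKey  = $cert.HasPrivateKey
                ServerAuthEku  = $ekuOk
                ChainValid     = $chainOk
                ChainErrors    = ($chain.ChainStatus | ForEach-Object Status) -join ', '
            }
            $chain.Dispose()
        }
    }
    finally {
        $store.Close()
    }
}
```

Run it on the WAC server from an elevated prompt, for example `Test-WacCertCandidate -Subject '<Hostname>'`. A `ChainErrors` value of `UntrustedRoot` means the issuing root is not in the server's own Trusted Root store, and `HasPrivateKey` is `False` when only a `.crt`/`.cer` file was imported.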
- wdorrejo, Mar 17, 2025 (Copper Contributor)
Did you find any solution? Last week I did a fresh install and generated a new certificate following the WAC docs, but this broke the system. I am using Core, so I am having a lot of issues solving this.
- Amant91, Jan 22, 2025 (Copper Contributor)
Can you please help me? I was running an older version. In order to do an in-place upgrade, I downloaded the latest exe of 2410 v2 and got it installed, but when I signed in to the portal I found everything missing.
Is this normal? Shouldn't it copy all my configuration details from the previously running version? Please help.
- cjkdwn, Jan 13, 2025 (Copper Contributor)
Hello, could you please tell me if you have found any solution to this issue? I recently updated to v240 and encountered the exact same problem. When trying to replace the certificate (using all the methods you tried), I get the same error. I also tried tinkering with appsettings.json (as was allowed before) but without success. Which version would you recommend rolling back to if there is currently no solution to this problem?
- jhbenavides, Jan 13, 2025 (Copper Contributor)
No luck so far... I'm waiting for official feedback from Microsoft, I am using the self-signed cert until they fix it.
It sucks but I cannot afford having the operation stopped.
Hopefully MS will provide some feedback soon.