Forum Discussion
Unable to use a certificate from my Windows CA
Windows Admin Center will not start when you switch to the CA-issued certificate because the certificate is missing one or more attributes that WAC requires for HTTPS binding. Even if the certificate looks valid in MMC, WAC will reject it if any of these conditions are not met.
- The certificate must include a valid Subject Alternative Name (SAN).
  WAC does not use the CN for HTTPS. If the certificate only contains a CN and no SAN, the service will fail to bind the port and the browser will show “Can’t reach this page”.
  The SAN must include the FQDN you use to access WAC and optionally the server hostname.
- The certificate must include the Server Authentication Enhanced Key Usage.
  The required EKU is: Server Authentication (1.3.6.1.5.5.7.3.1).
  If the EKU is missing or altered in the template, WAC will not load.
- The certificate must contain a private key and be stored under LocalMachine\My.
  You can verify this with PowerShell using:
  Get-ChildItem Cert:\LocalMachine\My
  If HasPrivateKey is false, WAC cannot use the certificate.
- The certificate template must be a proper Web Server template.
  The template must allow a private key, key encipherment, and SAN in the request.
  If auto-enrollment forces a subject name and prevents SAN, the certificate becomes unusable for WAC.
- After installing the certificate, rebind it using Set-WACCertificate.
  Example:
  Set-WACCertificate -Thumbprint "YOUR_THUMBPRINT"
  Restart-Service WindowsAdminCenter
  If WAC still cannot start, it means SAN or EKU is wrong.
Why the self-signed certificate works:
The default self-signed WAC certificate includes SAN, correct EKU, key usage, and a private key.
Your CA-issued certificate is missing at least one of those fields, most commonly the SAN extension.
How to fix it:
Generate a new certificate request that includes:
- SAN entries for your WAC hostname and FQDN
- EKU: Server Authentication
- Private key
Submit this request to the CA using a Web Server template, import it into LocalMachine\My, then bind it with Set-WACCertificate.
1. Create a new certificate request with SAN:
Request file (INF):
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=servername.domain.com"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=servername.domain.com&"
_continue_ = "DNS=servername"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
2. Submit and approve it in the CA:
certreq -new wac.inf wac.req
certreq -submit wac.req wac.cer
certreq -accept wac.cer
3. Bind the certificate to WAC
Set-WACCertificate -Thumbprint "THUMBPRINT"
Restart-Service WindowsAdminCenter
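As an added example (not code from either poster), the following PowerShell script audits a certificate in LocalMachine\My against the four requirements listed in the reply above (SAN with the FQDN, Server Authentication EKU, private key, key encipherment), which is quicker than reading each field in MMC. The thumbprint and FQDN are placeholders you supply; `$serverAuthOid` and the result table are my own naming.

```powershell
# Added example: check a LocalMachine\My certificate against the WAC requirements above.
# Both parameters are placeholders; pass the real thumbprint and the name typed in the browser.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [Parameter(Mandatory)] [string] $Fqdn
)

# Reading from Cert:\LocalMachine\My guarantees the store requirement by construction.
$cert = Get-ChildItem "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU from the reply above
$results = [ordered]@{}

# 1. SAN must carry the FQDN as a DNS entry; a CN alone is not used by WAC for HTTPS.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = @()
if ($sanExt) {
    # Format($false) renders "DNS Name=host1, DNS Name=host2"; extract the DNS values.
    $dnsNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}
$results['SAN extension present']  = [bool]$sanExt
$results["SAN contains $Fqdn"]     = ($dnsNames -contains $Fqdn)

# 2. EKU must include Server Authentication.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$results['EKU Server Authentication'] =
    [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq $serverAuthOid))

# 3. The private key must be present with the certificate (HasPrivateKey as in the reply).
$results['Has private key'] = $cert.HasPrivateKey

# 4. Key usage must allow key encipherment (KeyUsage = 0xA0 in the INF sets this bit).
$ku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$kuFlag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
$results['KeyUsage KeyEncipherment'] = [bool]($ku -and ($ku.KeyUsages -band $kuFlag))

# Print one OK/FAIL line per requirement; any FAIL explains why WAC refuses the binding.
$results.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Run it from an elevated prompt on the WAC gateway, since LocalMachine\My and the HasPrivateKey check require machine-store access.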
JCSR, Dec 17, 2025
First of all, thank you for your reply.
I'll try to answer each of the steps you mentioned.
1. The certificate must include a valid Subject Alternative Name (SAN).
My certificate does have a SAN:
2. The certificate must include the Server Authentication Enhanced Key Usage.
Both certificates have the same Enhanced Key Usage:
3. The certificate must contain a private key and be stored under LocalMachine\My
The certificate does have the HasPrivateKey property as True:
4. The certificate template must be a proper Web Server template.
My certificate is using that template:
Obviously, that template hasn't given me any problem with other certificates I've generated and am using.
Why the self-signed certificate works:
My CA-issued certificate is not missing:
Thank you so much for your help.