Forum Discussion

JCSR
Copper Contributor
Dec 12, 2025

Unable to use a certificate from my Windows CA

I am trying to use my own certificate signed by my CA, instead of the self-signed SSL certificate it offers by default.

In fact, with the self-signed SSL certificate, WAC runs on HTTPS:

However, when I switch to the certificate I have generated in my CA:

When I try to access the link, it returns me:

So if I switch back to self-signed SSL certificate:

The WAC console is working properly again:

What am I doing wrong when I generate that certificate?


1 Reply


    Windows Admin Center will not start when you switch to the CA-issued certificate because the certificate is missing one or more attributes that WAC requires for HTTPS binding. Even if the certificate looks valid in MMC, WAC will reject it if any of these conditions are not met.

    1. The certificate must include a valid Subject Alternative Name (SAN).
      WAC does not use the CN for HTTPS. If the certificate only contains a CN and no SAN, the service will fail to bind the port and the browser will show “Can’t reach this page”.
      The SAN must include the FQDN you use to access WAC and optionally the server hostname.
    2. The certificate must include the Server Authentication Enhanced Key Usage.
      The required EKU is: Server Authentication (1.3.6.1.5.5.7.3.1).
      If the EKU is missing or altered in the template, WAC will not load.
    3. The certificate must contain a private key and be stored under LocalMachine\My.
      You can verify this with PowerShell using:
      Get-ChildItem Cert:\LocalMachine\My
      If HasPrivateKey is false, WAC cannot use the certificate.
    4. The certificate template must be a proper Web Server template.
      The template must allow a private key, key encipherment, and SAN in the request.
      If auto-enrollment forces a subject name and prevents SAN, the certificate becomes unusable for WAC.
    5. After installing the certificate, rebind it using Set-WACCertificate.
      Example:
      Set-WACCertificate -Thumbprint "YOUR_THUMBPRINT"
      Restart-Service WindowsAdminCenter
      If WAC still cannot start, it means SAN or EKU is wrong.

    Why the self-signed certificate works:
    The default self-signed WAC certificate includes SAN, correct EKU, key usage, and a private key.
    Your CA-issued certificate is missing at least one of those fields, most commonly the SAN extension.

    How to fix it:
    Generate a new certificate request that includes:

    • SAN entries for your WAC hostname and FQDN
    • EKU: Server Authentication
    • Private key
    Submit this request to the CA using a Web Server template, import it into LocalMachine\My, then bind it with Set-WACCertificate.


    1. Create a new certificate request with SAN:

    Request file (INF):

    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=servername.domain.com"
    KeyLength = 2048
    Exportable = TRUE
    MachineKeySet = TRUE
    KeyUsage = 0xA0
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    RequestType = PKCS10

    [Extensions]
    2.5.29.17 = "{text}"
    _continue_ = "DNS=servername.domain.com&"
    _continue_ = "DNS=servername"

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1

    2. Submit and approve it in the CA:
    certreq -new wac.inf wac.req
    certreq -submit wac.req wac.cer
    certreq -accept wac.cer

    3. Bind the certificate to WAC:
    Set-WACCertificate -Thumbprint "THUMBPRINT"
    Restart-Service WindowsAdminCenter
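As an added pre-flight check (my own example, not code from the reply above or from Microsoft), this PowerShell function inspects a certificate in LocalMachine\My against the conditions the reply lists (SAN with the FQDN, Server Authentication EKU, key encipherment, private key, validity) before you run Set-WACCertificate. The function name Test-WacCertificate, the YOUR_THUMBPRINT placeholder and servername.domain.com are assumptions, and SAN parsing relies on the English display strings returned by Format().

```powershell
function Test-WacCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,   # thumbprint of the CA-issued cert in LocalMachine\My
        [Parameter(Mandatory)] [string] $Fqdn          # the name you type into the browser to reach WAC
    )
    # The Cert: drive returns X509Certificate2 objects; the store location itself is a WAC requirement.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $problems = @()

    # 1. Subject Alternative Name (OID 2.5.29.17) must exist and carry the FQDN; the CN is not used.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) {
        $problems += 'No SAN extension present'
    } else {
        # Format($true) yields one "DNS Name=host" line per entry (English display strings assumed).
        $dnsNames = $san.Format($true) -split "`r?`n" |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
        if ($dnsNames -notcontains $Fqdn) {
            $problems += "SAN lists [$($dnsNames -join ', ')] but not $Fqdn"
        }
    }

    # 2. Enhanced Key Usage must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value })
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') {
        $problems += "EKU lacks Server Authentication (found: $($ekuOids -join ', '))"
    }

    # 3. Key Usage should allow key encipherment (KeyUsage = 0xA0 in the INF is digitalSignature + keyEncipherment).
    $ku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $kuFlag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    if ($ku -and -not $ku.KeyUsages.HasFlag($kuFlag)) {
        $problems += "Key Usage is '$($ku.KeyUsages)'; KeyEncipherment missing"
    }

    # 4. The private key must be in the machine store, not just the public certificate from the CA.
    if (-not $cert.HasPrivateKey) { $problems += 'HasPrivateKey is False (only the public cert was imported)' }

    # 5. Still valid and chaining to a root this host trusts.
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "Expired on $($cert.NotAfter)" }
    if (-not $cert.Verify()) { $problems += 'Chain does not validate (CA chain missing or untrusted)' }

    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Subject = $cert.Subject
                       Ready = ($problems.Count -eq 0); Problems = $problems }
}

# Run before Set-WACCertificate; thumbprint and FQDN below are placeholders.
Test-WacCertificate -Thumbprint 'YOUR_THUMBPRINT' -Fqdn 'servername.domain.com' | Format-List
```

If Ready is False, the Problems list names the missing attribute, which tells you whether the INF, the CA template or the import step needs correcting before you rebind.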
