PAM77
Feb 26, 2026

WAC can connect to itself or to other servers.

Hello,

I have installed WAC with an internal certificate from my company. I can log in to the web, and the certificate appears correct in the browser.

When I try to connect to the gateway itself or to other servers, I get:

No connection could be made because the target machine actively refused it:

servergw.domain.com:6601

 

In Event Viewer, event Winrest:

Hosting failed to start

Exception:

System.InvalidOperationException: The requested certificate E=email address removed for privacy reasons could not be found in LocalMachine/My with AllowInvalid setting: False.

 

The certificate is correct, like the others from the company that are used in other services. It has a private key and server authentication:

 

E = email address removed for privacy reasons

CN = email address removed for privacy reasons

OU = company

O = company bla bla

L = City

S = City

C = Country

 

I tried to create with other SAN:

DNS=servergw.domain.com

DNS=servergw

DNS=localhost

 

I have also tried giving Network Service permissions to the private key and changing the service to run as Local System.

WinRM and trusted hosts are configured correctly.

It only works when I install it with the self-signed certificate that WAC creates, and it will say 60 days.

 

What else can I try?

 

Thanks !!

 

3 Replies

  • PAM77

    I created a new certificate with only the CN in the subject field, and now it works fine.

    However, I don't understand why the application is unable to detect the CN. Certificates normally have more data in the subject field and work in the applications we use.

    Thank you and best regards.

  • Francisco_M

    The certificate’s Subject Name does not match what WAC is configured to use

    WAC binds to the certificate using Subject Name, not SAN.

    If your certificate’s subject is an email address (as in your example), WAC will not match it.

    Example of your subject:

    E=email address removed for privacy reasons CN=email address removed for privacy reasons

    This is not valid for a WAC gateway certificate.

    WAC requires:

    CN=servergw.domain.com

    Even if SAN contains DNS names, WAC still matches on Subject Name, not SAN.


    Reissue the certificate with:

    • CN = servergw.domain.com
    • SAN = servergw.domain.com, servergw, etc.

    Then run:

    Import-Module "$env:ProgramFiles\WindowsAdminCenter\PowerShellModules\Microsoft.WindowsAdminCenter.Configuration"
    Set-WACCertificateSubjectName -SubjectName "servergw.domain.com"

    • PAM77

      Yes, I created another certificate with only the CN in the subject, and it works correctly now.
      On the other hand, I don't understand why it can't detect the CN even though there are more fields in the subject. 
      All our certificates are the same, and they are configured on web servers without any problems.

       

      Thanks for the help :)
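
A check for the points raised in this thread, as an added example that is not part of any post: it lists each certificate in LocalMachine\My with its subject, private-key flag, Server Authentication EKU, expiry and SAN, and flags whether the subject is exactly `CN=<name>`, the form the thread reports working. `$ExpectedName` is a placeholder taken from the thread's sample host name; run it in an elevated PowerShell session on the gateway.

```powershell
# Added example: audit LocalMachine\My for a certificate usable by the gateway.
# $ExpectedName is a placeholder (the thread's sample host name), not a real host.
$ExpectedName  = 'servergw.domain.com'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # One subject component per line (E=..., CN=..., OU=...), so extra fields are visible.
    $rdns = @($cert.SubjectName.Format($true) -split '\r?\n' | Where-Object { $_.Trim() })

    # Collect EKU OIDs. A certificate with no EKU extension is not restricted by purpose.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # SAN entries as Windows formats them, e.g. "DNS Name=servergw.domain.com, ..."
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $san = ''
    if ($sanExt) { $san = $sanExt.Format($false) }

    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        Subject         = $cert.Subject
        SubjectRdnCount = $rdns.Count
        # True only when the whole subject is CN=<name>, with no E=, OU=, O= ... fields.
        SubjectIsCnOnly = ($cert.Subject -eq "CN=$ExpectedName")
        HasPrivateKey   = $cert.HasPrivateKey
        ServerAuthEku   = ((-not $ekuExt) -or ($ekuOids -contains $serverAuthOid))
        Expired         = ($cert.NotAfter -lt (Get-Date))
        San             = $san
    }
} | Sort-Object -Property SubjectIsCnOnly -Descending | Format-List
```

A certificate that shows `HasPrivateKey` and `ServerAuthEku` as True but `SubjectIsCnOnly` as False with a `SubjectRdnCount` above 1 matches the situation described in the original post.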