Forum Discussion
Windows Admin Center v2.4 will not use SAN Cert
Hi rmoat !
Seems like you're dealing with a compatibility issue. This might be caused by the way WAC is handling certificate bindings. You can try a couple of things: first, make sure the SAN certificate is properly installed and has all necessary permissions for WAC to use it. If the certificate is in the correct store but still not working, you could try manually binding it through PowerShell with New-WebBinding to see if WAC will accept it that way.
Hope it helps!
- rmoat (Brass Contributor), Jan 29, 2025
Thank you luchete.
Yeah, the SAN cert(s) were installed in the "Personal" store. It looks like the New-WebBinding cmdlets don't exist, and I'm guessing they are only installed if IIS is installed. Unfortunately, WAC v2 doesn't use IIS anymore.
I tried to generate many different certificates, with various certificate templates. Even one that was similar to the Computer AutoEnroll certificate template, but I just manually fill in the Common Name and DNS (Subject Alternative Name), and both use nearly all of the same cert template settings, and all I get is the "Connection Closed" error when trying to access the website.
Since this will be used internally only, it's not really that big of a deal. It would be nice if the next build brought back the ability to update the certificate within the actual website itself, instead of running the installer each time or using the Set-WacCertificateSubjectName -Thumbprint <certificate thumbprint>.
- PatAbbott (Copper Contributor), Jan 30, 2025
Are you matching common and DNS SAN with the same FQDN? I ask because it's working in my environment. Also, if you are using something other than the hostname, you need to run the installer as custom.
- rmoat (Brass Contributor), Mar 26, 2025
PatAbbott I am not sure how I missed this. Yeah, the SAN cert is matched between common and DNS SAN (alternative). It seems that the autoenroll certificate the server gets is the issue but not sure why. If the autoenrolled server certificate is present on the server, Admin Center will only use that certificate and won't use any other certificate, even when assigning it to another certificate using "custom".
We prevented that server from getting an autoenroll cert as a test, and we can use a different SAN cert. Not quite sure what's going on.
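
Added example, not part of any post above and not Windows Admin Center code: a PowerShell inventory of the LocalMachine "Personal" store that shows, per certificate, the Common Name, DNS names, issuing template, and whether it is usable for server authentication, so an autoenrolled certificate sitting beside the SAN certificate is easy to spot. The function name `Get-ServerCertCandidate` and the FQDN `wac.contoso.example` are assumptions made for illustration.

```powershell
# Added example (not from the thread). Lists certificates in the LocalMachine
# "Personal" store and flags those that could serve the given FQDN.
function Get-ServerCertCandidate {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'    # Server Authentication EKU
    # Certificate template extensions (v2 template information, v1 template name)
    $templateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $cn   = $cert.GetNameInfo($nameType, $false)
        # DNS names as reported by the PowerShell certificate provider
        $dns  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

        # No EKU extension means the certificate is not restricted by purpose
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        $serverAuth = (-not $eku) -or ($ekuOids -contains $serverAuthOid)

        # Template extension text shows which template issued the certificate
        $tpl = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
            Select-Object -First 1

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            CommonName     = $cn
            DnsNames       = $dns -join ', '
            Template       = if ($tpl) { $tpl.Format($false) } else { '(none)' }
            HasPrivateKey  = $cert.HasPrivateKey
            ServerAuth     = $serverAuth
            NotAfter       = $cert.NotAfter
            # Exact, case-insensitive comparison only; wildcard names are not evaluated
            CnMatches      = $cn -eq $Fqdn
            DnsNameMatches = $dns -contains $Fqdn
        }
    }
}

# Constructed sample FQDN; replace with the name used to reach the gateway
Get-ServerCertCandidate -Fqdn 'wac.contoso.example' |
    Where-Object { $_.HasPrivateKey -and $_.ServerAuth } |
    Sort-Object NotAfter -Descending | Format-List
```

More than one row with `ServerAuth` and `HasPrivateKey` set to True means several certificates are eligible at once; the `Template` column tells the autoenrolled one apart from the manually requested SAN certificate.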