Forum Discussion

rmoat
Brass Contributor
Jan 27, 2025
Solved

Windows Admin Center v2.4 will not use SAN Cert

Hello,

We've noticed an issue with the new Windows Admin Center Modernized Gateway (v2.4) and SAN certificates, at least in our environment. All of our servers get an autoenroll computer certificate (hostname.domainname.com) -- it only uses a common name, and has no subject alternative names.

For webservers, we generate an additional certificate with subject alternative names, so that web browsers do not report an insecure https website.

Windows Admin Center v2.4 does not seem to work with these certificates. When installing WAC and selecting the correct SAN certificate in the "Custom Setup" or even setting the certificate manually using Set-WACCertificateSubjectName -Thumbprint 'thumbprintofcert' the website will only use the autoenroll certificate.

I deleted the autoenroll certificate from the machine, and tried setting the certificate to the SAN cert, and the site will not even load. As soon as I forced a gpupdate /force to get a new autoenroll computer certificate, it would use that one, but never the SAN cert.

Just in case it was the subject name of the cert, I generated a new SAN cert with a completely different name from the autoenroll cert: WAC.domainname.com instead of APP-WAC01.domain.com.

I then used Set-WACCertificateSubjectName -Thumbprint and verified that it was using the new SAN cert by running Get-WACCertificateSubjectName, which showed that it was using the WAC.domainname.com certificate. The website would not load at all.

So I don't know if it has issues with SAN certs, or anything other than an autoenroll certificate with only a common name, but nothing works. If Windows Admin Center Modernized Gateway still used IIS, we'd be able to get IIS to use the SAN cert like the previous version of Windows Admin Center.

Is this a known issue? Anyone else having issues with SAN certs?

-J

  • No problem rmoat!

    Unfortunately, it seems there is not much option other than to wait for the next build to bring back the ability to update the certificates. For now, would you mind leaving the thread as resolved?

    Regards!

  • luchete
    Steel Contributor

    Hi rmoat!

    Seems like you're dealing with a compatibility issue. This might be caused by the way WAC is handling certificate bindings. You can try a couple of things: first, make sure the SAN certificate is properly installed and has all necessary permissions for WAC to use it. If the certificate is in the correct store but still not working, you could try manually binding it through PowerShell with New-WebBinding to see if WAC will accept it that way.

    Hope it helps!

    • rmoat
      Brass Contributor

      Thank you luchete.

      Yeah, the SAN cert(s) were installed in the "Personal" store. It looks like the New-WebBinding cmdlets don't exist, and I'm guessing they are only installed if IIS is installed. Unfortunately, WAC v2 doesn't use IIS anymore.

      I tried generating many different certificates, with various certificate templates. Even one that was similar to the Computer AutoEnroll certificate template, where I just manually filled in the Common Name and DNS (Subject Alternative Name), and both used nearly all of the same cert template settings, and all I get is the "Connection Closed" error when trying to access the website.

      Since this will be used internal only, it's not really that big of a deal. It would be nice if the next build brought back the ability to update the certificate within the actual website itself, instead of running the installer each time or using the Set-WacCertificateSubjectName -Thumbprint <certificate thumbprint>.

      • PatAbbott
        Copper Contributor

        Are you matching the common name and DNS SAN with the same FQDN? I ask because it's working in my environment. Also, if you are using something other than the hostname, you need to run the installer as custom.
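The point raised above (whether the certificate's common name matches one of its DNS SAN entries, and whether it is otherwise usable as a server certificate by the gateway) can be checked before running the installer or Set-WACCertificateSubjectName. The following is an added PowerShell check written for this thread; it is not from the original posts, from Microsoft, or from Windows Admin Center. It inspects a certificate in the local machine "Personal" store by thumbprint and reports the properties that commonly cause a TLS binding to be silently rejected: a CN that does not appear among the DNS SANs, no private key on this machine, or a missing Server Authentication EKU. The thumbprint value is a placeholder you replace with your own.

```powershell
# Added example: pre-flight check for a server certificate before handing it to WAC.
# Assumes the certificate is in Cert:\LocalMachine\My; the thumbprint below is a placeholder.
function Test-WacCandidateCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint
    )

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My"
    }

    # Common name from the subject DN (e.g. "CN=wac.domainname.com, O=...").
    $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } |
        Select-Object -First 1) -replace '^CN=', ''

    # DNS entries from the Subject Alternative Name extension (OID 2.5.29.17).
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\r\n]+)') |
            ForEach-Object { $_.Groups[1].Value.Trim() }
    }

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present for an HTTPS listener.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($ekuExt) {
        $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    }

    [pscustomobject]@{
        Thumbprint        = $cert.Thumbprint
        CommonName        = $cn
        DnsSans           = $dnsNames
        CnListedInSans    = ($dnsNames -contains $cn)
        HasPrivateKey     = $cert.HasPrivateKey
        HasServerAuthEku  = $hasServerAuth
        NotAfter          = $cert.NotAfter
        Expired           = ($cert.NotAfter -lt (Get-Date))
        LooksUsable       = ($dnsNames -contains $cn) -and $cert.HasPrivateKey -and $hasServerAuth -and ($cert.NotAfter -ge (Get-Date))
    }
}

# Usage (placeholder thumbprint; replace with the SAN certificate's thumbprint):
Test-WacCandidateCertificate -Thumbprint 'THUMBPRINT_OF_SAN_CERT' | Format-List
```

Run it in an elevated session on the gateway host. If CnListedInSans is false, reissue the certificate with the FQDN you browse to both as the CN and as a DNS SAN; if HasPrivateKey is false, the cert was imported without its key (or the key lives on another machine) and no listener can use it regardless of how it is bound.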
