Apr 01 2020 08:44 AM - last edited on Nov 09 2023 11:09 AM by
I just now observed that our internal WAC certificate was only two months old and it's already expired. Can I simply create and use our own self-signed certificate and use it? Do I install it like normal certificates within the Certificates MMC and WAC will automagically use it?
Thank you, Tom
Apr 06 2020 08:37 AM
To update the certificate used by Windows Admin Center, re-run the installer and choose change, then specify the thumbnail of another installed certificate.
Apr 07 2020 11:25 AM
@Jeff Woolslayer Hi, I have rerun the installation and selected the new cert provided by my CA but now I have an issue with the WAC Encryption certificate because the other certificate in the chain is not valid anymore.
The WAC certificate that was self-signed and put into Intermediate Certification Authorities store is expired (was only valid for 3 months).
How can I update that chain?
Apr 07 2020 11:51 AM
The encryption certificate is generated using the certificate you specify in the installer. If you can reproduce this 100% please share the exact steps.
Apr 07 2020 01:12 PM
Mar 16 2022 12:42 PM
Did you ever get the full steps to create a useful certificate Windows Admin Center can use? I'm having similar issues. I have a CA but the certs I create won't work like the original self signed cert @Jeff Woolslayer
Mar 23 2022 05:20 PM - edited Mar 23 2022 05:26 PM
To import a wildcard cert I had purchased I needed to do two things.
1 make a PFX
2 import it
I had server core so this was um, fun.
for 1
I used winget to install openssl on my local machine
I used wget to get the latest admin center MSI inside server core via RDP
then ran
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
where certificate.pfx is the new PFX, -inkey is the private key used for the CSR, -in is the wildcard cert issued and -certfile is the cert of the CA.
Then I imported it into localmachine\my using admin center.
However I cannot get the admin center MSI command to work with the new thumbprint; all an MSI log gives me is this. I don't think MS actually cares about admin center - if they did one could import key and cert from UI or define via two params - just like I can in most Linux apps.... The server team is a shadow of its former self unfortunately as folks only have eyes for Azure...
Action ended 17:10:06: ExecuteAction. Return value 3.
MSI (c) (A0:58) [17:10:06:078]: Doing action: FatalError
Action 17:10:06: FatalError.
Action start 17:10:06: FatalError.
Action 17:10:06: FatalError. Dialog created
In quiet mode I get more info, seems to be a 1603 issue - MSI installation error 1603 - Windows Server | Microsoft Docs. I don't have time to dig deeper, I switched to Firefox from Edge so I can bypass the cert issue, stupid MS.
If you can get the thumbprint reconfigure working let me know!
Apr 02 2022 01:31 AM
Jul 21 2022 06:45 AM
Thank you for this! I've been really frustrated trying to update our SSL certificate before it expired. Trying to just change the application from Programs/Features wasn't working because it kept reverting back to the expiring cert after I closed the installer. Your method finally did the trick.
Jul 31 2022 08:37 PM
@thegluck You are my hero, dude :)
I was desperately looking for a way to change the cert WITHOUT having to use the installer, in order to automatically change the cert whenever we run our cert creation procedure - and also on demand from within our own website. Thanks a lot for that
Sep 07 2022 02:48 AM
Step 4 does not work, it returns: "parameter is incorrect"
I use the THUMBPRINT found at Step 1 corresponding with WAC, the port used by me (4433) and the App ID found at Step 2
Any idea what might be wrong?
Sep 07 2022 07:12 AM
in powershell, just type in the command netsh
then http
should have something that looks like netsh http>
then enter:
add sslcert ipport=0.0.0.0:443 certhash=thumbprint-from-ssl appid={appid guid}
Seem to have cleared up any parameter issue.
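The netsh binding step discussed in the replies above, as an added PowerShell example that is not part of any post in this thread. It assumes port 443, a placeholder thumbprint and English netsh output labels, and it passes the App ID inside a quoted string, because PowerShell treats unquoted braces as a script block and netsh then does not receive the GUID as typed.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
# Assumptions: port 443, a placeholder thumbprint, and English netsh
# output labels ("Application ID", "Certificate Hash").
$Port       = 443
$Thumbprint = '<NEW-CERT-THUMBPRINT>'   # placeholder: paste the value without spaces
$IpPort     = "0.0.0.0:$Port"

# 1. The new certificate must be in LocalMachine\My, have a private key and be in date.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid today ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 2. Read the existing binding so its Application ID can be reused and the old
#    certificate hash put back if the new binding is rejected.
$current = netsh http show sslcert "ipport=$IpPort" | Out-String
if ($current -notmatch 'Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})') {
    throw "No SSL binding found on $IpPort."
}
$appId   = $Matches[1]
$oldHash = if ($current -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') { $Matches[1] }

# 3. Replace the binding. Every argument is a quoted string, so the braces
#    around the GUID reach netsh unchanged.
netsh http delete sslcert "ipport=$IpPort" | Out-Null
netsh http add sslcert "ipport=$IpPort" "certhash=$($cert.Thumbprint)" "appid=$appId"
$addExit = $LASTEXITCODE
if ($addExit -ne 0) {
    # Put the previous certificate back so the port is not left without a binding.
    if ($oldHash) {
        netsh http add sslcert "ipport=$IpPort" "certhash=$oldHash" "appid=$appId"
    }
    throw "netsh rejected the new binding (exit code $addExit)."
}

# 4. Show the binding so the new hash can be checked by eye.
netsh http show sslcert "ipport=$IpPort"
```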
Apr 19 2023 03:02 AM
I would like to share my experience with WAC as I am using it to administer a Windows Hyper-V Server 2019 (Bare Metal, not domain joined) and to overcome the self-signed certificate issue.
Initial information on how to generate the Root Certificate Authority and a client certificate is here - How to: Create Temporary Certificates for Use During Development - WCF | Microsoft Learn
Below is the script I adjusted for my usage (The server has an internal static IP address and only a computer name (hostname)):
# 19.04.2023
# Create a root certificate authority and specify the IP Address and DNS Hostname
# The certificate is valid for 20 years
$rootCert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject "Root CA For Windows Admin Center" -TextExtension @("2.5.29.19={text}CA=true","2.5.29.17={text}IPAddress=<IP Address>&DNS=<Hostname>") -KeyUsage CertSign,CrlSign,DigitalSignature -NotAfter (Get-Date).AddYears(20)
# Export the root certificate authority's public certificate (.crt) to be imported on the target machine (client)
# The password below is only used by the commented-out PFX export further down
[System.Security.SecureString]$rootCertPassword = ConvertTo-SecureString -String "password" -Force -AsPlainText
[String]$rootCertPath = Join-Path -Path 'cert:\CurrentUser\My\' -ChildPath "$($rootCert.Thumbprint)"
Export-Certificate -Cert $rootCertPath -FilePath 'RootCA.crt'
# Create a self signed client certificate and specify the IP Address and DNS Hostname
# Certificate is valid for 10 years
$testCert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "Windows Admin Center (Self-Signed)" -TextExtension @("2.5.29.17={text}IPAddress=<IP Address>&DNS=<Hostname>") -KeyExportPolicy Exportable -KeyLength 2048 -NotAfter (Get-Date).AddYears(10) -KeyUsage DigitalSignature,KeyEncipherment -Signer $rootCert
# Add the certificate to the certificate store and export it
[String]$testCertPath = Join-Path -Path 'cert:\LocalMachine\My\' -ChildPath "$($testCert.Thumbprint)"
# Export-PfxCertificate -Cert $testCertPath -FilePath testcert.pfx -Password $rootCertPassword
Export-Certificate -Cert $testCertPath -FilePath testcert.crt
Afterwards import the RootCA.crt and testcert.crt to the client workstation:
certmgr => Personal => All Tasks => Import => testcert.crt
certmgr => Trusted Root Certification Authorities => All Tasks => Import => RootCA.crt
Reconfigure the WAC installation on the server by using the installation MSI and specify the thumbprint from the installed client certificate. To obtain it, either check the certificate store on the server or on the client workstation click on the imported testcert.crt in certmgr and under "Details" copy the value for "Thumbprint"
Jul 31 2023 07:08 PM - edited Jul 31 2023 07:10 PM
awesome job, have a few servers so I used variables for IP/HostName
# Create a root certificate authority and specify the IP Address and DNS Hostname
# The certificate is valid for 20 years
$myIP = "192.168.0.0"
$myHostName = "hostname"
$rootCert = New-SelfSignedCertificate `
-CertStoreLocation Cert:\CurrentUser\My `
-Subject "Root CA For Windows Admin Center - $myHostName" `
-TextExtension @("2.5.29.19={text}CA=true","2.5.29.17={text}IPAddress=$($myIP)&DNS=$($myHostName)") `
-KeyUsage CertSign,CrlSign,DigitalSignature `
-NotAfter (Get-Date).AddYears(20)
# Export the root certificate authority's public certificate (.crt) to be imported on the target machine (client)
# The password below is only used by the commented-out PFX export further down
[System.Security.SecureString]$rootCertPassword = ConvertTo-SecureString -String "password" -Force -AsPlainText
[String]$rootCertPath = Join-Path -Path 'cert:\CurrentUser\My\' -ChildPath "$($rootCert.Thumbprint)"
Export-Certificate -Cert $rootCertPath -FilePath "RootCA_$($myHostName).crt"
# Create a self signed client certificate and specify the IP Address and DNS Hostname
# Certificate is valid for 10 years
$testCert = New-SelfSignedCertificate `
-CertStoreLocation Cert:\LocalMachine\My `
-Subject "Windows Admin Center - $myHostName - (Self-Signed)" `
-TextExtension @("2.5.29.17={text}IPAddress=$($myIP)&DNS=$($myHostName)") `
-KeyExportPolicy Exportable `
-KeyLength 2048 `
-NotAfter (Get-Date).AddYears(10) `
-KeyUsage DigitalSignature,KeyEncipherment `
-Signer $rootCert
# Add the certificate to the certificate store and export it
[String]$testCertPath = Join-Path -Path 'cert:\LocalMachine\My\' -ChildPath "$($testCert.Thumbprint)"
# Export-PfxCertificate -Cert $testCertPath -FilePath testcert.pfx -Password $rootCertPassword
Export-Certificate -Cert $testCertPath -FilePath "clientcert_$($myHostName).crt"