
How do I create a new certificate for Windows Admin Center??


I just now observed that our internal WAC certificate was only two months old and it's already expired. Can I simply create our own self-signed certificate and use it?? Do I install it like normal certificates within the Certificates MMC, and will WAC automagically use it??

Thank you, Tom

13 Replies

To update the certificate used by Windows Admin Center, re-run the installer and choose Change, then specify the thumbprint of another installed certificate.

Updating the certificate used by Windows Admin Center

@Jeff Woolslayer Hi, I have re-run the installation and selected the new cert provided by my CA, but now I have an issue with the WAC Encryption certificate because the other certificate in the chain is not valid anymore.

The WAC certificate that was self-signed and put into the Intermediate Certification Authorities store is expired (it was only valid for 3 months).

How can I update that chain?

The encryption certificate is generated using the certificate you specify in the installer. If you can reproduce this 100% please share the exact steps.

I will try this -- make a new local self-signed cert then change it to that etc. with the new thumbprint, thank you for telling me about this!! :)

Did you ever get the full steps to create a useful certificate Windows Admin Center can use? I'm having similar issues. I have a CA, but the certs I create won't work like the original self-signed cert. @Jeff Woolslayer

@ClenJ

To import a wildcard cert I had purchased, I needed to do two things:

1. Make a PFX

2. Import it

I had Server Core, so this was, um, fun.

For 1:

I used winget to install OpenSSL on my local machine.

I used wget to get the latest Admin Center MSI inside Server Core via RDP.

Then I ran:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

where certificate.pfx is the new PFX, -inkey is the private key used for the CSR, -in is the issued wildcard cert and -certfile is the cert of the CA.

Then I imported it into LocalMachine\My using Admin Center.

However, I cannot get the Admin Center MSI command to work with the new thumbprint. All an MSI log gives me is this. I don't think MS actually cares about Admin Center; if they did, one could import the key and cert from the UI or define them via two params, just like I can in most Linux apps.... The server team is a shadow of its former self unfortunately, as folks only have eyes for Azure...

Action ended 17:10:06: ExecuteAction. Return value 3.
MSI (c) (A0:58) [17:10:06:078]: Doing action: FatalError
Action 17:10:06: FatalError.
Action start 17:10:06: FatalError.
Action 17:10:06: FatalError. Dialog created

In quiet mode I get more info; it seems to be a 1603 issue (MSI installation error 1603 - Windows Server | Microsoft Docs). I don't have time to dig deeper; I switched to Firefox from Edge so I can bypass the cert issue, stupid MS.

If you can get the thumbprint reconfigure working, let me know!

Seems to me Microsoft just ignores us. It's a very basic thing and there's no solution for how to change the built-in certificate in WAC.
My method of changing it is below.

1. Get the thumbprint of the new certificate:
PowerShell: ls cert:\LocalMachine\my

2. Show config:
CMD: netsh http show sslcert
Write down "Application ID"

3. Delete existing config:
netsh http delete sslcert ipport=0.0.0.0:443

4. Bind the new cert:
netsh http add sslcert ipport=0.0.0.0:443 certhash=thumbprint_40_characters appid={Application ID}

5. Restart "Windows Admin Center" service
net stop ServerManagementGateway && net start ServerManagementGateway

Done!
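The same five steps as a script, added here as a worked example (it is not code from the thread or from the WAC installer). Assumed, not from the thread: the listener is 0.0.0.0:443 unless -IpPort is given, the certificate is chosen by thumbprint from LocalMachine\My, and the Application ID is read from the existing binding; the script checks the new certificate before touching the binding and restores the old hash if the add fails.

```powershell
# Added example: rebind the WAC HTTPS listener to a new certificate with netsh (steps 1-5 above).
# Assumptions (not from the thread): 0.0.0.0:443 unless -IpPort is passed; run from an elevated shell.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$IpPort = '0.0.0.0:443'
)
# Step 1: normalise a thumbprint pasted from certmgr (spaces/colons) and locate the certificate.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($Thumbprint.Length -ne 40) { throw "Thumbprint must be 40 hex characters, got $($Thumbprint.Length)." }
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key, so TLS cannot use it.' }
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate is not valid right now (valid $($cert.NotBefore) to $($cert.NotAfter))."
}

# Step 2: read the current binding; keep its Application ID and old hash for rollback.
$current = (netsh http show sslcert ipport=$IpPort) -join "`n"
if (-not ($current -match 'Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})')) { throw "No SSL binding found on $IpPort." }
$appId = $Matches[1]
$oldHash = if ($current -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { $Matches[1] } else { $null }
Write-Host "Current binding on ${IpPort}: hash=$oldHash appid=$appId"

# Steps 3-4: replace the binding. Each name=value pair is passed as one quoted token, which is
# the usual fix for the "parameter is incorrect" error when netsh is called from PowerShell.
netsh http delete sslcert ipport=$IpPort | Out-Null
netsh http add sslcert "ipport=$IpPort" "certhash=$Thumbprint" "appid=$appId" | Out-Null
if ($LASTEXITCODE -ne 0) {
    if ($oldHash) { netsh http add sslcert "ipport=$IpPort" "certhash=$oldHash" "appid=$appId" | Out-Null }
    throw 'netsh add sslcert failed; the previous binding was restored.'
}

# Step 5: restart the gateway service and confirm the listener now presents the new hash.
Restart-Service -Name ServerManagementGateway
$after = (netsh http show sslcert ipport=$IpPort) -join "`n"
if ($after -match $Thumbprint) { Write-Host "WAC on $IpPort now serves $Thumbprint (expires $($cert.NotAfter))." }
else { throw 'Binding check failed; inspect the output of "netsh http show sslcert".' }
```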

@thegluck

Thank you for this! I've been really frustrated trying to update our SSL certificate before it expired. Trying to just change the application from Programs/Features wasn't working because it kept reverting back to the expiring cert after I closed the installer. Your method finally did the trick.

@thegluck You are my hero, dude :)

I was desperately looking for a way to change the cert WITHOUT having to use the installer, in order to automatically change the cert whenever we run our cert creation procedure, and also on demand from within our own website. Thanks a lot for that.

@thegluck

Step 4 does not work; it returns: "parameter is incorrect"
I used the THUMBPRINT found at Step 1 corresponding with WAC, the port used by me (4433) and the App ID found at Step 2.

Any idea what might be wrong?

@Xperiens

In PowerShell, just type in the command netsh

then http

You should have something that looks like netsh http>

Then enter:

add sslcert ipport=0.0.0.0:443 certhash=thumbprint-from-ssl appid={appid guid}

Seems to have cleared up any parameter issue.

I would like to share my experience with WAC, as I am using it to administer a Windows Hyper-V Server 2019 (bare metal, not domain joined), and how I overcame the self-signed certificate issue.

Initial information on how to generate the Root Certificate Authority and a client certificate is here - How to: Create Temporary Certificates for Use During Development - WCF | Microsoft Learn

Below is the script I adjusted for my usage (the server has an internal static IP address and only a computer name (hostname)):

# 19.04.2023
# Create a root certificate authority and specify the IP Address and DNS Hostname
# The certificate is valid for 20 years

$rootCert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject "Root CA For Windows Admin Center" -TextExtension @("2.5.29.19={text}CA=true","2.5.29.17={text}IPAddress=<IP Address>&DNS=<Hostname>") -KeyUsage CertSign,CrlSign,DigitalSignature -NotAfter (Get-Date).AddYears(20)

# Password protect and export the root certificate authority to be imported on the target machine (client)
[System.Security.SecureString]$rootCertPassword = ConvertTo-SecureString -String "password" -Force -AsPlainText
[String]$rootCertPath = Join-Path -Path 'cert:\CurrentUser\My\' -ChildPath "$($rootCert.Thumbprint)"
Export-Certificate -Cert $rootCertPath -FilePath 'RootCA.crt'

# Create a self signed client certificate and specify the IP Address and DNS Hostname
# Certificate is valid for 10 years
$testCert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "Windows Admin Center (Self-Signed)" -TextExtension @("2.5.29.17={text}IPAddress=<IP Address>&DNS=<Hostname>") -KeyExportPolicy Exportable -KeyLength 2048 -NotAfter (Get-Date).AddYears(10) -KeyUsage DigitalSignature,KeyEncipherment -Signer $rootCert

# Add the certificate to the certificate store and export it
[String]$testCertPath = Join-Path -Path 'cert:\LocalMachine\My\' -ChildPath "$($testCert.Thumbprint)"
# Export-PfxCertificate -Cert $testCertPath -FilePath testcert.pfx -Password $rootCertPassword
Export-Certificate -Cert $testCertPath -FilePath testcert.crt

Afterwards, import RootCA.crt and testcert.crt on the client workstation:

certmgr => Personal => All Tasks => Import => testcert.crt

certmgr => Trusted Root Certification Authorities => All Tasks => Import => RootCA.crt

Reconfigure the WAC installation on the server using the installation MSI and specify the thumbprint of the installed client certificate. To obtain it, either check the certificate store on the server, or on the client workstation click the imported testcert.crt in certmgr and under "Details" copy the value of "Thumbprint".

Awesome job. I have a few servers, so I used variables for IP/HostName.

# Create a root certificate authority and specify the IP Address and DNS Hostname
# The certificate is valid for 20 years
$myIP = "192.168.0.0"
$myHostName = "hostname"

$rootCert = New-SelfSignedCertificate `
-CertStoreLocation Cert:\CurrentUser\My `
-Subject "Root CA For Windows Admin Center - $myHostName" `
-TextExtension @("2.5.29.19={text}CA=true","2.5.29.17={text}IPAddress=$($myIP)&DNS=$($myHostName)") `
-KeyUsage CertSign,CrlSign,DigitalSignature `
-NotAfter (Get-Date).AddYears(20)

# Password protect and export the root certificate authority to be imported on the target machine (client)
[System.Security.SecureString]$rootCertPassword = ConvertTo-SecureString -String "password" -Force -AsPlainText
[String]$rootCertPath = Join-Path -Path 'cert:\CurrentUser\My\' -ChildPath "$($rootCert.Thumbprint)"
Export-Certificate -Cert $rootCertPath -FilePath "RootCA_$($myHostName).crt"

# Create a self signed client certificate and specify the IP Address and DNS Hostname
# Certificate is valid for 10 years
$testCert = New-SelfSignedCertificate `
-CertStoreLocation Cert:\LocalMachine\My `
-Subject "Windows Admin Center - $myHostName - (Self-Signed)" `
-TextExtension @("2.5.29.17={text}IPAddress=$($myIP)&DNS=$($myHostName)") `
-KeyExportPolicy Exportable `
-KeyLength 2048 `
-NotAfter (Get-Date).AddYears(10) `
-KeyUsage DigitalSignature,KeyEncipherment `
-Signer $rootCert

# Add the certificate to the certificate store and export it
[String]$testCertPath = Join-Path -Path 'cert:\LocalMachine\My\' -ChildPath "$($testCert.Thumbprint)"
# Export-PfxCertificate -Cert $testCertPath -FilePath testcert.pfx -Password $rootCertPassword
Export-Certificate -Cert $testCertPath -FilePath "clientcert_$($myHostName).crt"
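Before importing RootCA.crt into a client's Trusted Root store, it pays to check that what the two scripts above exported is really a private CA plus a non-CA leaf that chains to it and names the host and IP you will browse to. The function below is an added example, not code from the thread; it assumes Windows (the SAN text it parses is CryptoAPI formatting) and takes the file names and expected host/IP as parameters.

```powershell
# Added example: sanity-check an exported RootCA.crt / leaf .crt pair before trusting the root.
# Assumes Windows: the SAN text parsed below ("DNS Name=..., IP Address=...") is CryptoAPI formatting.
function Get-Ext($cert, $oid) { $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid } | Select-Object -First 1 }
function Test-WacCertPair {
    param(
        [Parameter(Mandatory)][string]$RootPath,
        [Parameter(Mandatory)][string]$LeafPath,
        [Parameter(Mandatory)][string]$ExpectedHost,
        [Parameter(Mandatory)][string]$ExpectedIP
    )
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $RootPath).ProviderPath
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $LeafPath).ProviderPath
    $problems = @()

    # Basic Constraints (2.5.29.19): the root must be a CA; the leaf must not be able to issue certs.
    $rootBc = Get-Ext $root '2.5.29.19'
    $leafBc = Get-Ext $leaf '2.5.29.19'
    if (-not $rootBc -or -not $rootBc.CertificateAuthority) { $problems += 'Root is not marked CA=true.' }
    if ($leafBc -and $leafBc.CertificateAuthority) { $problems += 'Leaf is marked as a CA and could mint further certificates.' }

    # Chain: offer only this root, tolerate "untrusted root" (it is not imported yet), but require
    # that the chain actually ends at this root and reports no other error.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a private root publishes no CRL
    $chain.Build($leaf) | Out-Null
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -ne $root.Thumbprint) { $problems += "Leaf chains to '$($top.Subject)', not to RootCA." }
    foreach ($s in $chain.ChainStatus) {
        if ($s.Status -notin 'NoError', 'UntrustedRoot') { $problems += "Chain error: $($s.Status) $($s.StatusInformation.Trim())" }
    }

    # SAN (2.5.29.17) must name exactly what will be typed in the browser's address bar.
    $san = Get-Ext $leaf '2.5.29.17'
    $sanText = if ($san) { $san.Format($false) } else { '' }
    if ($sanText -notmatch "DNS Name=$([regex]::Escape($ExpectedHost))(,|$)") { $problems += "SAN lacks DNS=$ExpectedHost (have '$sanText')." }
    if ($sanText -notmatch "IP Address=$([regex]::Escape($ExpectedIP))(,|$)") { $problems += "SAN lacks IP=$ExpectedIP (have '$sanText')." }

    # Lifetime and key size.
    if ($leaf.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Leaf expires $($leaf.NotAfter)." }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($leaf)
    if ($rsa -and $rsa.KeySize -lt 2048) { $problems += "Leaf RSA key is only $($rsa.KeySize) bits." }

    [pscustomobject]@{ Leaf = $leaf.Subject; Root = $root.Subject; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed usage with the file names the scripts above write; substitute your server's host and IP.
Test-WacCertPair -RootPath .\RootCA.crt -LeafPath .\testcert.crt -ExpectedHost 'hostname' -ExpectedIP '192.168.0.0'
```

Run it on the client before the certmgr import steps; a non-empty Problems list means the root should not be trusted as exported.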