How do I create a new certificate for Windows Admin Center??


I just now observed that our internal WAC certificate was only two months old and it's already expired. Can I simply create and use our own self-signed certificate and use it?? Do I install it like normal certificates within the Certificates MMC and WAC will automagically use it??

Thank you, Tom

9 Replies

To update the certificate used by Windows Admin Center, re-run the installer and choose change, then specify the thumbnail of another installed certificate.

Updating the certificate used by Windows Admin Center

@Jeff Woolslayer Hi, I have rerun the installation and selected the new cert provided by my CA, but now I have an issue with the WAC Encryption certificate because the other certificate in the chain is not valid anymore.

The WAC certificate that was self-signed and put into the Intermediate Certification Authorities store is expired (it was only valid for 3 months).

How can I update that chain?

The encryption certificate is generated using the certificate you specify in the installer. If you can reproduce this 100% please share the exact steps.

I will try this -- make a new local self-signed cert then change it to that etc. with the new thumbprint, thank you for telling me about this!! :)

Did you ever get the full steps to create a useful certificate Windows Admin Center can use? I'm having similar issues. I have a CA but the certs I create won't work like the original self signed cert @Jeff Woolslayer 

@ClenJ 

To import a wildcard cert I had purchased I needed to do two things.

1 make a PFX

2 import it

I had server core so this was um, fun.

For 1

I used winget to install openssl on my local machine

I used wget to get the latest admin center MSI inside server core via rdp

then ran

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

where certificate.pfx is the new pfx, -inkey is the private key used for the csr and -in is the wildcard cert issued and certfile is the cert of the CA.

Then I imported into localmachine\my using admin center

However I cannot get the admin center msi command to work with the new thumbprint, all an MSI log gives me is this. I don't think MS actually cares about admin center - if they did one could import key and cert from UI or define via two params - just like I can in most linux apps.... the server team is a shadow of its former self unfortunately as folks only have eyes for azure...

Action ended 17:10:06: ExecuteAction. Return value 3.
MSI (c) (A0:58) [17:10:06:078]: Doing action: FatalError
Action 17:10:06: FatalError.
Action start 17:10:06: FatalError.
Action 17:10:06: FatalError. Dialog created

 

In quiet mode I get more info, seems to be a 1603 issue - MSI installation error 1603 - Windows Server | Microsoft Docs. I don't have time to dig deeper, I switched to firefox from edge so I can bypass the cert issue, stupid MS.

If you can get the thumbprint reconfigure working let me know!

Seems to me Microsoft just ignores us. It's a very basic thing and there is no solution for how to change the built-in certificate in WAC.
My method of changing it is below.

1. Get thumbprint for a new certificate:
Powershell: ls cert:\LocalMachine\my

2. Show config:
CMD: netsh http show sslcert
Write down "Application ID"

3. Delete existing config:
netsh http delete sslcert ipport=0.0.0.0:443

4. bind new cert:
netsh http add sslcert ipport=0.0.0.0:443 certhash=thumbprint_40_characters appid={Application ID}

5. Restart "Windows Admin Center" service
net stop ServerManagementGateway && net start ServerManagementGateway

Done!
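The five steps above as one PowerShell script, as an added example that is not part of the original post. It checks the new certificate (private key, validity dates, Server Authentication EKU) before removing the live binding and re-adds the old hash if the new bind fails. Assumptions: English-language netsh output labels, the binding on 0.0.0.0:443 and the service name ServerManagementGateway as given in the post; the parameter names are hypothetical.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell on the gateway host.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # thumbprint of the new certificate (step 1)
    [string] $IpPort = '0.0.0.0:443'               # binding used in the post
)
$ErrorActionPreference = 'Stop'

# Validate the certificate before touching the live binding.
$thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()   # drop spaces and invisible copy-paste characters
$cert  = Get-Item "Cert:\LocalMachine\My\$thumb"
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in LocalMachine\My.' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid now (NotAfter: $($cert.NotAfter))."
}
# An absent EKU extension means "all purposes"; if present it must allow Server Authentication.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($ekuExt -and ($ekuExt.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1')) {
    throw 'Certificate EKU does not include Server Authentication.'
}

# Step 2: read the Application ID (and current hash, for rollback) from the existing binding.
$show = (netsh http show sslcert "ipport=$IpPort") -join "`n"
if ($show -notmatch 'Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') { throw "No binding found on $IpPort." }
$appId   = $Matches[1]
$oldHash = if ($show -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { $Matches[1] }

# Steps 3 and 4: delete the old binding and add the new one.
netsh http delete sslcert "ipport=$IpPort" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'netsh delete sslcert failed; binding unchanged.' }
netsh http add sslcert "ipport=$IpPort" "certhash=$thumb" "appid=$appId" | Out-Null
if ($LASTEXITCODE -ne 0) {
    # Roll back so the gateway is not left without a binding.
    if ($oldHash) { netsh http add sslcert "ipport=$IpPort" "certhash=$oldHash" "appid=$appId" | Out-Null }
    throw 'netsh add sslcert failed; previous binding re-added if its hash was readable.'
}

# Step 5: restart the gateway service, then show the resulting binding for review.
Restart-Service -Name ServerManagementGateway
netsh http show sslcert "ipport=$IpPort"
```

The rollback re-adds only the hash and Application ID, so any other options on the original binding are not restored.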

@thegluck

Thank you for this! I've been really frustrated trying to update our SSL certificate before it expired. Trying to just change the application from Programs/Features wasn't working because it kept reverting back to the expiring cert after I closed the installer. Your method finally did the trick. 

@thegluck You are my hero, dude :)

I was desperately looking for a way to change cert WITHOUT having to use the installer, in order to automatically change the cert whenever we run our cert creation procedure - and also on demand from within our own website. Thanks a lot for that