Microsoft Tech Community

Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate cert...

When running winrm quickconfig -transport:https I get the error

WinRM service is already running on this machine.
WSManFault
    Message
        ProviderFault
            WSManFault
                Message = Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

Error number:  -2144108267 0x80338115
Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

 This support document lists the following things to check:

  • The date of the computer falls between the Valid from: to the To: date on the General tab.
  • Host name matches the Issued to: on the General tab, or it matches one of the Subject Alternative Name exactly as displayed on the Details tab.
  • That the Enhanced Key Usage on the Details tab contains Server authentication.
  • On the Certification Path tab that the Current Status is This certificate is OK.

All of which look good for the installed certificate. The certificate is installed in the Personal container in the local certificate management MMC and is a couple of minutes old. When viewing the validity on the server, there appear to be no time zone issues comparing the valid from and to values to the taskbar clock. Both the hostname and FQDN are listed as SANs, and the FQDN is the CN. Server authentication is listed as a purpose, and the path shows up as OK.

What other reasons could this be failing?

0 Replies
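
The criteria named in the error text above (CN matching the hostname, Server Authentication, not expired, revoked, or self-signed) can be evaluated per certificate from PowerShell instead of by reading the MMC tabs. This is an added example, not part of the original post or of any Microsoft tooling. The page does not say which form of the hostname WinRM compares, so the CN is compared with both the short name and the FQDN as an assumption, and the self-signed test is a Subject-equals-Issuer heuristic.

```powershell
# Added example: evaluate each certificate in LocalMachine\My against the
# criteria listed in the WinRM error message. Run in an elevated session.
$shortName     = $env:COMPUTERNAME
$fqdn          = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID for the Server Authentication EKU
$now           = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Subject CN as the certificate API reports it (SimpleName)
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # EKU OIDs read from the extension itself; empty if the extension is absent
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })

    # Chain building and revocation under the SSL policy (PKI module cmdlet)
    $chainOk = Test-Certificate -Cert $cert -Policy SSL `
        -ErrorAction SilentlyContinue -WarningAction SilentlyContinue

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        CN            = $cn
        CNIsShortName = ($cn -ieq $shortName)   # assumption: short name comparison
        CNIsFqdn      = ($cn -ieq $fqdn)        # assumption: FQDN comparison
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)
        InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        SelfIssued    = ($cert.Subject -eq $cert.Issuer)   # heuristic for self-signed
        ChainOk       = [bool]$chainOk
    }
} | Format-Table -AutoSize
```

A row where every criterion passes except one of the two CN columns shows which hostname form the certificate's CN actually matches.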