WinRm - Cannot create a WinRM listener on HTTPS due to incorrect SSL certificate

4

I want to use WinRM with https transport. I've bought a Comodo certificate (the error states I cannot use a self-signed certificate) with the Subject matching my FQDN (Full computer name in System) of my Windows 10 computer (not domain joined):

CN = my.domain.net 
OU = PositiveSSL 
OU = Domain Control Validated

When trying to create a https listener with the following command:

WintRm quickconfig -transport:https

I get the error message:

Error number: -2144108267 0x80338115 Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

I've installed (doubleclick the *.crt file) the certificate in several stores (local machine / personal and Trusted Root Certification Authorities) but WinRM fails to create the https listener. The http listener is working OK.

Some extra info: When using certreq to try to install the *.cer certificate, I get the error:

Element not found. 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)

How do I get WinRM working with https?

ssl
https
ssl-certificate
winrm
certreq
asked on Stack Overflow Jan 27, 2017 by RHAD • edited Nov 4, 2017 by RichVel

1 Answer

7

Here is how I solved this issue:

  • create a SSL CSR using DigiCert Certificate Utility for Windows from digicert.com
  • use the generate CSR to request a certificate. I used versio.nl but I'll guess there are a lot of CA's out there
  • Install the certificate by double clicking it
  • go to the certificate manager for user
  • rightclick the certificate (it should me in the personal store) and export it - follow the wizard and be sure to export the private key
  • install the newly exported certificate (mark the key as exportable and include all extended properties) in the local computer certificate store

Open an console (cmd) with administrator privilidges and type:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS  @{Hostname="server.fqdn";CertificateThumbprint="YOURCERTIFICATETHUMPPRINT"}

This worked for me. Some things to check if it is not working:

  1. is the certificate still valid (check the date range)
  2. check if the certificate property 'Subject" has a CN value with the FQDN of your computer
  3. check if the listener is installed (winrm e winrm/config/listener)

I took me a lot of hours to figure this out. I hope it will help some of you out there.

answered on Stack Overflow Jan 30, 2017 by RHAD • edited Jan 30, 2017 by RHAD

User contributions licensed under CC BY-SA 3.0