Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

WinRm - Cannot create a WinRM listener on HTTPS due to incorrect SSL certificate

Tags:

https

ssl

ssl-certificate

winrm

certreq

I want to use WinRM with https transport. I've bought a Comodo certificate (the error states I cannot use a self-signed certificate) with the Subject matching my FQDN (Full computer name in System) of my Windows 10 computer (not domain joined):

CN = my.domain.net 
OU = PositiveSSL 
OU = Domain Control Validated

When trying to create a https listener with the following command:

WinRm quickconfig -transport:https

I get the error message:

Error number: -2144108267 0x80338115 Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

I've installed (doubleclick the *.crt file) the certificate in several stores (local machine / personal and Trusted Root Certification Authorities) but WinRM fails to create the https listener. The http listener is working OK.

Some extra info: When using certreq to try to install the *.cer certificate, I get the error:

Element not found. 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)

How do I get WinRM working with https?

like image 537
RHAD Avatar asked Jan 27 '17 09:01

RHAD

1 Answers

Here is how I solved this issue:

  • create a SSL CSR using DigiCert Certificate Utility for Windows from digicert.com
  • use the generate CSR to request a certificate. I used versio.nl but I'll guess there are a lot of CA's out there
  • Install the certificate by double clicking it
  • go to the certificate manager for user
  • rightclick the certificate (it should me in the personal store) and export it - follow the wizard and be sure to export the private key
  • install the newly exported certificate (mark the key as exportable and include all extended properties) in the local computer certificate store

Open an console (cmd) with administrator privilidges and type:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS  @{Hostname="server.fqdn";CertificateThumbprint="YOURCERTIFICATETHUMPPRINT"}

This worked for me. Some things to check if it is not working:

  1. is the certificate still valid (check the date range)
  2. check if the certificate property 'Subject" has a CN value with the FQDN of your computer
  3. check if the listener is installed (winrm e winrm/config/listener)

I took me a lot of hours to figure this out. I hope it will help some of you out there.

like image 174
RHAD Avatar answered Sep 28 '22 05:09

RHAD
Sign in to Comment

Related questions

What is the purpose of SSL/TLS renegotiation?
Install Wildcard SSL Certificate on AWS Elastic Beanstalk
Https with TLS 1.2 in Xamarin
Need to access Google Custom search api through R
SSLHandshakeException: Received fatal alert: handshake_failure after Java 6 -> 8 upgrade
W3C validator and HTTPS
Let's Encrypt certificate on modulus.io
Mosquitto certificate SSL23_GET_CLIENT_HELLO:unknown protocol
SSL: 400 no required certificate was sent
libcurl does not support HTTPS
Change base domain name for Lets Encrypt SSL certificate
SolrCloud with SSL and Basic Authentication
Session vs ssl session
Can I sign an X509 certificate entirely in Python?
HTTP SSL with GoDaddy's certificate - This server's certificate chain is incomplete
Node.js https pem error: error:0906D06C:PEM routines:PEM_read_bio:no start line
502 proxy Error [error reading from remote server]
Celery - RabbitMQ as a Service - Broker Secure Connection (TSL/SSL) - Message Signing
Can we avoid spring boot application restart, to refresh the certificates associated with its embedded tomcat container?
Creating SSL Certs For google app engine Using ZeroSSL And Let's Encrypt

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!