Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

WinRm - Cannot create a WinRM listener on HTTPS due to incorrect SSL certificate

I want to use WinRM with https transport. I've bought a Comodo certificate (the error states I cannot use a self-signed certificate) with the Subject matching my FQDN (Full computer name in System) of my Windows 10 computer (not domain joined):

CN = my.domain.net 
OU = PositiveSSL 
OU = Domain Control Validated

When trying to create a https listener with the following command:

WinRm quickconfig -transport:https

I get the error message:

Error number: -2144108267 0x80338115 Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

I've installed (doubleclick the *.crt file) the certificate in several stores (local machine / personal and Trusted Root Certification Authorities) but WinRM fails to create the https listener. The http listener is working OK.

Some extra info: When using certreq to try to install the *.cer certificate, I get the error:

Element not found. 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)

How do I get WinRM working with https?

like image 537
RHAD Avatar asked Jan 27 '17 09:01

RHAD


1 Answers

Here is how I solved this issue:

  • create a SSL CSR using DigiCert Certificate Utility for Windows from digicert.com
  • use the generate CSR to request a certificate. I used versio.nl but I'll guess there are a lot of CA's out there
  • Install the certificate by double clicking it
  • go to the certificate manager for user
  • rightclick the certificate (it should me in the personal store) and export it - follow the wizard and be sure to export the private key
  • install the newly exported certificate (mark the key as exportable and include all extended properties) in the local computer certificate store

Open an console (cmd) with administrator privilidges and type:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS  @{Hostname="server.fqdn";CertificateThumbprint="YOURCERTIFICATETHUMPPRINT"}

This worked for me. Some things to check if it is not working:

  1. is the certificate still valid (check the date range)
  2. check if the certificate property 'Subject" has a CN value with the FQDN of your computer
  3. check if the listener is installed (winrm e winrm/config/listener)

I took me a lot of hours to figure this out. I hope it will help some of you out there.

like image 174
RHAD Avatar answered Sep 28 '22 05:09

RHAD