I am trying to configure a WinRM HTTPS listener on a Windows machine. Earlier I had followed WinRm https listener configuration.

The above solution worked for me.

But now I have deleted the listener and want to configure WinRM again using winrm quickconfig -transport:https, but I am unable to do it as it's throwing an error:

WSManFault

Message = Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

Even after deleting the HTTPS listener I am unable to do quickconfig. I feel there is a need to remove the thumbprint from some place, but I am not sure from where all.

I have gone through one of the links where Jared stated that we need to manually delete the thumbprint: Automatically reconfigure WinRM HTTPS listener

visualizer
  • I experienced the same error; tried everything mentioned in the below answer and in related articles. The solution for me was to create a new certificate instead of using one of the existing certificates on my server. The existing certificates were all server *and* client authentication, so I only used server auth in my new cert. – SamErde Jan 20 '17 at 20:23

1 Answer

I recently set up HTTPS + WinRM and got exactly the same problems.

The solution is: before invoking the command

winrm quickconfig -transport:https

you must do some prerequisite work. To be more specific, you must install a certificate on the server.

You can look at how to do that here - http://blogs.technet.com/b/jhoward/archive/2005/02/02/365323.aspx

To make a long story short:

1. Create the CA ROOT certificate

cmd> makecert -pe -n "CN=Test And Dev Root Authority" -ss my -sr LocalMachine -a sha1 -sky signature -r "Test And Dev Root Authority.cer"

Export it with the private key from the Certificates MMC on the host where you invoked makecert, and install it on the server and client hosts in certificates.mmc - Local Machine - Trusted Root Authorities.

2. Create the SSL certificate

cmd> makecert -pe -n "CN=8.8.8.8" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test And Dev Root Authority" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 8.8.8.8.cer

where CN=8.8.8.8 must be the IP of the server.

Export the certificate with the private key from the Certificates MMC and import it on the server into certificates.mmc - Local Machine - Personal.

ONLY AFTER THAT invoke

winrm quickconfig -transport:https

I hope the couple of days I spent trying to figure out how it works will save you a couple of days.

Jenny D
Alex
  • Is creating the CA ROOT cert necessary? Is a self-signed cert not enough? – jschmitter Apr 15 '20 at 20:24
  • If you cannot run 'makecert' because you don't have Visual Studio installed on the target machine, please use the PowerShell command 'New-SelfSignedCertificate' instead (https://www.visualstudiogeeks.com/devops/how-to-configure-winrm-for-https-manually) – Luis Gouveia Apr 28 '20 at 13:43
  • As for the CA ROOT question: the certificate won't work without the CA ROOT installed. They work only together. Always. If you already have the CA ROOT on the target computer then you don't need it, because you already have it. – Alex Apr 21 '21 at 17:24
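
The conditions listed in the WSManFault message can be checked against the machine store before running winrm quickconfig -transport:https. The PowerShell below is an added example, not part of the original question, answer or comments; the parameter $TargetName and the function name Test-WinRMCertificate are assumptions made for illustration.

```powershell
# Added example: audit Cert:\LocalMachine\My against the conditions named in the
# WSManFault text (CN match, Server Authentication, not expired, not self-signed).
# $TargetName is an assumption: the host name or IP that clients use to reach WinRM.
param([string]$TargetName = $env:COMPUTERNAME)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication, same OID as -eku in the answer
$now = Get-Date

function Test-WinRMCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Name
    )
    # Simple name of the subject; for certificates made as in the answer this is the CN
    $cn = $Cert.GetNameInfo('SimpleName', $false)

    # Collect the OIDs from the Enhanced Key Usage extension, if the certificate has one
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        CN            = $cn
        CnMatches     = ($cn -ieq $Name)
        ServerAuth    = ($ekuOids -contains $serverAuthOid)
        EkuOids       = ($ekuOids -join ',')   # shows certificates that carry extra usages
        NotExpired    = ($Cert.NotBefore -le $now -and $Cert.NotAfter -gt $now)
        NotSelfSigned = ($Cert.Subject -ne $Cert.Issuer)
        HasPrivateKey = $Cert.HasPrivateKey
        ChainValid    = $Cert.Verify()         # builds the chain to a trusted root
    }
}

# One row per certificate in the Personal store of the local machine
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-WinRMCertificate -Cert $_ -Name $TargetName } |
    Format-List

# Listeners that still exist, including any CertificateThumbprint bound to HTTPS
# (run from an elevated prompt)
winrm enumerate winrm/config/listener
```

A certificate that shows False in any column is a candidate explanation for the error; the listener output shows whether an old thumbprint is still bound.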