Creating and Distributing a Self-Signed Windows Admin Center certificate
Intro
Today I am going to show you how to renew your Windows Admin Center certificate, as well as how to distribute that certificate with Group Policy. For those that do not know, Windows Admin center is an awesome tool that allows you to manage, configure and troubleshoot Windows servers and PCs. The best part, in my opinion, is that not only is it completely free, but you can run it in a browser window on any PC.
Problem Statement
The issue we are trying to solve today is that while Windows Admin Center works great on our gateway server that we stood up, but any other endpoint accessing this gateway gets a cert error.
Certificate working correctly on local host
Certificate error when connecting to the WAC on another server
Why is this happening?
This is happening because of the way we set up Windows Admin Center. When installing the application we have the option to select an SSL certificate that we (the administrator) provide. This would be the ideal way to configure Windows Admin Center, but it would require us to use a certificate from either a public certificate authority or create one in an internal certificate authority. Now in my lab environment, I don’t want to pay for a public SSL certificate, and I don’t have an internal CA. But I can still solve this problem by using a self-signed certificate and then distributing it to our endpoints with Group Policy.
Self-signed Certificate
First thing we have to do is verify that we have a valid Windows Admin Center self-signed certificate. Now, it would be pretty obvious if we didn’t, as we would be getting a cert error even on our Windows Admin Center gateway. But let’s check our certificate and verify its validity period.
Confirm the certificate is valid
Check certlm.msc for the published Windows Admin Center certificate
Renewing Windows Admin Center Self-signed Certificate
If we do need to renew the certificate, it is super simple. We just need to launch the Windows Admin Center installer and select Change. This will give us the option to change out the certificate or create a new one.
In the installer options, you can create a new certificate or view the thumbprint of the current one
Exporting our Self-signed Certificate
Now that we have verified our certificate is valid, we need to export it so that we can distribute it to our other endpoints that will be using the Windows Admin Center on our gateway server.
Right-click the WAC certificate, under All Tasks, choose Export
On the next screen, choose to export the private key, leave the default format options checked, set a password, and then select a file name/location to export it. Once exported, move it to your domain controller where we will be creating the GPO.
The exported certificate
Creating the Group Policy Object to Distribute the Certificate
Now we need to create the GPO that will push our certificate to our endpoints. First we will connect to one of our domain controllers and open up the Group Policy Management Editor.
Verify our Certificate has been Distributed to our Clients
Now that our GPO is created, we need to verify it has made it to our endpoints. First thing we can do is perform a manual Group Policy update on our client to save some time waiting for a sync. We can then open view our Trust Root Certificate store on the client to verify the Windows Admin Center certificate exists. Lastly, we will launch the Windows Admin Center in the browser and confirm we don’t have any errors.
Right click the OU that will house your GPO and select Create a GPO. I named mine “Client Certificates”
In the Group Policy Editor, look for Trust Root Certificate Authorities
Right-click, choose Import, and browse to your exported WAC certificate Note: You may need to change the file type filter to All Files
Type in the password you chose earlier. Leave everything else as the defaults
Make sure the Trust Root Certificate store is selected
That is it. Click Finish and you will see the certificate show up in the policy you created.
Now to verify what we have done, go to a machine that is in the OU where you applied the GPO. Run GPUpdate /Force to kick off a group policy scan (this is done automatically at a variable time period, but kicking it off manually will save some time). Once the group policy update completes, launch certlm.msc and verify the Windows Admin Center certificate is now showing in the Trusted Root Certificate store.
Open certlm.msc and verifiy the certificate is now there
Lastly, open a web browser on the machine and navigate to your WAC URL. Instead of the certificate warning we got previously, you should get a log-in prompt. Enter your credentials and look at our secure connection!
Look, a padlock instead of a certificate error!
Missed a step? I have a full video on this process linked below.
References:
Microsoft - Updating WAC certificate
Microsoft - Distribute Certificates with Group Policy
Video for the visual learners: Updating and distributing your Windows Admin Center Certificate