Creating a Certificate for Windows Admin Center from a Windows Certificate Authority
In my 2022-01-12 post I set up Windows Admin Center (WAC) on a gateway server and used a self-signed certificate for it. I also pushed that self-signed certificate out with Group Policy so that other clients could connect to it and see that it is a trusted site. This was a super simple way to set it up and worked just fine. However, it wouldn’t be the best way to do it if we want to keep using WAC or were using WAC in an enterprise environment. I really like the toolsets within WAC so I plan on keeping it around for a while. With that in mind, lets identify and fix some of the negatives about the way we set it up.
1) Our self-signed certificate is only valid for 60 days (this is a limitation that Microsoft has configured within WAC)
2) When we create a new certificate after the 60 day period, we need to push that new certificate out all over again
So, lets reconfigure it. Lets:
1) Create a new certificate template with Windows Active Directory Certificate Services
2) Have the gateway server where WAC resides request a new certificate using that template
3) Configure WAC to use our new certificate (with a two year validity period!)
Step 1 - Create a new certificate with Windows Active Directory Certificate Services
In AD CS, right-click on Certificate Templates and choose Manage
Right-click Web Server and choose Duplicate Template
On the General tab, change the Template display name and Template name to something related to Windows Admin Center. You can also change the validity period here
On the Security tab, change the permissions for Authenticated Users to Full Control. Click OK
Back on the Certificate Templates snap-in, right-click Certificate Templates and choose New -> Certificate Template to Issue. Choose the template that you just created and click OK
Step 2 - Have the gateway server where WAC resides request a new certificate using that template
Your template will now appear in the Certificate Templates section. We can now go back to our WAC gateway server and launch the certlm.msc snap-in there. On our gateway server right-click Certificates in the Personal store and choose All Tasks -> Request New Certificate
The first screen in the Certificate Enrollment window will be to choose the enrollment policy. We can leave it as the default (Active Directory Enrollment Policy) and click Next. The next screen will show us all the certificates that are available to us. We should see our Windows Admin Center template here and also a yellow triangle saying that we need to provide more information in order to enroll a certificate from it. Click the blue text to launch Certificate Properties
In Certificate Properties, on the Subject tab, change the dropdown for Subject name to Common name. Type your gateway server’s hostname and click add. In the Alternative name dropdown choose DNS and type your server’s FQDN (serverName.domain.com). Be sure to click Add to move both values into the right-hand boxes.
On the General tab, type an appropriate name for the certificates friendly name. Click OK
After we click OK we can see that the prompt that we need to provide more information is gone. We can now select our Windows Admin Center certificate and click Enroll. That is it! You should see a sucessful status message and also be able to see your new certificate in our gateway server’s personal certificate store
Now that we have the certificate created, we need to copy the certificate’s thumbprint. Double-click the certificate and go to the details tab. Make sure Show is set to
Step 3 - Configure WAC to use our new certificate
On the gateway server, open Control Panel and click Change. Click Next and then Change. On the Configure Gateway Endpoint screen, select the second option of using an SSL certificate installed on this computer. In the text box paste the thumbprint we got from the previous step. Click Change
Now re-launch Windows Admin Center and check on the certificate. No more renewing every 60 days!