WinRm - Cannot create a WinRM listener on HTTPS due to incorrect SSL certificate

Question

I want to use WinRM with https transport. I've bought a Comodo certificate (the error states I cannot use a self-signed certificate) with the Subject matching my FQDN (Full computer name in System) of my Windows 10 computer (not domain joined):

CN = my.domain.net 
OU = PositiveSSL 
OU = Domain Control Validated

When trying to create a https listener with the following command:

WinRm quickconfig -transport:https

I get the error message:

Error number: -2144108267 0x80338115 Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

I've installed (doubleclick the *.crt file) the certificate in several stores (local machine / personal and Trusted Root Certification Authorities) but WinRM fails to create the https listener. The http listener is working OK.

Some extra info: When using certreq to try to install the *.cer certificate, I get the error:

Element not found. 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)

How do I get WinRM working with https?

Answer 1

Here is how I solved this issue:

• create a SSL CSR using DigiCert Certificate Utility for Windows from digicert.com
• use the generate CSR to request a certificate. I used versio.nl but I'll guess there are a lot of CA's out there
• Install the certificate by double clicking it
• go to the certificate manager for user
• rightclick the certificate (it should me in the personal store) and export it - follow the wizard and be sure to export the private key
• install the newly exported certificate (mark the key as exportable and include all extended properties) in the local computer certificate store

Open an console (cmd) with administrator privilidges and type:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="server.fqdn";CertificateThumbprint="YOURCERTIFICATETHUMPPRINT"}

This worked for me. Some things to check if it is not working:

1. is the certificate still valid (check the date range)
2. check if the certificate property 'Subject" has a CN value with the FQDN of your computer
3. check if the listener is installed (winrm e winrm/config/listener)

I took me a lot of hours to figure this out. I hope it will help some of you out there.

Answer 2

Yeah, I got the same thing, this is a bug in the Microsoft docs, when you run "winrm create -?".

enter image description here

Answer 3

I also experienced this issue - the answer from RHAD was partially helpful, but I needed to use an entirely internally generated CA.

The problem was caused by the Key algorithm I had chosen. Using the same configuration, only changing the key it works:

Failed key: elliptic curve cryptography with the brainpoolP512t1 curve (in the certificate this showed as: Public Key Algorithm: id-ecPublicKey / ASN1 OID: brainpoolP512t1 )

Successful key: an RSA key: (in the certificate: RSA Public-Key: (4096 bit))

Hopefully this helps others with similar issues.