Strictly speaking, the standard WAC certificate is a self-signed certificate generated during installation. The subject name and issuer are “Windows Admin Center,” and it expires after two months.
Since you normally do not want to live with constant browser warnings, it makes sense to install a proper certificate on the gateway server.
You can prevent users from avoiding the browser warning by connecting to the WAC gateway via an unencrypted connection by activating the following option during setup:
Redirect HTTP traffic (port 80) to HTTPS
In the same dialog, you will also find the option to generate a self-signed certificate. This certificate is then also only valid for 60 days, and, unlike with the explicit call to the PowerShell cmdlet New-SelfSignedCertificate, there is no way of assigning a specific value to any attribute.
As a third option, the setup allows you to enter the thumbprint of a certificate already installed on your computer. If you don’t use this option during setup and start with the default certificate instead, you will not find a menu item in WAC to replace it afterwards.
Change WAC installation for a new certificate ^
Instead, you have to start the setup again by calling the .msi file from which you have installed WAC. The first dialog shows the Change button, which takes you to the dialog of the wizard described above.
If you do not yet have an SSL certificate for WAC, it makes sense to issue one via an internal certificate authority (CA). In the case of Microsoft’s certificate services, you can do this via the MMC-based GUI.
Issuing a certificate via PowerShell or Let’s Encrypt ^
An uncomplicated alternative is the Get-Certificate cmdlet, especially if the WAC gateway is running on Server Core. However, the limitation is that you cannot export the private key of a certificate created with the Get-Certificate cmdlet. Therefore, you have to launch the certificate-signing request from the server on which WAC is running.
If WAC should be accessible from outside the firewall on computers that are not part of the domain, you could get a free certificate via Let’s Encrypt.
Determining the thumbprint ^
The final step is to copy the certificate’s thumbprint into the setup soon after installing it into the local store. PowerShell lets you find out this information quickly and easily.
To do this, change to the appropriate location in the store, using this command:
If you then call:
Get-ChildItem | select Subject, Issuer, ThumbPrint | fl
It will list all certificates, and you may copy the desired thumbprint from the output.