If you install Windows Admin Center (WAC) in gateway mode, the browser should communicate with the server over a secure connection. Although the WAC setup installs a certificate, browsers still raise a security warning for it. You should therefore replace it with your own certificate.

Wolfgang Sommergut

Wolfgang Sommergut has over 20 years of experience in IT journalism. He has also worked as a system administrator and as a tech consultant. Today he runs the German publication WindowsPro.de.

Strictly speaking, the standard WAC certificate is a self-signed certificate generated during installation. The subject name and issuer are "Windows Admin Center," and it expires after two months.

Since you normally do not want to live with constant browser warnings, it makes sense to install a proper certificate on the gateway server.

WAC's self-signed certificate leads to browser warnings

You can prevent users from bypassing the browser warning by connecting to the WAC gateway over an unencrypted connection: activate the following option during setup:

Redirect HTTP traffic (port 80) to HTTPS

In the same dialog, you will also find the option to generate a self-signed certificate. This certificate is likewise valid for only 60 days, and, unlike an explicit call to the PowerShell cmdlet New-SelfSignedCertificate, the setup offers no way to set any of its attributes.

When you install WAC, you can specify your own certificate

As a third option, the setup allows you to enter the thumbprint of a certificate already installed on your computer. If you don't use this option during setup and start with the default certificate instead, you will not find a menu item in WAC to replace it afterwards.

Change WAC installation for a new certificate

Instead, you have to start the setup again by running the .msi file from which you installed WAC. The first dialog shows the Change button, which takes you to the wizard dialog described above.

To change the certificate, you have to restart the WAC setup

If you do not yet have an SSL certificate for WAC, it makes sense to issue one via an internal certificate authority (CA). In the case of Microsoft's certificate services, you can do this via the MMC-based GUI.

Issuing a certificate via PowerShell or Let's Encrypt

A simpler alternative is the Get-Certificate cmdlet, especially if the WAC gateway runs on Server Core. Its limitation is that the private key of a certificate requested with Get-Certificate cannot be exported, so you must submit the certificate signing request from the server on which WAC runs.

If WAC is to be accessible from outside the firewall, from computers that are not members of the domain, you can obtain a free certificate from Let's Encrypt instead.

Determining the thumbprint

The final step, after importing the certificate into the local store, is to copy its thumbprint into the setup. PowerShell lets you find this information quickly.

Displaying the thumbprint of the new certificate with PowerShell

To do this, change to the appropriate location in the store, using this command:

If you then call:

it lists all certificates in that location, and you can copy the desired thumbprint from the output.
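As an added example (not from the article), the following PowerShell snippet goes one step further than simply listing the store: it filters the local computer's personal store down to certificates that are actually usable for the WAC gateway and prints the thumbprint to paste into the setup. It assumes the certificate has already been imported into Cert:\LocalMachine\My and that $GatewayFqdn (a placeholder here) is the host name users type into the browser.

```powershell
# Added example, not from the article. Assumes the new certificate is already
# in Cert:\LocalMachine\My and that $GatewayFqdn is replaced with the real name.
param(
    [string]$GatewayFqdn = 'wac.example.local'   # placeholder host name
)

$now = Get-Date

# Keep only certificates that the gateway can really serve without warnings:
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and                                    # TLS needs the key
    $_.NotAfter -gt $now -and $_.NotBefore -le $now -and      # currently valid
    $_.Subject -ne $_.Issuer -and                            # skip self-signed (e.g. "Windows Admin Center")
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and  # Server Authentication EKU
    $_.DnsNameList.Unicode -contains $GatewayFqdn            # SAN matches the browser URL
}

# Verify() builds the chain on this server; a failure here usually means
# domain clients will also distrust the certificate.
$candidates |
    Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, Subject, NotAfter, @{ n = 'ChainOK'; e = { $_.Verify() } }

$best = $candidates |
    Where-Object { $_.Verify() } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if ($null -eq $best) {
    Write-Warning "No trusted, valid certificate for $GatewayFqdn found in Cert:\LocalMachine\My."
} else {
    Write-Output "Thumbprint to enter in the WAC setup: $($best.Thumbprint)"
}
```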

2 Comments
  1. Marc 4 weeks ago

    Wolfgang I don't know how you read my mind but I was just looking this information up this morning! Thank you!!


  2. Wolfgang Sommergut 4 weeks ago

    Must have been telepathy 😉



© 4sysops 2006 - 2019
