Prerequisites
- An XCA PKI database (https://youtu.be/ezzj3x207lQ)
Create Your SSL Certificate
- Launch XCA
- Open the PKI database if it is not already (File > Open DataBase), enter password
- Click on the Certificates tab, right click on your Intermediate CA certificate
- Select New
- On the Source tab, make sure Use this Certificate for signing is selected
- Verify your Intermediate CA certificate is selected from the drop down
- Click the Subject tab
- Complete the Distinguished Name section, for example:
  internalName: i12bretrodc.i12bretro.local
  countryName: US
  stateOrProvinceName: Virginia
  localityName: Northern
  organizationName: i12bretro
  organizationUnitName: i12bretro Certificate Authority
  commonName: i12bretrodc.i12bretro.local
- Click the Generate a New Key button
- Enter a name and set the key size to at least 2048
- Click Create
- Click on the Extensions tab
- Select End Entity from the type list
- Click Edit next to Subject Alternative Name
- Add any DNS or IP addresses that the certificate will identify
- Update the validity dates to fit your needs
- Click the Key Usage tab
- Under Key Usage select Digital Signature, Key Encipherment
- Under Extended Key Usage select Web Server and Web Client Authentication
- Click the Netscape tab
- Select SSL Server
- Click OK to create the certificate
Exporting the Certificate
- In XCA, click on the Certificates tab
- Right click the SSL certificate > Export > File
- Set the file name with a .p12 extension and verify the export format is PKCS #12 (*.p12)
- Enter a password to protect the .p12 export
Importing Certificate Into Windows Certificate Store
- Right click the Start Button > Run
- Type mmc.exe, press enter
- Click File > Add/Remove Snap-in…
- Click Certificates
- Click Add
- Select Computer account
- Click Next
- Select Local computer
- Click Finish
- Click OK
- Expand Certificates
- Right click the Personal folder > All Tasks > Import….
- Click Next
- Click Browse > Select the exported SSL .p12 file > Click Next
- Enter the password created for the .p12 export
- Verify Include all extended properties is checked
- Click Next
- Click Next
- Click Finish
- Double click the newly imported certificate
- Select the Details tab > Scroll to the bottom of the details pane
- Click the thumbprint line item
- Copy the thumbprint value in the lower pane to the clipboard
- Download Windows Admin Center
- Run the downloaded .msi
- If WAC is already installed, click the change button
- Select the Use an SSL certificate installed on this computer option
- Paste in the thumbprint copied from the imported certificate
- Click Change to apply the changes
This article has not been completed yet. However, it may already contain helpful information and has therefore been published at this stage.
Prerequisites:
- Some linux based environment
Links that might be useful in this case:
- Setting up WSL2 (Windows Subsystem for Linux) on Windows 10
Anyone who has been using the Windows Admin Center for longer than 60 days will probably run into a certificate problem. The latest browser from Microsoft, Edge, will then no longer allow access to the WAC portal at all.
1) Scenario 1 — Local WAC Installation
The easiest way to get a new certificate is to initiate a repair installation. The steps below apply if you have a local WAC installation.
You could also use a separately created certificate at this point by providing its thumbprint to perform the necessary reassignment.
2) Scenario 2 — WAC — Gateway Installation
In order to avoid getting an expired certificate again in 60 days, I create a certificate that is valid for 10 years.
For this I switch to my Linux environment, in my case a WSL installation based on Ubuntu.
# Create a folder for the certificate files
mkdir certs
# Change into it
cd certs
# Generate a self-signed certificate: RSA 4096, SHA-256, valid 3650 days (10 years), unencrypted key (-nodes)
# Replace <fqdn> with the DNS name of the WAC gateway; the same name must appear in the SAN, because browsers ignore the CN
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout cert.key -out cert.crt -extensions san -config \
<(echo "[req]";
echo distinguished_name=req;
echo "[san]";
echo subjectAltName=DNS:<fqdn>
) \
-subj "/CN=<fqdn>"
# List the newly generated files (cert.key is the unencrypted private key, keep this folder private)
ls
# Certificate conversion - CRT+Key = PFX (you are prompted for an export password, which is needed again on import)
openssl pkcs12 -export -in cert.crt -inkey cert.key -out wac.pfx
# The files can then be picked up via Windows Explorer under
\\wsl$\Ubuntu\home\bruendlt\certs
The changeover process:
# var
$GatewayServerName="<Hostname WAC - Gateway>"
# session
$Session=New-PSSession -ComputerName $GatewayServerName
# copy (the -Destination path is expanded on the local machine, so the same profile path must exist on the gateway)
Copy-Item -Path "$env:USERPROFILE\Downloads\wac.pfx" -Destination "$env:USERPROFILE\Downloads\wac.pfx" -ToSession $Session
# cert import
Invoke-Command -ComputerName $GatewayServerName -ScriptBlock {Import-PfxCertificate -FilePath "$env:USERPROFILE\Downloads\wac.pfx" -CertStoreLocation Cert:LocalMachine\My -Exportable -Password (ConvertTo-SecureString -String '<PFX - File Password>' -AsPlainText -Force)}
# extract appId (the index into the netsh output depends on its layout; check that this line holds the Application ID of the 0.0.0.0:443 binding)
$pattern = '(?<=\{).+?(?=\})'
$appId=[regex]::Matches((Invoke-Command -ComputerName $GatewayServerName -ScriptBlock {netsh http show sslcert})[8], $pattern).Value
# thumbprint ($using: is required: without it $GatewayServerName is empty inside the remote script block and -Match matches every certificate)
$Thumbprint = (Invoke-Command -ComputerName $GatewayServerName -ScriptBlock {Get-ChildItem -Path Cert:\LocalMachine\MY | Where-Object {$_.Subject -Match "$using:GatewayServerName"} | Select-Object FriendlyName, Thumbprint, Subject, NotBefore, NotAfter| Sort-Object -Property NotAfter -Descending | Select-Object -first 1}).Thumbprint
# delete old binding
Invoke-Command -ComputerName $GatewayServerName -ScriptBlock {netsh http delete sslcert ipport=0.0.0.0:443}
# add new binding
$NetshArgumentList = "http add sslcert ipport=0.0.0.0:443 certhash="+$Thumbprint+" appid=`'{"+$appId+"}`'"
Invoke-Command -ComputerName $GatewayServerName -ScriptBlock {Invoke-Expression "netsh $using:NetshArgumentList"}
# restart
Invoke-Command -ComputerName $GatewayServerName -ScriptBlock {Restart-Service ServerManagementGateway}
# add certificate to the trusted root certs of the local machine running this script
$Subject = (Invoke-Command -ComputerName $GatewayServerName -ScriptBlock {Get-ChildItem -Path Cert:\LocalMachine\MY | Where-Object {$_.Subject -Match "$using:GatewayServerName"} | Select-Object FriendlyName, Thumbprint, Subject, NotBefore, NotAfter| Sort-Object -Property NotAfter -Descending | Select-Object -first 1}).Subject
Start-Sleep -Seconds 10
$cert = Invoke-Command -ComputerName $GatewayServerName -ScriptBlock {Get-ChildItem Cert:\LocalMachine\My\ |where subject -eq "$using:Subject"}
$cert | Export-Certificate -FilePath $env:TEMP\WACCert.cer
Import-Certificate -FilePath $env:TEMP\WACCert.cer -CertStoreLocation Cert:\LocalMachine\Root\
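After the changeover it is worth checking that the binding, the store and the certificate contents actually line up. The following script is an added example, not part of the original article; it reuses the $GatewayServerName placeholder from above and assumes the WAC binding is on 0.0.0.0:443. The function name and the <fqdn> placeholder are mine.

```powershell
$GatewayServerName = "<Hostname WAC - Gateway>"   # same placeholder as the script above

function Test-WacGatewayCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ExpectedDnsName   # the name users type into the browser
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $findings = @()
        $expected = $using:ExpectedDnsName

        # 1. Which thumbprint does HTTP.sys actually serve on 0.0.0.0:443?
        $bindingText = (netsh http show sslcert ipport=0.0.0.0:443) -join "`n"
        if ($bindingText -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') {
            $bound = $Matches[1].ToUpper()
        } else {
            return "no SSL binding on 0.0.0.0:443 (netsh http show sslcert)"
        }

        # 2. That thumbprint must exist in LocalMachine\My together with its private key
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $bound }
        if (-not $cert) { return "bound thumbprint $bound is not in Cert:\LocalMachine\My" }
        if (-not $cert.HasPrivateKey) { $findings += "bound certificate $bound has no private key" }

        # 3. Validity window: an expired certificate is exactly the symptom this article describes
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $findings += "outside validity window ($($cert.NotBefore) .. $($cert.NotAfter))"
        } elseif ($cert.NotAfter -lt $now.AddDays(30)) {
            $findings += "expires within 30 days ($($cert.NotAfter))"
        }

        # 4. Browsers ignore the CN, so a Subject Alternative Name (OID 2.5.29.17) covering
        #    the browser host name is required; a wildcard only covers one label
        if (-not ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' })) {
            $findings += "no Subject Alternative Name extension"
        }
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $covered = $names | Where-Object {
            ($_ -eq $expected) -or
            ($_.StartsWith('*.') -and ($expected -like $_) -and
             ($expected.Split('.').Count -eq $_.Split('.').Count))
        }
        if (-not $covered) { $findings += "names [$($names -join ', ')] do not cover $expected" }

        # 5. Extended Key Usage, when present, must include Server Authentication
        $eku = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        if ($eku.Count -gt 0 -and $eku -notcontains '1.3.6.1.5.5.7.3.1') {
            $findings += "EKU [$($eku -join ', ')] lacks Server Authentication"
        }
        $findings   # empty output means the binding is consistent and the certificate is usable
    }
}
# Usage (placeholder FQDN): Test-WacGatewayCertificate -ComputerName $GatewayServerName -ExpectedDnsName "<fqdn>"
```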
References:
- Install Windows Admin Center (Microsoft Learn): how to install Windows Admin Center on a Windows PC or on a server so that multiple users can access it using a web browser.
- https://it-infrastructure.solutions/windows-admin-center-hybrid-hub-to-the-cloud-azure-part-2/
- Setting up WSL2 (Windows Subsystem for Linux) on Windows 10
- Generating self-signed certificate files (Linux — Debian)
- How to Access Your Linux (WSL) Files in Windows 10 (Chris Hoffman, How-To Geek): Windows 10's May 2019 Update introduced an easy, safe, and officially supported way to access and work with your Linux files from within File Explorer and other applications.
- How do I create a new certificate for Windows Admin Center? (techcommunity.microsoft.com): "I just now observed that our internal WAC certificate was only two months old and it's already expired. Can I simply create and use our own self-signed certificate? Do I install it like normal certificates within the Certificates MMC and WAC will automagically use it? Thank you, Tom"
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.
Today, I connected to my Windows Admin Center and got the following error message saying that my certificate is expired:
I renewed my certificate. To change it in the WAC, you just need to import the new certificate on the server and get its thumbprint:
When you have this thumbprint, go to the configuration panel and search for Windows Admin Center. Click on Change:
Choose to modify the WAC:
Replace the thumbprint with the one of the new certificate that you copied previously and click on Change:
The WAC service will restart. When it's done, the certificate on your WAC has been changed:
Intro
Today I am going to show you how to renew your Windows Admin Center certificate, as well as how to distribute that certificate with Group Policy. For those that do not know, Windows Admin Center is an awesome tool that allows you to manage, configure and troubleshoot Windows servers and PCs. The best part, in my opinion, is that not only is it completely free, but you can run it in a browser window on any PC.
Problem Statement
The issue we are trying to solve today is that while Windows Admin Center works great on the gateway server we stood up, any other endpoint accessing this gateway gets a certificate error.
Certificate working correctly on local host
Certificate error when connecting to the WAC on another server
Why is this happening?
This is happening because of the way we set up Windows Admin Center. When installing the application we have the option to select an SSL certificate that we (the administrator) provide. This would be the ideal way to configure Windows Admin Center, but it would require us to use a certificate from either a public certificate authority or create one in an internal certificate authority. Now in my lab environment, I don’t want to pay for a public SSL certificate, and I don’t have an internal CA. But I can still solve this problem by using a self-signed certificate and then distributing it to our endpoints with Group Policy.
Self-signed Certificate
First thing we have to do is verify that we have a valid Windows Admin Center self-signed certificate. Now, it would be pretty obvious if we didn’t, as we would be getting a cert error even on our Windows Admin Center gateway. But let’s check our certificate and verify its validity period.
Confirm the certificate is valid
Check certlm.msc for the published Windows Admin Center certificate
Renewing Windows Admin Center Self-signed Certificate
If we do need to renew the certificate, it is super simple. We just need to launch the Windows Admin Center installer and select Change. This will give us the option to change out the certificate or create a new one.
In the installer options, you can create a new certificate or view the thumbprint of the current one
Exporting our Self-signed Certificate
Now that we have verified our certificate is valid, we need to export it so that we can distribute it to our other endpoints that will be using the Windows Admin Center on our gateway server.
Right-click the WAC certificate, under All Tasks, choose Export
On the next screen, choose to export the private key, leave the default format options checked, set a password, and then select a file name/location to export it. Once exported, move it to your domain controller where we will be creating the GPO.
The exported certificate
Creating the Group Policy Object to Distribute the Certificate
Now we need to create the GPO that will push our certificate to our endpoints. First we will connect to one of our domain controllers and open up the Group Policy Management Editor.
Right click the OU that will house your GPO and select Create a GPO. I named mine "Client Certificates"
Right-click, choose Import, and browse to your exported WAC certificate. Note: You may need to change the file type filter to All Files
Type in the password you chose earlier. Leave everything else as the defaults
Make sure the Trusted Root Certificate store is selected
That is it. Click Finish and you will see the certificate show up in the policy you created.
Verify our Certificate has been Distributed to our Clients
Now that our GPO is created, we need to verify it has made it to our endpoints. First, we can perform a manual Group Policy update on the client to save time waiting for a sync. We can then open the Trusted Root Certificate store on the client to verify the Windows Admin Center certificate exists. Lastly, we will launch the Windows Admin Center in the browser and confirm we don't have any errors.
Now to verify what we have done, go to a machine that is in the OU where you applied the GPO. Run GPUpdate /Force to kick off a group policy scan (this is done automatically at a variable time period, but kicking it off manually will save some time). Once the group policy update completes, launch certlm.msc and verify the Windows Admin Center certificate is now showing in the Trusted Root Certificate store.
Open certlm.msc and verify the certificate is now there
Lastly, open a web browser on the machine and navigate to your WAC URL. Instead of the certificate warning we got previously, you should get a log-in prompt. Enter your credentials and look at our secure connection!
Look, a padlock instead of a certificate error!
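The same check can be scripted on a client so that the GPO result is verified without a browser. This is an added example and not the author's code: it confirms the certificate reached LocalMachine\Root and then performs a TLS handshake with the default Windows chain and host name validation, which is what the browser does. The function name, $WacHost and $ExpectedThumbprint are placeholders of mine.

```powershell
function Test-WacClientTrust {
    param(
        [Parameter(Mandatory)][string]$WacHost,            # host name used in the WAC URL
        [Parameter(Mandatory)][string]$ExpectedThumbprint, # thumbprint copied from the gateway
        [int]$Port = 443
    )
    $result = [ordered]@{
        InTrustedRoot    = $false   # did the GPO deliver the certificate?
        HandshakeTrusted = $false   # does the OS chain engine accept it for this host name?
        ServerThumbprint = $null    # what the gateway actually presented (only known on success)
        Error            = $null
    }
    # 1. The GPO should have placed the self-signed certificate in LocalMachine\Root.
    #    MMC copies thumbprints with spaces, so normalise before comparing.
    $tp = ($ExpectedThumbprint.ToUpper() -replace '[^0-9A-F]', '')
    $result.InTrustedRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $tp })

    # 2. Same validation a browser performs: chain must build to a trusted root and the
    #    certificate must match $WacHost. AuthenticateAsClient throws when either fails.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($WacHost, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($WacHost)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.ServerThumbprint = $remote.Thumbprint
        $result.HandshakeTrusted = $true
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message   # e.g. untrusted root or name mismatch
    } finally {
        $tcp.Dispose()
    }
    # 3. A trusted handshake with a different thumbprint means the gateway still serves
    #    another certificate than the one that was distributed.
    if ($result.ServerThumbprint -and $result.ServerThumbprint -ne $tp) {
        $result.Error = "gateway presented $($result.ServerThumbprint), expected $tp"
    }
    [pscustomobject]$result
}
# Usage (placeholders): Test-WacClientTrust -WacHost "<FQDN of the gateway>" -ExpectedThumbprint "<thumbprint>"
```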
Missed a step? I have a full video on this process linked below.
References:
Microsoft — Updating WAC certificate
Microsoft — Distribute Certificates with Group Policy
Video for the visual learners: Updating and distributing your Windows Admin Center Certificate
Windows Admin Center 1809: install and distribute a self-signed certificate
Hi everyone,
as Windows Admin Center is becoming more and more popular, I asked myself how I can change or renew the default certificate in a WAC installation. After installation the default certificate is valid for about three months. So there is not much time 🙂 to change it.
In my scenario I use OpenSSL with a special configuration file to generate a certificate for my WAC server. You can also buy a trusted certificate from a provider.
The aim is to access the WAC with a valid certificate inside domain network:
Let's have a look at my config file:
###### config file
[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn

[dn]
C = DE
ST = BW
L = Mengen
O = IT
emailAddress = XX@demo01.it-koehler.com
CN = wac01-74.demo01.it-koehler.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = demo01.it-koehler.com
DNS.2 = *.demo01.it-koehler.com
DNS.3 = wac01-74
DNS.4 = localhost
You can install OpenSSL on your PC; it is not needed on the WAC server. Check the path where the config file is located. In my case it is called "wildcard.cfg".
openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout "C:\temp\wac01-74.key" -days 3560 -out "C:\temp\wac01-74.crt" -config "C:\temp\wildcard.cfg"
After generation you can also convert it to a PFX so that Windows Server can import it together with the private key.
openssl pkcs12 -export -out "C:\temp\wac01-74.pfx" -inkey "C:\temp\wac01-74.key" -in "C:\temp\wac01-74.crt"
If you completed the steps successfully, there should be files like this in the working directory on your PC.
Now you can copy the PFX file to your WAC server to import it.
You need the password defined in OpenSSL to import the PFX file.
There is no need to mark it as exportable, but if you lose your password you can export it again from the WAC server. It is your choice 🙂.
The PFX file has to be imported into the Personal certificate store!
During the installation process in WAC you need the thumbprint of this certificate. There is an easy way to get it with PowerShell or with the MMC "certlm.msc".
Get-ChildItem -Path cert:\LocalMachine\My\
In this case identifying it is quite easy. Copy the thumbprint to a document.
Now we're ready to change the certificate in WAC. To do this, start the original setup (msi) again.
Select "change".
Paste the copied thumbprint into the gateway certificate field (the old one is not needed anymore).
Finish the installation. Now the WAC is using our brand new certificate, but installing it on the server does not mean it is trusted. When we open Edge or Chrome everything is red and "not secure".
We have to make the complete domain (or only some parts of it) trust the new certificate. In my case I decided to achieve this with a new GPO. So open your GPO console on your domain controller or RSAT tools.
Generate a new GPO and import the .crt file (it doesn't make sense to distribute your PFX file; on the contrary, it is dangerous, because the PFX contains the private key).
Copy the crt file to the DC, or to a location the DC can access.
After completing the GPO you can link it where all your PCs or servers are, or wherever you do not want to see red warnings when accessing the WAC.
Test the GPO with "gpupdate /force" on a client machine.
If your GPO works as it should, there is no warning anymore. Feel free to ask some questions in the comment section. If you liked the blog post click "Helpful".
Thanks for reading and have fun.