Hyper-V Server 2019 - WinRM over HTTPS

Anthony D 20 Reputation points
2023-03-26T16:03:01.41+00:00

I have an interesting problem enabling WinRM over HTTPS on Hyper-V Server 2019. I have a valid, Server Auth-enabled certificate imported into the Root store; however,

winrm quickconfig -transport:https

still results in the following:

WinRM service is already running on this machine.
WSManFault
    Message
        ProviderFault
            WSManFault
                Message = Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

Error number:  -2144108267 0x80338115
Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

Hostname is: CIC-OverActive

Domain is: unifiedlab.lan

The certificate's properties in the Root store look good, the "Issued To" field matches the Host Name exactly (without domain), it has the Private Key (not exportable), and the root CA's certificate is in place as well and healthy, etc. etc.

I have even tried removing the default/system generated cert for the machine (after exporting it as a backup, of course).

Properties in the Root cert store (from Hyper-V's Windows Admin Center // Server Manager // Certificates):

Archived: NotArchived
Certificate Name: CIC-OverActive
Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2)
Friendly Name: CIC-OverActive
Issuer Name: <*****>
Issued To: CIC-OverActive
Path: LocalMachine\Root\89926350EBC3EC4C4C7C3773B9263157011787B2
Valid From: 3/26/2023
Valid To: 3/25/2025
Private Key: Not Exportable
Public Key: RSA
Public Key Parameters: 05 00
Scope: LocalMachine
Store: Root
Status: Healthy
Serial Number: 06
Subject: CN=CIC-OverActive, OU=Information Security Lab, O=<*******>, S=<*******>, C=<*******>
Signature Algorithm: sha256RSA
Thumbprint: 89926350EBC3EC4C4C7C3773B9263157011787B2
Version: 3
Certificate Template: -

I am following this guide as a reference, and all the conditions for the cert that are listed there seem to be met: https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/configure-winrm-for-https

I am unsure how to proceed in troubleshooting this one; any suggestions are welcome!


Accepted answer
  1. Limitless Technology 43,941 Reputation points
    2023-03-27T12:47:55.3133333+00:00

    Hello

    Thank you for your question and for reaching out. I understand you are having a query/issues related to WinRM.

    1. Please follow the guidance in the article below to enable certificate authentication and see whether the issue is resolved.

    https://learn.microsoft.com/en-us/windows/win32/winrm/authentication-for-remote-connections#enabling-or-disabling-authentication-options

    2. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

    Open the certificates MMC add-in and confirm the following attributes are correct:

    The date of the computer falls between the Valid from: and To: dates on the General tab.

    Host name matches the Issued to: on the General tab, or it matches one of the Subject Alternative Names exactly as displayed on the Details tab.

    That the Enhanced Key Usage on the Details tab contains Server authentication.

    On the Certification Path tab that the Current Status is This certificate is OK.

    Reference :

    https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/configure-winrm-for-https

    --If the reply is helpful, please Upvote and Accept as answer--

    1 person found this answer helpful.
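
The conditions listed in the answer above can be checked in one pass from PowerShell on the server. This is an added example, not part of the original thread; the function name Test-WinRMHttpsCertificate is hypothetical, and it assumes WinRM selects its HTTPS listener certificate from the local computer Personal store (Cert:\LocalMachine\My).

```powershell
# Added example: evaluates the listener-certificate conditions quoted in the error message.
# Assumption: WinRM looks for its HTTPS certificate in Cert:\LocalMachine\My.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$hostNames = @($env:COMPUTERNAME,
               [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)

function Test-WinRMHttpsCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$HostName = $hostNames
    )
    process {
        # Names the certificate asserts: subject CN plus any DNS SAN entries
        $names = @($Certificate.GetNameInfo('SimpleName', $false)) +
                 @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
        # EKU OIDs read from the extension; empty when no EKU extension is present
        $eku  = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $oids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        # Default chain policy: builds to a trusted root with online revocation checking
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($Certificate)
        $now     = Get-Date
        [pscustomobject]@{
            Thumbprint    = $Certificate.Thumbprint
            NameMatches   = [bool]($names | Where-Object { $HostName -contains $_ })
            InValidity    = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
            ServerAuthEku = ($oids -contains $serverAuthOid)
            SelfSigned    = ($Certificate.Subject -eq $Certificate.Issuer)
            HasPrivateKey = $Certificate.HasPrivateKey
            ChainOk       = $chainOk
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
}

# Report every certificate naming this host, and the store it was found in
foreach ($store in 'My', 'Root') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Test-WinRMHttpsCertificate |
        Where-Object { $_.NameMatches } |
        Select-Object @{ Name = 'Store'; Expression = { $store } }, * |
        Format-List
}
```

A certificate that passes every column but is reported only under Root, not My, is outside the store assumed for the listener lookup.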
