WinRM errors creating HTTPS listener

Question

Good afternoon!

I'm trying to set up a WinRM listener over HTTPS, but get an error:
C:\Windows\system32>winrm quickconfig -transport:https
WinRM service is already running on this machine.
WSManFault
Message
ProviderFault
WSManFault
Message = Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

Error number: -2144108267 0x80338115
Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

I also got another error: C:\Windows\system32>winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="SPLDC4.splpharma.com";CertificateThumbprint="8ab5efe2f1269dd77e0c41f4c7c6db6717c35633"}
WSManFault
Message
ProviderFault
WSManFault
Message = An internal error occurred.

Error number: -2147023537 0x8007054F
An internal error occurred.
No information on that internal error is available.

I know the cert is good for the server, do I need to do something to expose it to WinRM? And is there any information out there about the internal error?

Thanks to all for looking!

Gregg

Answer 1

You can ensure that the revocation checks are working. I'd run the following:

certutil -verify -urlfetch <path of your cert>

If there is anything wrong in the output, the cert will not be accepted even if it looks good from a name and EKU point of view.

By the way, HTTPs for WinRM brings more headaches than anything else... It is still useful in some scenarios though. What is yours?