WinRm - Cannot create a WinRM listener on HTTPS due to incorrect SSL certificate

问题

I want to use WinRM with https transport. I've bought a Comodo certificate (the error states I cannot use a self-signed certificate) with the Subject matching my FQDN (Full computer name in System) of my Windows 10 computer (not domain joined):

CN = my.domain.net 
OU = PositiveSSL 
OU = Domain Control Validated

When trying to create a https listener with the following command:

WintRm quickconfig -transport:https

I get the error message:

Error number: -2144108267 0x80338115 Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

I've installed (doubleclick the *.crt file) the certificate in several stores (local machine / personal and Trusted Root Certification Authorities) but WinRM fails to create the https listener. The http listener is working OK.

Some extra info: When using certreq to try to install the *.cer certificate, I get the error:

Element not found. 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)

How do I get WinRM working with https?

回答1:

Here is how I solved this issue:

• create a SSL CSR using DigiCert Certificate Utility for Windows from digicert.com
• use the generate CSR to request a certificate. I used versio.nl but I'll guess there are a lot of CA's out there
• Install the certificate by double clicking it
• go to the certificate manager for user
• rightclick the certificate (it should me in the personal store) and export it - follow the wizard and be sure to export the private key
• install the newly exported certificate (mark the key as exportable and include all extended properties) in the local computer certificate store

Open an console (cmd) with administrator privilidges and type:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS  @{Hostname="server.fqdn";CertificateThumbprint="YOURCERTIFICATETHUMPPRINT"}

This worked for me. Some things to check if it is not working:

1. is the certificate still valid (check the date range)
2. check if the certificate property 'Subject" has a CN value with the FQDN of your computer
3. check if the listener is installed (winrm e winrm/config/listener)

I took me a lot of hours to figure this out. I hope it will help some of you out there.

来源：https://stackoverflow.com/questions/41890240/winrm-cannot-create-a-winrm-listener-on-https-due-to-incorrect-ssl-certificate