Why does WinRM not work with four level FQDN


I am trying to set up WinRM on our Windows servers in AWS so I can manage them with Ansible.

Our servers are all running Windows Server 2019.

I have a private CA that we use regularly, which is installed in the Trusted Root folder on the server, and I have created a certificate with the following:

  • CN: FQDN
  • time period: 3650 days
  • subjectAltName: contains FQDN, Hostname and IP address
  • extendedKeyUsage: serverAuth, clientAuth

In the Certification Path, the status shows "This certificate is OK."

I have tried using both the short Hostname and the FQDN as the CN for the certificate, but in both cases when I try to enable WinRM on HTTPS I get the error:

Error number: -2144108267 0x80338115 Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

I also tried using the command line:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="HOST";CertificateThumbprint="XXXXXXXXXX"}

Error: Invalid use of command line. Type "winrm -?" for help.

The FQDN format for the AWS compartment we use is <hostname>.<AWS account ID>.amazonaws.com, which has four levels instead of the traditional three levels. I have seen a few other applications that do not recognize an FQDN with sub-domains as being a valid name.

Does WinRM require a three-level FQDN in order to work?

I have generated certificates with both the short hostname and the FQDN for the server, but WinRM will not accept either one, even though they meet all of the requirements listed in the Microsoft WinRM documentation.


There are 0 answers
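The following is an added example and is not part of the question above nor an answer posted on this page. It checks a certificate against the properties that error 0x80338115 actually names (CN equal to the listener hostname, Server Authentication EKU, validity period, not self-signed, a chain that builds to a trusted root) and then creates the HTTPS listener explicitly by thumbprint with New-WSManInstance, which is the same call Ansible's own ConfigureRemotingForAnsible.ps1 uses, rather than letting winrm quickconfig search for a certificate. The number of DNS labels in the FQDN is not one of the checked properties. `$Thumbprint` and `$HostName` are placeholders you supply; the certificate is assumed to already be imported, with its private key, into the Local Machine personal store.

```powershell
# Added example, not code from the original post. Assumes the certificate is already
# in Cert:\LocalMachine\My with its private key, and that you pass the thumbprint and
# the name clients will connect to (e.g. host.<account>.amazonaws.com).
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [Parameter(Mandatory)] [string] $HostName
)

function Test-WinRmHttpsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [string] $ExpectedName
    )
    $problems = @()
    $now = Get-Date

    # WinRM needs the private key; a public-only import in the machine store is useless.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key present in Cert:\LocalMachine\My' }

    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $problems += "not currently valid (NotBefore=$($Cert.NotBefore), NotAfter=$($Cert.NotAfter))"
    }

    # The error text rejects self-signed certificates; Subject equal to Issuer is the usual tell.
    if ($Cert.Subject -eq $Cert.Issuer) { $problems += 'self-signed (Subject equals Issuer)' }

    # Enhanced Key Usage must include id-kp-serverAuth (1.3.6.1.5.5.7.3.1).
    $ekuExt  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') {
        $problems += 'Enhanced Key Usage does not include Server Authentication (1.3.6.1.5.5.7.3.1)'
    }

    # The CN is compared to the listener Hostname (string comparison is case-insensitive here).
    # SAN DNS entries (OID 2.5.29.17) are listed for diagnosis only.
    $cn     = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanDns = @()
    if ($sanExt) {
        $sanDns = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    if ($cn -ne $ExpectedName) {
        $problems += "CN '$cn' is not equal to the listener Hostname '$ExpectedName' (SAN DNS names: $($sanDns -join ', '))"
    }

    # Build the chain against the machine's trust stores; a failed build reports why
    # (untrusted root, revocation status unknown because the CA publishes no CRL, ...).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "certificate chain does not validate: $status"
    }
    return $problems
}

# X509Certificate2.Thumbprint is upper-case hex with no separators; normalize user input to match.
$normalized = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $normalized }
if (-not $cert) {
    throw "No certificate $normalized in Cert:\LocalMachine\My. WinRM uses the Local Machine personal store, not the current user's."
}

$problems = Test-WinRmHttpsCertificate -Cert $cert -ExpectedName $HostName
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Certificate does not meet the WinRM HTTPS listener requirements; fix the items above first.'
}

# Create the listener explicitly by thumbprint. The cmd.exe equivalent is
#   winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="...";CertificateThumbprint="..."}
# Typed at a PowerShell prompt, that line fails with "Invalid use of command line" because
# PowerShell parses @{...} as a hashtable literal; wrap that argument in single quotes there.
New-WSManInstance -ResourceURI 'winrm/config/Listener' `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet @{ Hostname = $HostName; CertificateThumbprint = $cert.Thumbprint } | Out-Null

# Open the port on the host firewall; the instance's AWS security group must also allow TCP 5986 inbound.
New-NetFirewallRule -DisplayName 'WinRM over HTTPS (TCP 5986)' -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

# Show the resulting listener so the bound hostname and thumbprint can be confirmed.
Get-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet @{ Address = '*'; Transport = 'HTTPS' }
```

Run it from an elevated PowerShell session on the server, for example `.\New-WinRmHttpsListener.ps1 -Thumbprint <thumbprint> -HostName host.<account>.amazonaws.com` (script name is a placeholder). Each warning it prints corresponds to one clause of the error message quoted in the question, so a certificate that passes every check but still fails `winrm quickconfig -transport:https` points at quickconfig's own certificate search rather than at the certificate, and the explicit thumbprint path above sidesteps that search.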