How to manually specify what certificate the winrm listener uses

Article:TECH93886  |  Created: 2009-01-07  |  Updated: 2011-04-29  |  Article URL
Article Type
Technical Solution


You must specify the certificate for winrm because it does not use the correct one when using the quickconfig option.

In the collector log there are messages about "untrusted server certificate chain"


There are 3 areas where the certificate must match
- The winrm configuration thumbprint
- The winrm listener thumbprint
- The Symantec Agent must have the certificate imported into it using keytool.exe

If a certificate either has not been setup, or winrm is setup with the wrong certificate file, or the certificate has not yet been installed into the Symantec Agent, the connection will fail with this error.


You can manually set which certificate winrm uses by specifying the Certificate Thumbprint when you create the listener.

To create a new listener that specifies the Certificate Thumbprint: 

  1. Open the certificate file, and click the Details tab.
  2. Scroll to the bottom and click Thumbprint.
  3. The bottom half of the window displays the hexidecimal value.
    This is what must be used in the winrm command.
  4. When logged in as administrator, or an administrator, open a command window.
  5. Set the winrm configuration to use the correct thumbprint by entering the following command:

    winrm set winrm/config/service @{CertificateThumbprint="<Hexidecimal thumbprint value from the correct certificate>"}

    NOTE: You may need to remove the spaces from the thumbprint string

  6. Setup the listener to use that same thumbprint by entering the following command:

    winrm create winrm/config/Listener?Address=IP:<Enter your IP Address Here>+Transport=HTTPS @{Hostname="<FQDN as it appears in the certifcate>";CertificateThumbprint="<Hexidecimal thumbprint value from the correct certificate>"}
     You may need to remove the spaces from the thumbprint string.

    The IP address that you enter is the IP address of the machine you want to collect events from.
  7. To use this certificate with the Symantec Event Agent you will also need to add that certificate to the agent keystore.
keytool -importcert -trustcacerts -alias Symc-CA -file Symc-CA.cer -keystore "C:\Program Files\Symantec\Event Agent\jre\lib\security\cacerts" -storepass changeit

Symc-CA is an alias for the domain root certificate.

Symc-CA.cer is a file with the domain root certificate.

Default Paths to the java certificate keystore.
32bit Windows:
C:\Program Files\Symantec\Event Agent\jre\lib\security\cacerts
64bit Windows: 
C:\Program Files (x86)\Symantec\Event Agent\jre\lib\security\cacerts

The default password for the certificate keystore is changeit. 

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices