I'm managing a group of servers with Ansible and, in the case of Windows Servers, WinRM is being used. Everything was set up and working fine, but the time has come to replace the cert for the service user that Ansible is using (not the cert for the WinRM SSL connection). It was initially set up with a self-signed cert (as a test) and then replaced with the proper CA-signed cert. But now I'm trying to replace that client cert with a new one and running into a brick wall.
The problem might be that it's the same user, same Subject, same Issuer, same URI... the only difference is the time/validity (which has already started). Is this the special case where I'm missing some step?
- new cert is imported into Root and TrustedPeople cert store locations
- RootCA and SubCA are there and certification path is valid, status is OK
- winrm cert mapping is there and enabled
- like I said, it's the same issuer thumbprint, same URI, same subject CN... etc. should be working out of the box
- I've even tried to remove the cert mapping and create it again, but to no avail
- old client cert is removed, there should not be any collision between them
And the server refuses these credentials when I try to connect. If I do the same procedure all over again, but with the old cert (still valid), everything works. Even that old self-signed test cert with its own cert mapping (subject and issuer are different there) works for the same Windows user, even in parallel. A reboot brings nothing new.
What am I missing?
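The following PowerShell script is an added diagnostic, not part of the question above and not Ansible's or Microsoft's code. It enumerates the WSMan client certificate mappings on the Windows host, pulls the new client certificate out of the `LocalMachine\TrustedPeople` store, checks the properties WinRM certificate authentication depends on (Client Authentication EKU, a UPN in the Subject Alternative Name, a valid chain), and compares the thumbprint of the certificate's actual issuer with the `Issuer` value recorded in each mapping. The `$ClientThumbprint` placeholder is an assumption to be filled in by the operator; the store locations and mapping layout follow the standard `WSMan:` and `Cert:` providers.

```powershell
# Added diagnostic example (not from the original post). Run in an elevated PowerShell
# on the Windows host that terminates the WinRM connection.
# ASSUMPTION: replace the placeholder with the thumbprint of the NEW client certificate.
$ClientThumbprint = 'PUT-NEW-CLIENT-CERT-THUMBPRINT-HERE'

# 1. Dump every WSMan client certificate mapping, including the issuer thumbprint it was created with.
Write-Host "== WSMan client certificate mappings =="
$mappings = Get-ChildItem -Path WSMan:\localhost\ClientCertificate | ForEach-Object {
    $props = Get-ChildItem -Path $_.PSPath
    [pscustomobject]@{
        Name     = $_.Name
        Subject  = ($props | Where-Object Name -eq 'Subject').Value
        URI      = ($props | Where-Object Name -eq 'URI').Value
        Issuer   = ($props | Where-Object Name -eq 'Issuer').Value
        UserName = ($props | Where-Object Name -eq 'UserName').Value
        Enabled  = ($props | Where-Object Name -eq 'Enabled').Value
    }
}
$mappings | Format-Table -AutoSize

# 2. Locate the new client certificate where WinRM expects it (TrustedPeople).
$cert = Get-ChildItem -Path Cert:\LocalMachine\TrustedPeople |
        Where-Object Thumbprint -eq $ClientThumbprint
if (-not $cert) {
    Write-Warning "Client cert $ClientThumbprint not found in Cert:\LocalMachine\TrustedPeople"
    return
}
Write-Host "`n== Client certificate =="
$cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter

# 3. EKU must contain Client Authentication (1.3.6.1.5.5.7.3.2).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasClientAuth = $eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.2')
Write-Host ("Client Authentication EKU present : {0}" -f [bool]$hasClientAuth)

# 4. The SAN must carry the user principal name the mapping's UserName refers to.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($true) } else { '<no SAN extension>' }
Write-Host "Subject Alternative Name          :"
Write-Host $sanText
Write-Host ("UPN (Principal Name) in SAN       : {0}" -f ($sanText -match 'Principal Name='))

# 5. Chain validity as seen by the local machine store.
Write-Host ("Chain verifies                    : {0}" -f $cert.Verify())

# 6. Find the issuer certificate and compare its thumbprint with each mapping's Issuer value.
$issuerCert = Get-ChildItem -Path Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
              Where-Object Subject -eq $cert.Issuer | Select-Object -First 1
if (-not $issuerCert) {
    Write-Warning "No certificate with subject '$($cert.Issuer)' found in LocalMachine\CA or \Root"
    return
}
Write-Host ("Issuer thumbprint (from store)    : {0}" -f $issuerCert.Thumbprint)
foreach ($m in $mappings) {
    $match = $m.Issuer -eq $issuerCert.Thumbprint -and
             $m.Subject -eq (($cert.Subject -split ',')[0] -replace '^CN=', '')
    Write-Host ("Mapping {0}: issuer/subject match = {1}, enabled = {2}" -f $m.Name, $match, $m.Enabled)
}
```

The comparison in step 6 is the one most worth reading carefully: a mapping is keyed by the issuer certificate's thumbprint, so if the renewed client certificate was signed by a re-issued or renewed SubCA certificate (same Subject, different key or serial), the store will hold two issuer certificates with the same subject and the mapping may still point at the old thumbprint. Step 4 matters because WinRM ties the certificate to the Windows account through the UPN in the SAN, not through the mapping alone; a renewed certificate that lost that field will be rejected even though the mapping looks correct.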