Server monitoring using WinRM-HTTPS status shows "Connection Refused (0)" after the renewal of the server certificate.

15129
Created On 07/28/23 21:40 PM - Last Modified 03/24/25 15:25 PM


Symptom


  • After renewal of the server certificate, Server Monitoring using WinRM-HTTPS shows the status "Connection Refused (0)".
GUI: Device > User Identification > User Mapping > Server Monitoring
  • The User-ID logs (less mp-log useridd.log) report the error "Connection failed. response code = 0":
Error:  pan_user_id_winrm_verify_cert_cb(pan_user_id_win.c:2814): Unable to get basic constraints
Error:  pan_user_id_winrm_verify_cert_cb(pan_user_id_win.c:2873): X509_verify_cert returned error 20, error = 'unable to get local issuer certificate'
Error:  pan_user_id_winrm_query(pan_user_id_win.c:2654): failed to connect to winrm server server.pantac.local.lab in vsys 1
Error:  pan_user_id_winrm_query(pan_user_id_win.c:2698): Connection failed. response code = 0, error: Peer certificate cannot be authenticated with given CA certificates in vsys 1, server=server.pantac.local.lab.


Environment


  • Palo Alto Firewalls
  • PAN-OS 9.1.16
  • Renewal of Server Certificate used for User-ID WinRM-HTTPS.
  • Domain Controller being monitored using WinRM-HTTPS as a transport method.


Cause


  • After renewing the server certificate, the certificate thumbprint bound to the WinRM HTTPS listener was not updated on the server.
  • The WinRM service was therefore still presenting the old certificate, and the firewall could not validate it against the CA certificates in its User-ID certificate profile.
  • For PAN-OS 10.2 and above, a further possible cause is a renewed certificate whose public key does not meet the minimum size checked in Resolution step 1 (RSA 2048 bits or greater).


Resolution


To resolve, update the new certificate thumbprint on the server. Steps are listed below.

  1. (For PAN-OS 10.2 and above) Verify that the new certificate has a public key of RSA 2048 bits or greater.
  2. Delete the currently running WinRM listener with the Address=* and Transport=HTTPS configuration by entering the following command:
c:>winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
  3. Create a new WinRM listener with the Address=* and Transport=HTTPS configuration and the new server certificate thumbprint by entering the following command:
c:>winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<hostname>";CertificateThumbprint="<Certificate Thumbprint>"}
  • "<hostname>" is the hostname of the Windows server.
  • "<Certificate Thumbprint>" is the value you copied from the new server certificate.

Note: Remove any spaces in the Certificate Thumbprint to ensure that WinRM can validate the certificate.

  4. To verify that WinRM is communicating using HTTPS, enter the following command and confirm that the output displays Transport = HTTPS:
c:>winrm enumerate winrm/config/listener


Note: Make sure you successfully imported the root certificate for the service certificates that the Windows server uses for WinRM onto the firewall and associate the certificate with the User-ID Certificate Profile.
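The following PowerShell script is an added example and is not part of this article or of Palo Alto Networks' documentation. It performs the resolution steps above from the Windows server side: it locates the renewed certificate, checks the key size required on PAN-OS 10.2 and above, builds the chain so the root CA that must be imported into the firewall's User-ID certificate profile is identified, rebinds the HTTPS listener to the new thumbprint with no spaces, and verifies the listener. It assumes (the article does not say so) that the renewed certificate sits in Cert:\LocalMachine\My with its private key, carries the Server Authentication EKU, and lists the server's FQDN in its Subject Alternative Name.

```powershell
# Added example (not from the KB article): rebind the WinRM HTTPS listener to the
# renewed server certificate and check the things the article's steps require.
# Assumptions (not stated by the article): the renewed certificate is in
# Cert:\LocalMachine\My with its private key, carries the Server Authentication
# EKU (1.3.6.1.5.5.7.3.1), and lists this server's FQDN in its SAN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Newest unexpired server-authentication certificate for this host
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        ($_.DnsNameList.Unicode -contains $fqdn)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable server certificate for $fqdn in LocalMachine\My" }

# Step 1 of the article (PAN-OS 10.2 and above): RSA public key of 2048 bits or more
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if (-not $rsa -or $rsa.KeySize -lt 2048) {
    throw "Certificate $($cert.Thumbprint) does not have an RSA key of 2048 bits or more"
}

# Build the chain locally. The root it ends in is the certificate the firewall's
# User-ID certificate profile must contain (the article's closing note); a chain
# that does not build here will not validate on the firewall either.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Certificate chain does not build on this host: $status"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Root CA to import on the firewall: $($root.Subject) [$($root.Thumbprint)]"

# The thumbprint must contain no spaces (article note)
$thumb = ($cert.Thumbprint -replace '\s', '').ToUpper()

# Equivalent of: winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse -Force

# Equivalent of: winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{...}
New-Item -Path WSMan:\localhost\Listener -Address * -Transport HTTPS `
    -HostName $fqdn -CertificateThumbPrint $thumb -Force | Out-Null

# Equivalent of: winrm enumerate winrm/config/listener (article step 4),
# checked for Transport = HTTPS and for the new thumbprint
$listeners = (winrm enumerate winrm/config/listener) -join "`n"
if ($listeners -notmatch 'Transport = HTTPS' -or $listeners -notmatch "CertificateThumbprint = $thumb") {
    throw "WinRM HTTPS listener is not bound to $thumb"
}
Write-Host "WinRM HTTPS listener bound to $thumb for $fqdn"
```

Run it in an elevated PowerShell session on the monitored domain controller. The WSMan provider cmdlets do the same work as the winrm delete and winrm create commands in the steps above; they are used here because a literal @{...} argument would otherwise be parsed by PowerShell as a hashtable rather than passed to winrm as text. After the script completes, the root CA it prints is the one that must be present in the firewall's User-ID certificate profile for the "unable to get local issuer certificate" error to clear.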

GUI: Device > User Identification > User Mapping > Server Monitoring:




    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000g1y0CAA&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail