Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

Powershell WinRM HTTPs CA signed certificate configuration

This guide is not specific to configuration but it also shows how I troubleshooted CA signed certificate issue while configuring WinRM listener. This is a third part of PowerShell remoting over HTTPS using self-signed SSL certificate, For security best practices instead of going with Self signed certificate I am using CA signed certificate. First step I need is CSR file, I have used below two openssl commands to generate CSR file as shown on article before Configure Powershell WinRM to use OpenSSL generated Self-Signed certificate.

openssl genrsa -out Priv.key 2048
openssl req -new -key Priv.key -out Request.csr -config psremote002.cnf

Once you have a CSR ready, open your certificate authority url website, choose Request a certificate then press on Submit an advanced certificate request link, here click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. On the next page open Request.CSR in notepad select all and copy the contents, paste to Saved request textbox, last choose Web server as certificate template. Submit to download CA generated certificate.

Microsoft active directory certificate services rootca certificate authority request a certificate submit a certificate request using a base-64 cmc or pkcs #10 powershell SSL https remoting port 5986.png

Series
POWERSHELL PS REMOTING BETWEEN STANDALONE WORKGROUP COMPUTERS
PowerShell remoting over HTTPS using self-signed SSL certificate
Configure Powershell WinRM to use OpenSSL generated Self-Signed certificate
Powershell WinRM HTTPs CA signed certificate configuration
Powershell Generate Self-signed certificate with Self-Signed Root CA Signer

I downloaded certificate and uploaded to local machines \ personal certificate store but while configuring certificate thumbprint as a new HTTPS listener for WinRM, I was keep receiving below error. 

New-Item : The function: "HttpSetServiceConfiguration" failed unexpectedly. Error=1312. 
At line:1 char:1
+ New-Item -Path WSMan:\localhost\Listener\ -Transport HTTPS -Address * ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-Item], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.NewItemCommand

Microsoft Windows Powershell New-Item wsman listener -transport https CertificateThumbPrint certificate ca self signed certificate authority powershell remoting winrm replace ssl https certificate 5985.png

To dig down more I generated and downloaded certificate multiple times, but I was still receiving errors. After going through my earlier articles on same topics I found when CA generates a certificate, it doesn't have key in it, Before importing it to local certificate store, you need to create PFX file using private key and certnew.cer using openssl, then upload to cert store. (Personal Information Exchange Format (PFX) enables transfer of certificates and their private keys from one computer to another or to removable media.)

openssl pkcs12 -export -inkey Priv.key -in certnew.cer -out certificate.pfx -passout pass:123456

Microsoft Windows Powershell certificate openssl pkcs12 export inkey private key pfx passout replacing powershell remoting winrm wsman ssl https certificate thumbhash ca signed self cert.png

To upload the PFX file to local machine \ personal \ ceritificate store just double click file, It launches Certificate Import Wizard, select Local Machine, File to import will show file name which you are uploading, Next use the password and select Mark this key exportable, This will allow you to backup or transport your keys at later time, in the last browse for Trusted Root certification authorities (it should be personal for better management, but I want to show what is difference between .cer and .pfx)

Powershell self signed certificate certificate authority microsoft psremoting winrm wsman port 5986 5986 https replace cert openssl pfx private key certificate import wizard local machine exportable key.png

Review the setting on last page, click finish, the import should be successful. Open the certificate store and check the icons of existing certificates and new uploaded pfx, there is a key inbuilt in pfx certificate and listener require the key, Rest everything was working fine.

Powershell certificate local computer trusted root certification authorities, root ca subordinate ca, microsoft powershell remoting replace https ssl port 5986 import-pfxcertificate testing security.png.

Use below command to check the connection.

Invoke-Command -ComputerName psremote002.vcloud-lab.com -ScriptBlock {hostname} -Credential (Get-Credential) -UseSSL -Port 5986

Useful Articles
POWERSHELL DSC XACTIVEDIRECTORY ERROR - A NETBIOS DOMAIN NAME MUST BE SPECIFIED 
DSC (DESIRED STATE CONFIGURATION) : DEPLOYING ACTIVE DIRECTORY 
THE POWERSHELL XACTIVEDIRECTORY PROVIDER DOES NOT EXIST AT THE POWERSHELL MODULE PATH NOR IS IT REGISTERED AS A WMI PROVIDER 

Go Back

Comment

Blog Search

Page Views

11240782

Follow me on Blogarama