How to Set up PSRemoting with WinRM and SSL [Step by Step]

choubertsprojects

VPN offers!

1. NordVPN

2. Surfshark

3. ExpressVPN

PSRemoting is a feature that allows remote access to your PS4 without the need for physical connection. However, this feature can only be used if you are using WinRM on your PC as well and have SSL installed in IIS. This blog will show how to set up both of these features so that they function properly with one another.

This article will show you how to set up PSRemoting with WinRM and SSL. It also includes a step by step guide on configuring winrm https, which allows remote PowerShell sessions to be established over HTTP.

How to Set up PSRemoting with WinRM and SSL [Step by Step]

If you’ve used PowerShell Remoting (PSRemoting) to perform remote tasks, you already know how useful it is. You can connect to and handle one or more distant computers as if they were local. PSRemoting relies on Windows Remote Management (WinRm) to work, and if you aren’t utilizing WinRM via SSL, you may be exposing yourself to security risks.

You’ll learn how to set up Windows on the client and server to use WinRM over HTTPS (SSL) and how to utilize certificates to authenticate while using WinRM over HTTPS in this hands-on lesson.

Prerequisites

If you want to follow along with this lesson, make sure you have the following items on hand:

  • As the client computer, you’ll need a Windows 7+ or Server 2008 R2 system. Windows 10 will be used in this lesson.
  • As the server, you’ll need a Windows 7+ or Server 2008 R2+ system. Windows Server 2019 will be used in this tutorial.
  • On both the client and server workstations, access to a local administrator account or an account with local administrative permissions.
  • A Public Key Infrastructure (PKI) for Active Directory Certificate Services (ADCS). For commercial implementations, it would be beneficial to use ADCS, however it is not required for this instruction and testing. The tutorial will presume that the PKI is configured as a standalone or enterprise CA.

Why Would You Prefer WinRM to SSL?

PSRemoting is pre-installed with WinRM and enables you to remotely control client PCs. PSRemoting encrypts all communication from client to server after establishing a connection through WinRM. In addition, implementing PSRemoting without HTTPS is a really simple process.

How to Enable PSRemoting is a related topic (Locally and Remotely)

Why go to the trouble of putting up something like ADCS and managing certificates when PSRemoting already encrypts session communication?

Because, depending on the authentication method used, credentials might be transferred in unsafe forms throughout the procedure.

Using WinRM via HTTPS instead of HTTP is one of the simplest methods to make PSRemoting more secure. Within the layer of encryption WinRM currently utilizes, HTTPS encases your whole connection stream, including authentication. HTTPS also allows you to verify that the server you’re connected to is the one you believe it is.

Using a Self-Signed Certificate to Configure WinRM

Let’s get started with the demos. The first method will teach you how to use a self-signed certificate to encrypt PSRemoting communication with WinRm via SSL.

Using a self-signed certificate to build up a test environment without having to worry about a PKI like ADCS is a wonderful way to go. When you employ a self-signed certificate, the server generates a certificate that it signs, thus vouching for itself.

Certificates generally fulfill two functions: they authenticate and encrypt a connection. Only the latter is implemented when a self-signed certificate is used. You must always utilize PKI-provided certificates to verify a server’s identity. Rather of needing to manually trust each self-signed certificate, PKI-provided certificates give a single source of confidence.

Four high-level steps are required to configure WinRM over SSL with a self-signed certificate:

  1. On the target computer, create the self-signed certificate.
  2. Setting up the WinRM webserver (listener) on the server to utilize a self-signed certificate for authentication.
  3. On the target machine’s Windows firewall, open the required ports.
  4. Using a PowerShell cmdlet, such as Enter-PSSession, to establish a remote connection on the client.

Let’s go through each step one by one.

Making Your Own Self-Signed Certificate

On the server, the first step is to create a self-signed certificate. PSRemoting will encrypt all communication using this certificate upon connecting.

Run the New-SelfSignedCertificate cmdlet on ServerB with a Windows PowerShell console open as administrator, as shown below. The command below creates a certificate for ServerB.domain.com in the personal certificate store on the local workstation.

‘CN=ServerB.domain.com’ -TextExtension ‘2.5.29.37=text1.3.6.1.5.5.7.3.1’ New-SelfSignedCertificate -Subject ‘CN=ServerB.domain.com’ -TextExtension ‘2.5.29.37=text1.3.6.1.5.5.7.3.1’

Creating a certificate that is self-signed.Creating a certificate that is self-signed.

The fully-qualified domain name of the server should be used as the Subject argument. The topic is used by WinRm to verify the server’s identity.

Always give a domain name, such as domain.com or lab.local, even if the server is in a workgroup. The DNS name you connect to when connecting to the destination system must precisely match this Subject name, else the connection will fail.

The TextExtension enables you to specify the key use of the certificate (2.5.29.37), which specifies what the certificate may be used for. To guarantee that the certificate may only be used to validate a server’s identity, define key use for Server Authentication (text1.3.6.1.5.5.7.3.1).

New-SelfSignedCertificates will return the thumbprint of the certificate it created when it has completed. You’ll need this for the following command, so save it.

Setting up the WinRM Listener

After you’ve produced the self-signed certificate on the server, you’ll need to setup the WinRm listener to use it for authentication. Use the winrm create command to do this, as illustrated below.

The Address=* parameter in the command below tells the listener to listen on any IP address the server has specified. You may provide a particular IP address here if the server has several IP addresses configured.

Be sure to replace the <cert thumbprint here> placeholder with the thumbprint returned in the last step.

winrm create winrm/config/Listener?Address=*+Transport=HTTPS ‘@{Hostname=”ServerB.domain.com”; CertificateThumbprint=”<cert thumbprint here>”}’

Using a self-signed certificate to create a WinRM listener.Using a self-signed certificate to create a WinRM listener.

The WinRM SSL Firewall Port is now open.

If you’re using the Windows firewall, you’ll also need to enable HTTPS access to the server through the default HTTPS port 5986.

Related:How to Change the Default WinRm Ports

Run the following command in PowerShell to open the firewall port for WinRM via HTTPS.

@ $FirewallParam $FirewallParam $FirewallParam $Firewall ‘Windows Remote Management (HTTPS-In)’ is the display name. ‘Inbound’ is the direction. Protocol = ‘TCP’ Action = ‘Allow’ Program = ‘System’ LocalPort = 5986 Protocol = ‘TCP’ Action = ‘Allow’ Program = ‘System’ New @FirewallParam -NetFirewallRule

Using SSL to connect to the server

The remote Windows Server is now configured to allow WinRM connections via SSL. Return to the client at this point and test any PSRemoting commands you’d want to try. Try the Enter-PSSession or Invoke-Command cmdlets, for example. Only now, you’re connecting in a little different way than with the standard HTTP connection.

Invoke-Command: The Most Effective Way to Run Remote Code

When connecting via HTTPS, the argument UseSSL is usually required. This argument instructs the command to search for an HTTPS WinRM listener rather than an HTTP listener, which is the default. More PSRemoting commands support the UseSSL argument.

Enter-PSSession using the FQDN of the server as provided by the self-signed certificate subject, a PSCredential object to specify the login and password, and the UseSSL switch argument for testing.

All Things Credentials and Using the PowerShell Get-Credential Cmdlet

ServerB.domain.com -ComputerName Enter-PSSession -UseSSL -Credential (Get-Credential)

Because you have set the WinRM listener on the server to utilize a self-signed certificate, you will get an error message if you perform the above command. When the PSRemoting client tries to authenticate with the server, it tries to verify the certificate but is unable to do so. Because a self-signed certificate lacks a trust chain that the command may follow, it fails.

With a self-signed certificate, the certificate authority trust check fails.With a self-signed certificate, the certificate authority trust check fails.

You must overcome the certificate trust check to connect to the server using a self-signed certificate. You may do so by creating a PSSessionOption named SkipCACheck using the New-PSSessionOption cmdlet and providing it to the command as shown below.

$PSSessionOption = New-PSSessionOption -SkipCA; $PSSessionOption = New-PSSessionOption -SkipCA; $PSSes Enter-PSSession -ComputerName ServerB -Credential -Credential -Credential -Credential -Credential -Credential -Cred (Get-Credential) -SessionOption -UseSSL $PSSessionOption

You may create a variety of PSSessionOption objects to provide remote connection settings that aren’t present in the Enter-PSSession cmdlet.

When you reconnect, PowerShell should ask you for your credentials. You should now be able to connect to the server via WinRM over SSL, which has been given!

Using a CA-signed certificate to configure WinRM

If you wish to utilize PSRemoting with WinRM in production while maintaining the highest level of security, you should use WinRM over SSL with a certificate authority (CA)-signed certificate.

Because they check a certificate issuer’s authenticity, CA-signed certificates establish a trust chain and are more secure than basic self-signed certificates.

One of the most frequent methods to set up a CA in an Active Directory environment is via ADCS. You may use ADCS to deploy certificates to devices and configure WinRM to utilize them.

This tutorial will presume that ADCS is already installed and operational in your environment.

You can use Microsoft’s guidelines for a rapid setup, but since a certificate authority is at the heart of an organization’s encryption efforts, you should thoroughly examine the settings for a production implementation.

The Request for a Certificate

The first step in utilizing a certificate issued by a CA is to create the certificate. You must first make a certificate request using a certificate signing request in order to generate the certificate (CSR). This CSR may then be forwarded to the CA for the certificate to be issued.

How to Use PowerShell to Generate an IIS Certificate Request

The processes in this section apply to ADCS installations, whether it’s an enterprise CA or a standalone CA. If you’re using an AD-integrated corporate CA, you may use certificate auto-enrollment or certificate templates to speed up the process of enrolling certificates without going through the procedures in this section.

Create the CSR on the server (ServerB in this tutorial):

  1. To launch the Windows certificate manager, type certlm.msc.

Managing Certificates using the Windows Certificate Manager is a related topic.

2. Right-click on the Personal store and select All Tasks —> Advanced Operations —> Create Custom Request.

3. For the sake of this lesson, keep all fields blank until you reach the Certificate Information page, which is shown below. When you arrive, pick Properties from the Details dropdown menu.

Making a one-of-a-kind certificate request.Making a one-of-a-kind certificate request.

4. Change the Type to Common name under the Subject tab.

5. Click Add after entering the server’s fully qualified domain name if it is part of a domain or only the hostname if it isn’t.

Specifying the certificate request's topic. Specifying the certificate request’s topic.

It’s worth noting that you must use the common name with a WinRM SSL listener. The other settings on the list may be used, but they are not necessary for this deployment.

6. Select the Extensions tab from the drop-down menu.

7. Expand the extended key use header and include Server Authentication if you’re not utilizing certificate-based authentication, which will be detailed later. This key use type instructs Windows to utilize the certificate to authenticate a server. Client Authentication, Code Signing, and Document Encryption are some of the other choices.

8. Select Client Authentication, as shown below, if you want to set up certificate-based authentication.

Obtaining a certificate for client authentication.Obtaining a certificate for client authentication.

9. Then, on the Private Key page, look at the Key choices. To improve the security of the key pair, increase the default key size from 1024 to at least 2048.

Stronger cryptography providers are also available on Windows, although you may run into compatibility issues with older apps.

10. To continue with the instructions, close the Certificate Properties box and save your selections by clicking OK.

11. Next, provide a location for the certificate request to be printed so that you may access it later, and then click Finish.

You should now have a certificate request file in your hands.

Getting a Certificate Request

After you’ve made the request, you’ll need to send it to your CA, who will then produce the certificate. To do so, follow these steps:

  1. Navigate to your ADCS server at http://<server name FQDN>/certsrv/certrqxt.asp.

Web website for submitting certificate requests.Web website for submitting certificate requests.

2. Using notepad, open the certificate request file you produced previously and paste the contents from the file into the request field. Additional Attributes are not needed for this certificate.

3. Click the Submit button. Your request will be sent to the CA as a result of this action. After that, it should display the request ID, which will be needed later. This should be saved! It’ll come in handy later.

4. Execute the Windows Certificate Manager on your local computer or run certsrv.msc through RDP to connect to the CA server that is part of your ADCS system.

5. Select Pending Requests from the drop-down menu.

Certificate is being issued in response to a pending request.Certificate is being issued in response to a pending request.

6. Right-click the pending request, then choose All Tasks, then Issue. Based on the request ID from the previous step, this will authorize the request you just filed.

Certificate Enrollment

It’s time to enroll the certificate on the server where you’re setting WinRM now that you’ve issued it on the CA. To do so, follow these steps:

  1. From the server you’re setting up WinRM over SSL on, navigate to http://<server name FQDN>/certckpn.asp. You should see a single pending certificate request.

Viewing the status of a certificate request that has been outstanding for some time. Viewing the status of a certificate request that has been outstanding for some time.

You can get the public certificate from another computer if necessary, but beginning with the server you’re configuring for WinRM via HTTPS makes things easier.

2. From the list, choose the request you filed and download the certificate chain. If the server on which you’re configuring WinRM over HTTPS has your CA as a root server, you need obtain the whole certificate chain.

The certificate chain is being downloaded.The certificate chain is being downloaded.

3. Double-click the certificate chain file to open it. A certificate for your server, as well as any certificate authority certificates further up the chain, should be visible. The requested certificate is win2.lab.int, and the certificate for the CA that issued the certificate for win2.lab.int is WIN2-CA.

Certificates inside the certificate chain are shown.Certificates inside the certificate chain are shown.

4. Double-click one of the certificates, then click the Install Certificate button in the pop-up window. Change the selection to Local Machine since this certificate will be utilized by the server rather than a particular user.

Certificate is being imported into the local machine certificate storage.Certificate is being imported into the local machine certificate storage.

5. Follow the prompts to the end, leaving everything as is. The certificate should be stored in the Trusted Root Certifications Store by default.

6. Repeat steps 3-5 for the remaining certificates in the list. Ensure that all additional certificates are stored in the Intermediate Certificate Authorities store if you have more than one certificate.

Create the WinRM HTTPS Listener and configure it.

Now that you’ve installed all of the certificates, you can setup WinRM on your server to utilize that certificate for the listener.

Open PowerShell on the WinRm server and type:

  1. To automatically set up the WinRm listener, use the command below. The winrm command does this by looking for a certificate that meets the WinRM criteria in the local machine certificate store.

-transport:https winrm quickconfig

2. By default, the Windows Firewall will block the WinRM HTTPS port 5986. Run the following PowerShell command to confirm that incoming port 5986 is allowed across the firewall:

@ $FirewallParam $FirewallParam $FirewallParam $Firewall ‘Windows Remote Management (HTTPS-In)’ is the display name. ‘Inbound’ is the direction. Protocol = ‘TCP’ Action = ‘Allow’ Program = ‘System’ LocalPort = 5986 Protocol = ‘TCP’ Action = ‘Allow’ Program = ‘System’ New @FirewallParam -NetFirewallRule

The WinRM SSL Connection is being tested.

You’re all set to connect at this moment. Connect to the server using your preferred PSRemoting cmdlets, such as Invoke-Command or Enter-PSSession, and utilize the UseSSL argument.

-ComputerName ServerB.domain.com -UseSSL -Credential Enter-PSSession -ComputerName ServerB.domain.com -UseSSL -Credential (Get-Credential)

Always double-check that the ComputerName option is set to the same value as the common name used during certificate generation. If you try to connect to a different hostname or IP address, you’ll get a certificate mismatch error, which will result in a connection failure.

Certificate-Based Authentication Setup

You should have a WinRM listener configured to utilize HTTPS by now. If that’s the case, you may also log in as a local user on the distant server using a user authentication certificate. One of the more secure methods is to utilize a user certificate, but it takes some time to set up. Because each certificate is unique to the specific client computer, you’ll discover that it’s a lot of repetitive labor.

Local user accounts, not domain users, are the only ones who may employ certificate-based authentication.

Assuming you requested a certificate for Client Authentication as covered in the The Request for a Certificate section, read on:

Authenticating with a Certificate and Mapping the User on the Server

  1. Run the Set-Item command on the server to enable certificate-based authentication.

WSMan:localhostServiceAuthCertificate -Value $true Set-Item

2. Then, in the Trusted Root Certification Authorities store, execute Get-ChildItem to obtain the thumbprint of the CA that issued the client authentication certificate. To do so, look for certificates with a topic that includes your CA’s name.

Where-Object

If you’ve used PowerShell Remoting (PSRemoting) to perform remote tasks, you already know how useful it is. You can connect to and handle one or more distant computers as if they were local. PSRemoting relies on Windows Remote Management (WinRm) to work, and if you aren’t utilizing WinRM via SSL, you may be exposing yourself to security risks.

You’ll learn how to set up Windows on the client and server to use WinRM over HTTPS (SSL) and how to utilize certificates to authenticate while using WinRM over HTTPS in this hands-on lesson.

Prerequisites

If you want to follow along with this lesson, make sure you have the following items on hand:

  • As the client computer, you’ll need a Windows 7+ or Server 2008 R2 system. Windows 10 will be used in this lesson.
  • As the server, you’ll need a Windows 7+ or Server 2008 R2+ system. Windows Server 2019 will be used in this tutorial.
  • On both the client and server workstations, access to a local administrator account or an account with local administrative permissions.
  • A Public Key Infrastructure (PKI) for Active Directory Certificate Services (ADCS). For commercial implementations, it would be beneficial to use ADCS, however it is not required for this instruction and testing. The tutorial will presume that the PKI is configured as a standalone or enterprise CA.

Why Would You Prefer WinRM to SSL?

PSRemoting is pre-installed with WinRM and enables you to remotely control client PCs. PSRemoting encrypts all communication from client to server after establishing a connection through WinRM. In addition, implementing PSRemoting without HTTPS is a really simple process.

How to Enable PSRemoting is a related topic (Locally and Remotely)

Why go to the trouble of putting up something like ADCS and managing certificates when PSRemoting already encrypts session communication?

Because, depending on the authentication method used, credentials might be transferred in unsafe forms throughout the procedure.

Using WinRM via HTTPS instead of HTTP is one of the simplest methods to make PSRemoting more secure. Within the layer of encryption WinRM currently utilizes, HTTPS encases your whole connection stream, including authentication. HTTPS also allows you to verify that the server you’re connected to is the one you believe it is.

Using a Self-Signed Certificate to Configure WinRM

Let’s get started with the demos. The first method will teach you how to use a self-signed certificate to encrypt PSRemoting communication with WinRm via SSL.

Using a self-signed certificate to build up a test environment without having to worry about a PKI like ADCS is a wonderful way to go. When you employ a self-signed certificate, the server generates a certificate that it signs, thus vouching for itself.

Certificates generally fulfill two functions: they authenticate and encrypt a connection. Only the latter is implemented when a self-signed certificate is used. You must always utilize PKI-provided certificates to verify a server’s identity. Rather of needing to manually trust each self-signed certificate, PKI-provided certificates give a single source of confidence.

Four high-level steps are required to configure WinRM over SSL with a self-signed certificate:

  1. On the target computer, create the self-signed certificate.
  2. Setting up the WinRM webserver (listener) on the server to utilize a self-signed certificate for authentication.
  3. On the target machine’s Windows firewall, open the required ports.
  4. Using a PowerShell cmdlet, such as Enter-PSSession, to establish a remote connection on the client.

Let’s go through each step one by one.

Making Your Own Self-Signed Certificate

On the server, the first step is to create a self-signed certificate. PSRemoting will encrypt all communication using this certificate upon connecting.

Run the New-SelfSignedCertificate cmdlet on ServerB with a Windows PowerShell console open as administrator, as shown below. The command below creates a certificate for ServerB.domain.com in the personal certificate store on the local workstation.

‘CN=ServerB.domain.com’ -TextExtension ‘2.5.29.37=text1.3.6.1.5.5.7.3.1’ New-SelfSignedCertificate -Subject ‘CN=ServerB.domain.com’ -TextExtension ‘2.5.29.37=text1.3.6.1.5.5.7.3.1’

Creating a certificate that is self-signed.Creating a certificate that is self-signed.

The fully-qualified domain name of the server should be used as the Subject argument. The topic is used by WinRm to verify the server’s identity.

Always give a domain name, such as domain.com or lab.local, even if the server is in a workgroup. The DNS name you connect to when connecting to the destination system must precisely match this Subject name, else the connection will fail.

The TextExtension enables you to specify the key use of the certificate (2.5.29.37), which specifies what the certificate may be used for. To guarantee that the certificate may only be used to validate a server’s identity, define key use for Server Authentication (text1.3.6.1.5.5.7.3.1).

New-SelfSignedCertificates will return the thumbprint of the certificate it created when it has completed. You’ll need this for the following command, so save it.

Setting up the WinRM Listener

After you’ve produced the self-signed certificate on the server, you’ll need to setup the WinRm listener to use it for authentication. Use the winrm create command to do this, as illustrated below.

The Address=* parameter in the command below tells the listener to listen on any IP address the server has specified. You may provide a particular IP address here if the server has several IP addresses configured.

Be sure to replace the <cert thumbprint here> placeholder with the thumbprint returned in the last step.

winrm create winrm/config/Listener?Address=*+Transport=HTTPS ‘@{Hostname=”ServerB.domain.com”; CertificateThumbprint=”<cert thumbprint here>”}’

Using a self-signed certificate to create a WinRM listener.Using a self-signed certificate to create a WinRM listener.

The WinRM SSL Firewall Port is now open.

If you’re using the Windows firewall, you’ll also need to enable HTTPS access to the server through the default HTTPS port 5986.

Related:How to Change the Default WinRm Ports

Run the following command in PowerShell to open the firewall port for WinRM via HTTPS.

@ $FirewallParam $FirewallParam $FirewallParam $Firewall ‘Windows Remote Management (HTTPS-In)’ is the display name. ‘Inbound’ is the direction. Protocol = ‘TCP’ Action = ‘Allow’ Program = ‘System’ LocalPort = 5986 Protocol = ‘TCP’ Action = ‘Allow’ Program = ‘System’ New @FirewallParam -NetFirewallRule

Using SSL to connect to the server

The remote Windows Server is now configured to allow WinRM connections via SSL. Return to the client at this point and test any PSRemoting commands you’d want to try. Try the Enter-PSSession or Invoke-Command cmdlets, for example. Only now, you’re connecting in a little different way than with the standard HTTP connection.

Invoke-Command: The Most Effective Way to Run Remote Code

When connecting via HTTPS, the argument UseSSL is usually required. This argument instructs the command to search for an HTTPS WinRM listener rather than an HTTP listener, which is the default. More PSRemoting commands support the UseSSL argument.

Enter-PSSession using the FQDN of the server as provided by the self-signed certificate subject, a PSCredential object to specify the login and password, and the UseSSL switch argument for testing.

All Things Credentials and Using the PowerShell Get-Credential Cmdlet

ServerB.domain.com -ComputerName Enter-PSSession -UseSSL -Credential (Get-Credential)

Because you have set the WinRM listener on the server to utilize a self-signed certificate, you will get an error message if you perform the above command. When the PSRemoting client tries to authenticate with the server, it tries to verify the certificate but is unable to do so. Because a self-signed certificate lacks a trust chain that the command may follow, it fails.

With a self-signed certificate, the certificate authority trust check fails.With a self-signed certificate, the certificate authority trust check fails.

You must overcome the certificate trust check to connect to the server using a self-signed certificate. You may do so by creating a PSSessionOption named SkipCACheck using the New-PSSessionOption cmdlet and providing it to the command as shown below.

$PSSessionOption = New-PSSessionOption -SkipCA; $PSSessionOption = New-PSSessionOption -SkipCA; $PSSes Enter-PSSession -ComputerName ServerB -Credential -Credential -Credential -Credential -Credential -Credential -Cred (Get-Credential) -SessionOption -UseSSL $PSSessionOption

You may create a variety of PSSessionOption objects to provide remote connection settings that aren’t present in the Enter-PSSession cmdlet.

When you reconnect, PowerShell should ask you for your credentials. You should now be able to connect to the server via WinRM over SSL, which has been given!

Using a CA-signed certificate to configure WinRM

If you wish to utilize PSRemoting with WinRM in production while maintaining the highest level of security, you should use WinRM over SSL with a certificate authority (CA)-signed certificate.

Because they check a certificate issuer’s authenticity, CA-signed certificates establish a trust chain and are more secure than basic self-signed certificates.

One of the most frequent methods to set up a CA in an Active Directory environment is via ADCS. You may use ADCS to deploy certificates to devices and configure WinRM to utilize them.

This tutorial will presume that ADCS is already installed and operational in your environment.

You can use Microsoft’s guidelines for a rapid setup, but since a certificate authority is at the heart of an organization’s encryption efforts, you should thoroughly examine the settings for a production implementation.

The Request for a Certificate

The first step in utilizing a certificate issued by a CA is to create the certificate. You must first make a certificate request using a certificate signing request in order to generate the certificate (CSR). This CSR may then be forwarded to the CA for the certificate to be issued.

How to Use PowerShell to Generate an IIS Certificate Request

The processes in this section apply to ADCS installations, whether it’s an enterprise CA or a standalone CA. If you’re using an AD-integrated corporate CA, you may use certificate auto-enrollment or certificate templates to speed up the process of enrolling certificates without going through the procedures in this section.

Create the CSR on the server (ServerB in this tutorial):

  1. To launch the Windows certificate manager, type certlm.msc.

Managing Certificates using the Windows Certificate Manager is a related topic.

2. Right-click on the Personal store and select All Tasks —> Advanced Operations —> Create Custom Request.

3. For the sake of this lesson, keep all fields blank until you reach the Certificate Information page, which is shown below. When you arrive, pick Properties from the Details dropdown menu.

Making a one-of-a-kind certificate request.Making a one-of-a-kind certificate request.

4. Change the Type to Common name under the Subject tab.

5. Click Add after entering the server’s fully qualified domain name if it is part of a domain or only the hostname if it isn’t.

Specifying the certificate request's topic. Specifying the certificate request’s topic.

It’s worth noting that you must use the common name with a WinRM SSL listener. The other settings on the list may be used, but they are not necessary for this deployment.

6. Select the Extensions tab from the drop-down menu.

7. Expand the extended key use header and include Server Authentication if you’re not utilizing certificate-based authentication, which will be detailed later. This key use type instructs Windows to utilize the certificate to authenticate a server. Client Authentication, Code Signing, and Document Encryption are some of the other choices.

8. Select Client Authentication, as shown below, if you want to set up certificate-based authentication.

Obtaining a certificate for client authentication.Obtaining a certificate for client authentication.

9. Then, on the Private Key page, look at the Key choices. To improve the security of the key pair, increase the default key size from 1024 to at least 2048.

Stronger cryptography providers are also available on Windows, although you may run into compatibility issues with older apps.

10. To continue with the instructions, close the Certificate Properties box and save your selections by clicking OK.

11. Next, provide a location for the certificate request to be printed so that you may access it later, and then click Finish.

You should now have a certificate request file in your hands.

Getting a Certificate Request

After you’ve made the request, you’ll need to send it to your CA, who will then produce the certificate. To do so, follow these steps:

  1. Navigate to your ADCS server at http://<server name FQDN>/certsrv/certrqxt.asp.

Web website for submitting certificate requests.Web website for submitting certificate requests.

2. Using notepad, open the certificate request file you produced previously and paste the contents from the file into the request field. Additional Attributes are not needed for this certificate.

3. Click the Submit button. Your request will be sent to the CA as a result of this action. After that, it should display the request ID, which will be needed later. This should be saved! It’ll come in handy later.

4. Execute the Windows Certificate Manager on your local computer or run certsrv.msc through RDP to connect to the CA server that is part of your ADCS system.

5. Select Pending Requests from the drop-down menu.

Certificate is being issued in response to a pending request.Certificate is being issued in response to a pending request.

6. Right-click the pending request, then choose All Tasks, then Issue. Based on the request ID from the previous step, this will authorize the request you just filed.

Certificate Enrollment

It’s time to enroll the certificate on the server where you’re setting WinRM now that you’ve issued it on the CA. To do so, follow these steps:

  1. From the server you’re setting up WinRM over SSL on, navigate to http://<server name FQDN>/certckpn.asp. You should see a single pending certificate request.

Viewing the status of a certificate request that has been outstanding for some time. Viewing the status of a certificate request that has been outstanding for some time.

You can get the public certificate from another computer if necessary, but beginning with the server you’re configuring for WinRM via HTTPS makes things easier.

2. From the list, choose the request you filed and download the certificate chain. If the server on which you’re configuring WinRM over HTTPS has your CA as a root server, you need obtain the whole certificate chain.

The certificate chain is being downloaded.The certificate chain is being downloaded.

3. Double-click the certificate chain file to open it. A certificate for your server, as well as any certificate authority certificates further up the chain, should be visible. The requested certificate is win2.lab.int, and the certificate for the CA that issued the certificate for win2.lab.int is WIN2-CA.

Certificates inside the certificate chain are shown.Certificates inside the certificate chain are shown.

4. Double-click one of the certificates, then click the Install Certificate button in the pop-up window. Change the selection to Local Machine since this certificate will be utilized by the server rather than a particular user.

Certificate is being imported into the local machine certificate storage.Certificate is being imported into the local machine certificate storage.

5. Follow the prompts to the end, leaving everything as is. The certificate should be stored in the Trusted Root Certifications Store by default.

6. Repeat steps 3-5 for the remaining certificates in the list. Ensure that all additional certificates are stored in the Intermediate Certificate Authorities store if you have more than one certificate.

Create the WinRM HTTPS Listener and configure it.

Now that you’ve installed all of the certificates, you can setup WinRM on your server to utilize that certificate for the listener.

Open PowerShell on the WinRm server and type:

  1. To automatically set up the WinRm listener, use the command below. The winrm command does this by looking for a certificate that meets the WinRM criteria in the local machine certificate store.

-transport:https winrm quickconfig

2. By default, the Windows Firewall will block the WinRM HTTPS port 5986. Run the following PowerShell command to confirm that incoming port 5986 is allowed across the firewall:

@ $FirewallParam $FirewallParam $FirewallParam $Firewall ‘Windows Remote Management (HTTPS-In)’ is the display name. ‘Inbound’ is the direction. Protocol = ‘TCP’ Action = ‘Allow’ Program = ‘System’ LocalPort = 5986 Protocol = ‘TCP’ Action = ‘Allow’ Program = ‘System’ New @FirewallParam -NetFirewallRule

The WinRM SSL Connection is being tested.

You’re all set to connect at this moment. Connect to the server using your preferred PSRemoting cmdlets, such as Invoke-Command or Enter-PSSession, and utilize the UseSSL argument.

-ComputerName ServerB.domain.com -UseSSL -Credential Enter-PSSession -ComputerName ServerB.domain.com -UseSSL -Credential (Get-Credential)

Always double-check that the ComputerName option is set to the same value as the common name used during certificate generation. If you try to connect to a different hostname or IP address, you’ll get a certificate mismatch error, which will result in a connection failure.

Certificate-Based Authentication Setup

You should have a WinRM listener configured to utilize HTTPS by now. If that’s the case, you may also log in as a local user on the distant server using a user authentication certificate. One of the more secure methods is to utilize a user certificate, but it takes some time to set up. Because each certificate is unique to the specific client computer, you’ll discover that it’s a lot of repetitive labor.

Local user accounts, not domain users, are the only ones who may employ certificate-based authentication.

Assuming you requested a certificate for Client Authentication as covered in the The Request for a Certificate section, read on:

Authenticating with a Certificate and Mapping the User on the Server

  1. Run the Set-Item command on the server to enable certificate-based authentication.

WSMan:localhostServiceAuthCertificate -Value $true Set-Item

2. Then, in the Trusted Root Certification Authorities store, execute Get-ChildItem to obtain the thumbprint of the CA that issued the client authentication certificate. To do so, look for certificates with a topic that includes your CA’s name.

Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.Subject -like ‘CA-Name’}

3. Run the command below, where SubjectName is the topic of the user certificate you specified when you created the certificate.

The CAThumbprint is the thumbprint of the CA, which was obtained with the previous operation, and the credentials are the username and password of the local user who will be used for certificate-based authentication.

WSMan:localhostClientCertificate -Subject SubjectName -URI * -Issuer CAThumbprint -Credential New-Item WSMan:localhostClientCertificate -Subject SubjectName -URI * -Issuer CAThumbprint -Credential (Get-Credential)

Certificate-Based Authentication is being put to the test.

Use the certificate on the client computer to authenticate without supplying credentials now that the certificate to user mapping has been set up.

In PowerShell, search in the Personal certificate store for the thumbprint of the client certificate.

Cert:CurrentUserMyGet-ChildItem

Now, in a PSRemoting command like the one below, provide the thumbprint in the CertificateThumbprint option.

Enter-PSSession -ComputerName ServerName -CertificateThumbprint <Thumbprint>

Because certificate-based authentication may only be used with an HTTPS listener, -UseSSL is implicit, unlike other authentication methods that require you to explicitly mention SSL.

Steps to Follow

Learn more about PSRemoting in our PowerShell Remoting: The Ultimate Guide article now that you’ve learned how to set up WinRM over SSL.

Are you interested in learning more about PowerShell in general, as well as a lot about PSRemoting? Check out the book PowerShell for Sysadmins!

.Subject -like ‘CA-Name’ | Get-ChildItem Cert:LocalMachineRoot

3. Run the command below, where SubjectName is the topic of the user certificate you specified when you created the certificate.

The CAThumbprint is the thumbprint of the CA, which was obtained with the previous operation, and the credentials are the username and password of the local user who will be used for certificate-based authentication.

WSMan:localhostClientCertificate -Subject SubjectName -URI * -Issuer CAThumbprint -Credential New-Item WSMan:localhostClientCertificate -Subject SubjectName -URI * -Issuer CAThumbprint -Credential (Get-Credential)

Certificate-Based Authentication is being put to the test.

Use the certificate on the client computer to authenticate without supplying credentials now that the certificate to user mapping has been set up.

In PowerShell, search in the Personal certificate store for the thumbprint of the client certificate.

Cert:CurrentUserMyGet-ChildItem

Now, in a PSRemoting command like the one below, provide the thumbprint in the CertificateThumbprint option.

Enter-PSSession -ComputerName ServerName -CertificateThumbprint <Thumbprint>

Because certificate-based authentication may only be used with an HTTPS listener, -UseSSL is implicit, unlike other authentication methods that require you to explicitly mention SSL.

Steps to Follow

Learn more about PSRemoting in our PowerShell Remoting: The Ultimate Guide article now that you’ve learned how to set up WinRM over SSL.

Are you interested in learning more about PowerShell in general, as well as a lot about PSRemoting? Check out the book PowerShell for Sysadmins!

The “winrm create winrm/config/listener?address=*+transport=https” is a command-line tool that allows you to set up PSRemoting with WinRM and SSL. This article will walk through the steps needed to set it up.

Frequently Asked Questions

How do I enable HTTPS in WinRM?

A: To enable SSL or TLS on WinRM, you need to specify the necessary certificates through config.cmdlets.ServerCertificate and ServerAuthentication using the following syntax.

How do I enable WinRM and PSRemoting?

A: To enable WinRM and PSRemoting for servers, open the Windows Firewall Control Panel. Select Allow an app or feature through Windows Firewall from the list of firewall profiles on the left side of this window. You can enter a program name to search for in your default programs if you are having difficulty locating it. Once located, select Allow access and click Change Settings underneath that entry to complete enabling those settings.

How do I configure WinRM listener?

A: You can configure the WinRM listener by running winrm quickconfig from an elevated command prompt.

Related Tags

  • enable winrm powershell
  • how to enable 5986 port in windows
  • winrm ssl port
  • winrm create winrm/config/service/certmapping
  • winrm set certificate thumbprint