Configuring Windows PowerShell remoting
WinRM over HTTPS needs an SSL certificate whose subject (CN) is the name clients will connect to and that carries the Server Authentication extended key usage (OID 1.3.6.1.5.5.7.3.1). Options:
- buy it from a certificate authority
- generate a self-signed certificate (with IIS Manager, makecert or OpenSSL, as described below)
In all examples below HOSTNAME must be replaced with either the remote server's host name or the IP address that will be used to connect to that server, e.g. srv1.mycompany.com or 32.53.2.87. Whatever you choose must be exactly what appears after -ComputerName on the client, otherwise the certificate name check fails.
If you have IIS 7/8 installed on the remote server, IIS Manager is the simplest way to generate a self-signed SSL certificate:
- Open IIS Manager.
- Select the top most machine node in Connections pane.
- Click Server Certificates in Details pane.
- Click Create Self-Signed Certificate... in Actions pane.
- Specify HOSTNAME as the certificate friendly name. Note that IIS Manager sets the certificate subject to the computer's own full name, so clients must connect using that name (or skip the CN check).
- Select Personal as the certificate store. The certificate is then already in LocalMachine\My on the server and no PFX import is needed.
The following guide is based on this MSDN article. Makecert.exe is part of the Windows SDK; if you have Visual Studio .NET installed you already have both the makecert.exe and pvk2pfx.exe tools.
Open Visual Studio command prompt in elevated mode (Run as Administrator...).
Navigate to some folder where certificate files will be created:
cd c:\mycertificates
Create a certificate and a private key file, and then convert those files into a .pfx (-r makes it self-signed, -pe marks the private key exportable, -eku 1.3.6.1.5.5.7.3.1 adds the Server Authentication usage WinRM requires):
makecert -r -pe -n "CN=HOSTNAME" -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sv HOSTNAME.pvk HOSTNAME.cer
pvk2pfx -pvk HOSTNAME.pvk -spc HOSTNAME.cer -pfx HOSTNAME.pfx
The exported PFX will have an empty password, so treat the file as a secret: copy it to the remote server once and delete other copies.
Import the PFX on the remote server as explained below.
Download OpenSSL for Windows. The Win32 OpenSSL vx.x.x Light package is more than enough for generating an SSL certificate.
Edit openssl.cfg and add extendedKeyUsage = serverAuth to the [ v3_ca ] section (openssl req -x509 applies that section's extensions by default), so that the certificate carries the Server Authentication usage WinRM requires:
[ v3_ca ]
extendedKeyUsage = serverAuth
Point OpenSSL at that configuration file:
set OPENSSL_CONF=C:\Utils\OpenSSL-Win32\bin\openssl.cfg
Generate a self-signed certificate with a new private key (-nodes leaves the key unencrypted; shorten -days to the lifetime you actually need):
openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout HOSTNAME.key -out HOSTNAME.cer -subj "/CN=HOSTNAME"
Convert certificate and private key to .PFX:
openssl pkcs12 -export -out HOSTNAME.pfx -inkey HOSTNAME.key -in HOSTNAME.cer -name "HOSTNAME" -passout pass:
The exported PFX will have an empty password (-passout pass:), so treat the file and HOSTNAME.key as secrets: copy the PFX to the remote server once and delete other copies.
Import the PFX on the remote server as explained below.
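A PowerShell alternative to the three generators above, added here as an example and not taken from the original page: New-SelfSignedCertificate from the PKI module (the parameters used need Windows 10 / Server 2016 or later) replaces the deprecated makecert.exe, puts the Server Authentication EKU on the certificate, checks that it is really there, and exports both the .cer for clients and the .pfx with a real password instead of an empty one. The names $hostName, $exportDir and $pfxPass are assumptions; if you run this on the remote server itself the certificate is already in LocalMachine\My and no PFX import is needed.

```powershell
# Added example (not from the original page): self-signed WinRM listener certificate
# with New-SelfSignedCertificate. Replace HOSTNAME; $hostName, $exportDir and $pfxPass
# are assumptions for this example. Run in an elevated PowerShell prompt.
$hostName  = "HOSTNAME"                  # must match what clients type after -ComputerName
$exportDir = "C:\mycertificates"
$pfxPass   = Read-Host -AsSecureString -Prompt "Password to protect the exported PFX"

New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# -DnsName puts the host name in both Subject CN and the Subject Alternative Name.
# -TextExtension 2.5.29.37 sets the EKU to Server Authentication (1.3.6.1.5.5.7.3.1)
# only; WinRM requires that usage on the listener certificate.
$cert = New-SelfSignedCertificate `
    -DnsName $hostName `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -FriendlyName $hostName `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2) `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")

# Fail here rather than later with an opaque error from the WinRM service.
# EnhancedKeyUsageList is the property PowerShell adds to X509Certificate2 objects.
if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.5.5.7.3.1")) {
    throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key"
}

# The public .cer is what clients import into their Trusted Root store so they can
# validate the server; the .pfx holds the private key and belongs only on the server.
Export-Certificate    -Cert $cert -FilePath (Join-Path $exportDir "$hostName.cer") | Out-Null
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $exportDir "$hostName.pfx") -Password $pfxPass | Out-Null

"Thumbprint: $($cert.Thumbprint)"
"Subject:    $($cert.Subject)"
"Valid to:   $($cert.NotAfter)"
```

Because the certificate lands in LocalMachine\My, the WinRM service (which runs as SYSTEM) can use its private key directly. When the PFX is moved to another machine with Install-Certificate below, pass the password you chose here instead of the empty string.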
On the remote server, in an elevated PowerShell prompt, enable remoting (this configures the WinRM service and creates an HTTP listener on port 5985) and allow locally created scripts to run:
Enable-PSRemoting
Set-ExecutionPolicy RemoteSigned
Import the PFX into the computer's Personal store. The MachineKeySet flag is what makes the private key available to the WinRM service, which runs as SYSTEM, and PersistKeySet keeps the key after the script exits:
function Install-Certificate ($certPath, [string]$storeLocation = "LocalMachine", [string]$storeName = "My")
{
    # Second argument is the PFX password: empty for the PFX files exported above.
    # The flags string is converted by PowerShell to X509KeyStorageFlags.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath, "", "MachineKeySet,PersistKeySet")
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, $storeLocation)
    $store.Open("ReadWrite")   # X509Store.Open(OpenFlags.ReadWrite); needs an elevated prompt for LocalMachine
    $store.Add($cert)
    $store.Close()
    # The thumbprint is what the HTTPS listener is bound to below.
    "Thumbprint: $($cert.Thumbprint)"
}
Install-Certificate <path-to-pfx-file>
Get the certificate thumbprint (Install-Certificate prints it too; this finds it again later):
Get-ChildItem cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=HOSTNAME" }
Add a WinRM HTTPS listener bound to that certificate. Run this from cmd.exe: in a PowerShell prompt the @{...} argument is parsed as a hashtable and must be quoted as a string, e.g. '@{Hostname="HOSTNAME";CertificateThumbprint="THUMBPRINT"}'. Hostname must match the certificate subject and THUMBPRINT is the value from the previous step without spaces:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="HOSTNAME";CertificateThumbprint="THUMBPRINT"}
Open TCP port 5986 (the WinRM HTTPS port) in the Windows firewall:
netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986
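The same server-side steps as one PowerShell script, added here as an example rather than taken from the original page. It uses the .NET X509Certificate2 import the page's Install-Certificate function is built on, checks the certificate has the usage the listener needs, creates the HTTPS listener with New-WSManInstance (which takes real hashtables, so the winrm.cmd quoting problem does not arise), adds the firewall rule with New-NetFirewallRule and then verifies that something is listening on 5986. $hostName, $pfxPath and $pfxPass are assumptions; the PKI, WSMan and NetSecurity cmdlets used need Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original page): server-side WinRM HTTPS setup in one script.
# Run in an elevated PowerShell prompt on the remote server. $hostName, $pfxPath and
# $pfxPass are assumptions; $pfxPass is "" for the empty-password PFX files above.
$hostName = "HOSTNAME"
$pfxPath  = "C:\mycertificates\HOSTNAME.pfx"
$pfxPass  = ""

# Configures the WinRM service and creates the default HTTP listener. On a client OS
# with a network set to Public this needs -SkipNetworkProfileCheck as well.
Enable-PSRemoting -Force | Out-Null

# MachineKeySet: the private key is stored where the WinRM service (SYSTEM) can read it.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet,PersistKeySet"
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPass, $flags)

if (-not $cert.HasPrivateKey) { throw "$pfxPath contains no private key" }
if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.5.5.7.3.1")) {
    throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU; the listener would not start"
}
if ($cert.GetNameInfo("DnsName", $false) -ne $hostName) {
    Write-Warning "Certificate name '$($cert.GetNameInfo('DnsName', $false))' differs from '$hostName'; clients will fail the CN check"
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()

# Replace any existing HTTPS listener so a stale thumbprint is not left behind.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains "Transport=HTTPS" } |
    ForEach-Object { Remove-Item -Path $_.PSPath -Recurse }

New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = "*"; Transport = "HTTPS" } `
    -ValueSet   @{ Hostname = $hostName; CertificateThumbprint = $cert.Thumbprint } | Out-Null

# Inbound rule for TCP 5986; idempotent so the script can be re-run.
$ruleName = "Windows Remote Management (HTTPS-In)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
}

# Verification: the listener exists and the port is open locally. A full TLS check
# (issuer, name, expiry) is done from the client once it trusts the certificate.
Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains "Transport=HTTPS" }
$probe = Test-NetConnection -ComputerName localhost -Port 5986 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) { throw "Nothing is listening on TCP 5986; check Get-Service WinRM" }
"HTTPS listener bound to $($cert.Thumbprint) for $hostName"
```

Once the HTTPS listener works, the HTTP listener that Enable-PSRemoting created can be removed the same way (filter on Transport=HTTP) so credentials are never negotiated over an unencrypted channel.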
On the client, add the server to the WinRM trusted hosts list. Over HTTPS this step is optional, because the server certificate already identifies the host (WinRM's own error message for non-Kerberos connections asks for either HTTPS transport or a TrustedHosts entry). If you set it, list HOSTNAME rather than *: the wildcard lets the client send credentials to any machine it is pointed at.
winrm set winrm/config/client @{TrustedHosts="*"}
Connect to the server over HTTPS on port 5986:
Invoke-Command -ComputerName HOSTNAME -Port 5986 -Credential (Get-Credential) `
-UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) -ScriptBlock { Get-Date }
-SkipCACheck and -SkipCNCheck make the client accept any certificate, so the TLS connection is encrypted but the server is no longer authenticated. Use them only for the first test; then import HOSTNAME.cer into the client's Trusted Root Certification Authorities store, connect with the name that matches the certificate, and drop both options.
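The client side with certificate validation kept on, added here as an example and not taken from the original page: the server's public certificate (HOSTNAME.cer, exported alongside the PFX) is imported into the client's Trusted Root store with Import-Certificate, TrustedHosts is limited to the one server, Test-WSMan confirms that the certificate chain and name are accepted, and Invoke-Command then runs without -SkipCACheck or -SkipCNCheck. $hostName and $cerPath are assumptions; run it in an elevated PowerShell prompt on the client, which also needs its WinRM service running for the WSMan: drive.

```powershell
# Added example (not from the original page): connect over HTTPS while validating
# the server certificate instead of skipping the checks. $hostName and $cerPath are
# assumptions; $hostName must be exactly the name in the certificate.
$hostName = "HOSTNAME"
$cerPath  = "C:\mycertificates\HOSTNAME.cer"   # public certificate only, copied from the server

# Make the self-signed certificate a trusted root on this client. LocalMachine\Root
# needs an elevated prompt; Cert:\CurrentUser\Root works for a single user.
$trusted = Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\Root"
"Trusted $($trusted.Subject) with thumbprint $($trusted.Thumbprint)"

# Optional over HTTPS, but if TrustedHosts is used at all, name the server, not "*".
# Use -Concatenate to append to an existing list instead of replacing it.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $hostName -Force

# Test-WSMan sends an unauthenticated Identify request but performs the full TLS
# validation: untrusted issuer, name mismatch or expiry all fail here with a clear error.
try {
    $id = Test-WSMan -ComputerName $hostName -UseSSL -Port 5986 -ErrorAction Stop
    "Server answered over TLS: $($id.ProductVendor) $($id.ProductVersion)"
} catch {
    throw "TLS validation against $hostName failed: $($_.Exception.Message)"
}

# No -SkipCACheck / -SkipCNCheck: the session is only established if the certificate
# chains to the imported root and its name matches $hostName.
$cred = Get-Credential -Message "Credentials for $hostName"
Invoke-Command -ComputerName $hostName -Port 5986 -UseSSL -Credential $cred -ScriptBlock {
    # Runs on the server: report which machine and identity the session landed on.
    "$env:COMPUTERNAME as $([Security.Principal.WindowsIdentity]::GetCurrent().Name) at $(Get-Date)"
}
```

If the Test-WSMan step reports an unknown certificate authority, the .cer was not imported into the store the connecting user resolves (LocalMachine\Root is seen by everyone, CurrentUser\Root only by that user); if it reports a name mismatch, the value of $hostName is not the name the certificate was issued for, and the fix is to use that name rather than to re-enable -SkipCNCheck.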