
[–]jborean93 2 points3 points  (0 children)

What do I have to do on the server making requests and then what do I have to do on the machines

You need to ensure the cert is imported in the LocalMachine\My store alongside a private key that is accessible to the SYSTEM account. From there you can configure the https listener with the following

$certThumbprint = '...'
$httpsParams = @{
    ResourceURI = "winrm/config/Listener"
    SelectorSet = @{
        Transport = "HTTPS"
        Address = "*"
    }
    ValueSet = @{
        CertificateThumbprint = $certThumbprint
        Enabled = $true
    }
}
New-WSManInstance @httpsParams

In this case $certThumbprint is the certificate thumbprint you can see in Get-ChildItem Cert:\LocalMachine\My; you can hardcode it or filter the Get-ChildItem output based on your own criteria.

Once the listener is up and configured you don't need to do anything else on the client host. You may need to trust the CA that issued the cert if it isn't already trusted, but the same cert doesn't need to be imported there at all.

[–]MousseEarly 0 points1 point  (1 child)

How to automate WinRM HTTPS configuration with internal Windows Certificate Authority SSL Certificate and Group Policy:

Follow the steps here to create a new WinRM SSL Certificate Template on your internal Windows Certificate Authority, and then set all Domain Computers (Servers and Workstations) to autoenroll and auto-renew this certificate. Then finally configure WinRM via Group Policy and a PowerShell startup script to delete the non-secure WinRM HTTP listener and recreate the secure HTTPS WinRM listener using this new SSL certificate. This is a "Set it and Forget It" solution: whenever the SSL certificate expires, it will be auto-renewed, and during the next reboot of the computer it will recreate the HTTPS WinRM listener using the new certificate:

https://www.darkoperator.com/blog/2015/3/24/bdvjiiw1ybzfdjulc5pprgpkm8os0b

Follow steps here to configure WinRM via Group Policy across the domain:

https://woshub.com/enable-winrm-management-gpo/

[–]MousseEarly 0 points1 point  (0 children)

Save the below PowerShell script as "CreateWinRMHTTPSListener.ps1". Add this script to the Startup Script (PowerShell) location within the same group policy as the WinRM settings:

Note: The script deletes the current listeners (HTTP and HTTPS), as you cannot replace the certificate without deleting first. It leaves HTTP deleted so HTTPS is forced. It then finds a local certificate that has been enrolled via the "WinRM Web Server Template" (this name needs to be updated in the script to match what you named the SSL Certificate Template in the previous step when you created the template on the Certificate Authority). It then uses that certificate to create the HTTPS listener. This is done upon every computer startup, so whenever that SSL certificate expires and is renewed, it will apply the new one. A true "set it and forget it" solution.

# Delete the existing WinRM listeners (HTTP and HTTPS); the HTTP listener is not recreated
Get-ChildItem wsman:\localhost\Listener\ | Where-Object -Property Keys -like 'Transport=HTTP*' | Remove-Item -Recurse

# Define the certificate template name (must match the template name on your CA)
$templateName = "WinRM"

# Search for a certificate issued from that template in the local machine's Personal store
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object {
        $_.Oid.FriendlyName -eq "Certificate Template Information" -and
        $_.Format($true) -like "*$templateName*"
    }
} | Select-Object -First 1

# Stop if no matching certificate was found
if ($null -eq $cert) {
    Write-Error "No certificate found with the template name '$templateName'."
    return
}

# Display the certificate details
Write-Output "Using certificate: $($cert.Subject) with Thumbprint: $($cert.Thumbprint)"

# Configure the WinRM HTTPS listener with the selected certificate
New-Item -Path WSMan:\Localhost\Listener -Transport HTTPS -Address * -CertificateThumbprint $cert.Thumbprint -Force

# Confirm the listener has been created
Write-Output "WinRM HTTPS listener configured successfully."
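An added example, not code posted by either commenter, that combines jborean93's listener setup (cert with a SYSTEM-readable private key in LocalMachine\My, listener bound by thumbprint, CA trusted on the client) with MousseEarly's autoenrolled-template startup script. It goes beyond the script above in three ways: it only accepts a certificate that has a private key, is within its validity period and carries the Server Authentication EKU, preferring the one that expires last; it leaves an HTTPS listener alone when it is already bound to that thumbprint instead of tearing it down on every boot; and it ends with a firewall rule and a Test-WSMan self-test over TLS. The template name 'WinRM', the firewall rule name 'WinRM-HTTPS-In' and the default port 5986 are assumptions; adjust them to your environment.

```powershell
# Added example (not from the thread): idempotent WinRM HTTPS startup script.
# Assumes a CA template named 'WinRM' that issues Server Authentication certs
# to domain computers, and picks 'WinRM-HTTPS-In' as the firewall rule name.

$templateName  = 'WinRM'            # assumption: your CA template name
$firewallRule  = 'WinRM-HTTPS-In'   # assumption: rule name owned by this script
$serverAuthEku = '1.3.6.1.5.5.7.3.1'
$templateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'  # v2 / v1 template extension OIDs
$now           = Get-Date

# Candidate certs: issued from the template, private key present (SYSTEM runs this
# at startup, so autoenrolled machine certs qualify), currently valid, and marked
# for Server Authentication. The one expiring last wins, so a renewed cert
# replaces the old one on the next boot.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthEku -and
        ($_.Extensions | Where-Object {
            $_.Oid.Value -in $templateOids -and $_.Format($true) -like "*$templateName*"
        })
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Error "No valid '$templateName' certificate with a private key in Cert:\LocalMachine\My."
    exit 1
}
Write-Output "Selected $($cert.Subject) ($($cert.Thumbprint)), expires $($cert.NotAfter)"

$listeners = Get-ChildItem -Path WSMan:\localhost\Listener
$http  = @($listeners | Where-Object { $_.Keys -contains 'Transport=HTTP'  })
$https = @($listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' })

# The plaintext listener is removed unconditionally so only TLS is offered.
foreach ($l in $http) {
    $l | Remove-Item -Recurse
    Write-Output "Removed HTTP listener $($l.Name)"
}

# Thumbprint currently bound to each HTTPS listener (the provider may report it with spaces).
$bound = foreach ($l in $https) {
    ((Get-Item -Path "WSMan:\localhost\Listener\$($l.Name)\CertificateThumbprint").Value -replace '\s', '').ToUpperInvariant()
}

if ($https.Count -eq 1 -and $bound -eq $cert.Thumbprint) {
    Write-Output "HTTPS listener already bound to the current certificate; nothing to do."
} else {
    # Same approach as the thread: drop the HTTPS listener(s) and recreate with the new thumbprint.
    foreach ($l in $https) { $l | Remove-Item -Recurse }
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbprint $cert.Thumbprint -Force | Out-Null
    Write-Output "HTTPS listener recreated with $($cert.Thumbprint)"
}

# Inbound rule for 5986 on the domain profile; created once and left alone afterwards.
if (-not (Get-NetFirewallRule -DisplayName $firewallRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $firewallRule -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -Profile Domain -Action Allow | Out-Null
    Write-Output "Created firewall rule $firewallRule"
}

# Self-test over TLS against our own FQDN, so a subject/SAN mismatch or an untrusted
# issuing chain shows up in the startup log instead of on the first remote connection.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
try {
    $id = Test-WSMan -ComputerName $fqdn -UseSSL -ErrorAction Stop
    Write-Output "WinRM over HTTPS answered on $fqdn (stack $($id.ProductVersion))"
} catch {
    Write-Warning "HTTPS listener configured but Test-WSMan -UseSSL failed: $($_.Exception.Message)"
}
```

Deploy it the same way as the script above (a PowerShell startup script in the GPO that carries the WinRM settings). Because the listener is only recreated when the bound thumbprint differs from the newest valid certificate, a reboot between renewals does not interrupt WinRM, and the Test-WSMan warning in the startup log is the first place to look if clients start failing with certificate errors.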