Enable SSL for WS-Management
Enable SSL management for WS-Man with a cert and a few lines of PowerShell.
February 14, 2016
Q. How do I enable SSL for WS-Management?
A. To enable SSL for HTTPS based Windows Remote Management you require a certificate that matches the name that clients will be connecting using. While you could use makecert.exe this is not a good idea since it will not be trusted by the clients who will need to connect using SkipCNCheck option which defeats the point of mutual authentication since the certificate cannot be trusted. Instead use a certificate from your internal certificate authority or from an external trusted certificate authority. The certificate should of type SSL certificate, also referred to as a web server certificate. Ensure that common name of the certificate is exactly matching the name that will be used to connect to the server, for example the fully qualified domain name. Once you have the certificate and it is installed in the local machines store perform the following in an elevated PowerShell session:
Find the thumbprint of the certificate you will use. The easiest way is to navigate the certificate provider and look in the LocalMachineMy store. View all the items (Get-ChildItem) and make a note of the thumbprint or simply store in a variable
$cert = Get-ChildItem cert:LocalMachineMy
You can examine the thumbprint with $cert.thumbprintCreate the new HTTPS listener using the full hostname and the certificate thumbprint, for example:
New-WSManInstance winrm/config/Listener `
-SelectorSet @{Address='*';Transport='HTTPS'} `
-ValueSet @{HostName='workgroupsrv.savilltech.net';CertificateThumbprint=$cert.thumbprint}The final step is to create a firewall exception for port 5986 which is the port used for SSL management:
New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" `
-Profile Any -LocalPort 5986 -Protocol TCP
You will now be able to connect to the machine using SSL which also requires passing a credential, e.g.
$cred=get-credentialEnter-PSSession workgroupsrv.savilltech.net -Credential $cred -UseSSL
Note the name you connect to must match the common name of the certificate.
About the Author
You May Also Like