This is a step by step guide and will show you how to use HTTPS port and self signed SSL certificate while using Powershell Remoting. On the PSRemoting regards I had already written one article in the past POWERSHELL PS REMOTING BETWEEN STANDALONE WORKGROUP COMPUTERS, When you use WinRM PSRemoting, it uses default HTTP 5985 port for connection and SSL is not used, If I try to use Enter-PSSession command with -UseSSL syntax which Indicates that it will use Secure Sockets Layer (SSL) protocol to establish a connection to the remote computer. WS-Management encrypts all Windows PowerShell content transmitted over the network. If you use this parameter, but SSL is not configured, the command fails with below error.

Enter-PSSession -ComputerName <FQDN_IP> -UseSSL

Enter-PSSession : Connecting to remote server psserver01 failed with the following error message : The client cannot

connect to the destination specified in the request. Verify that the service on the destination is running and is

accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most

commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to

analyze and configure the WinRM service: "winrm quickconfig". For more information, see the

about_Remote_Troubleshooting Help topic.

At line:1 char:1

+ Enter-PSSession -ComputerName psserver01 -UseSSL

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidArgument: (psserver01:String) [Enter-PSSession], PSRemotingTransportException

+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Series

POWERSHELL PS REMOTING BETWEEN STANDALONE WORKGROUP COMPUTERS

PowerShell remoting over HTTPS using self-signed SSL certificate

Configure Powershell WinRM to use OpenSSL generated Self-Signed certificate

Powershell WinRM HTTPs CA signed certificate configuration

Powershell Generate Self-signed certificate with Self-Signed Root CA Signer

The -UseSSL parameter is an additional protection that sends the data across an HTTPS connection instead of an HTTP connection. If I don't use -UseSSL parameter everything is successful as you can see on below screenshot.

To start configuring SSL certificate, first step is requirement of certificate, which can be self signed or CA certificate. As this is a Lab proof of concept (POC), I am using powershell command to create one cert, Dns name should be matching current hostname as DNSName for self-signed certificate.

$hostName = $env:COMPUTERNAME

$serverCert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $hostName

Verify the thumbprint of the newly created certificate, it is located under Local machine personal certificate store.

$serverCert

Creation of self signed SSL certificate is successful and it will be needed on the last steps, I am exporting it on remote share drive using below command.

Export-Certificate -Cert $serverCert -FilePath \\fileshare\cert\PsRemoting-Cert.cer

Next verify and check on fileshare for exported certificate that is exported successfully.

Get-ChildItem \\fileshare\Cert\PsRemoting-Cert.cer

You can enable powershell remoting now, Although this command might not be required to run on newer version of windows OS, because remoting is by default enabled.

Enable-PSRemoting -Force

Running above command will update WinRM for remote management, WinRM service type will set and change to delayed auto start and it will be started, and in the last

It creates a WinRM listener on https://* to accept WS-Man requests to any IP for this machine, we will start working on it

Default TCP ports for Powershell Remoting are HTTP - 5985 and HTTPS - 5986. You will always find one default listener (PS-Remoting endpoint) created with name {Transport=HTTPs, Address=*}. Below command helps to view the listener, it is located under PSDrive WsMan.

Get-ChildItem wsman:\localhost\Listener

I am going to remove this default HTTP listener. for security reason I will only use HTTPS port to connect. HTTPS can coexist with HTTP.

Get-ChildItem wsman:\localhost\Listener\ | Where-Object -Property Keys -eq 'Transport=HTTP' | Remove-Item -Recurse

Re-verify that no listener is available, running below command again.

Get-ChildItem wsman:\localhost\Listener

Create a new listener with previously created SSL certificate.

New-Item -Path WSMan:\localhost\Listener\ -Transport HTTPS -Address * -CertificateThumbPrint $serverCert.Thumbprint -Force

Rerun the command to verify new setting on the listener, There should be new HTTPS listener created.

Get-ChildItem wsman:\localhost\Listener

Although I have disabled firewall completely on my lab server, but in case windows software Firewall is enabled in your environment on the server, you will need to create a new rule in firewall to allow traffic through TCP port number 5986. It will be Inbound rule for Windows Remote Management via WS-Management. [TCP 5986].

New-NetFirewallRule -Displayname 'WinRM - Powershell remoting HTTPS-In' -Name 'WinRM - Powershell remoting HTTPS-In' -Profile Any -LocalPort 5986 -Protocol TCP

You can verify the same on Windows Firewall with Advanced Security, Inbound rules settings.

Although restarting WinRM service is not required, but still restart it using command to take effect, you can also use Services.msc - Windows Remote Management (WS-Management).

Restart-Service WinRM

On the other computer from where you want to try remote use command Enter-PSSession <ComputerName> -UseSSL, it might fail again, it will show another error message. As we removed default listener in earlier commands, remoting will not even work without -UseSSL syntax.

Enter-PSSession : Connecting to remote server psserver01 failed with the following error message : The server

certificate on the destination computer (psserver01:5986) has the following errors:

The SSL certificate is signed by an unknown certificate authority. For more information, see the

about_Remote_Troubleshooting Help topic.

At line:1 char:1

+ Enter-PSSession adserver001 -UseSSL

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidArgument: (adserver001:String) [Enter-PSSession], PSRemotingTransportException

+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed

This error is receiving because certificate is self signed and not trusted, for a testing purpose we can skip certificate check to test PSRemoting as below.

$sessionOptions = New-PSSessionOption -SkipCACheck

Enter-PSSession -ComputerName <FQDN_HostName> -UseSSL -SessionOption $sessionOptions

Above command add one line to the script, to avoid it, if you have admin access you can trust the self-signed cert, you will need it to import to Trusted Root Certification Authorities, run command.

Import-Certificate -FilePath \\fileshare\Cert\PsRemoting-Cert.cer -CertStoreLocation Cert:\LocalMachine\root\

Once imported verifiy the certificate thumbprint and try psremoting.

Enter-PSSession -Computername <FQDN> -UseSSL

Useful Articles

Generate new self-signed certificates for ESXi using OpenSSL

Push SSL certificates to client computers using Group Policy

Replacing a default ESXi certificate with a CA-Signed certificate

Troubleshooting replacing a corrupted certificate on Esxi server

How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi

How to replace default vCenter VMCA certificate with Microsoft CA signed certificate