Series

POWERSHELL PS REMOTING BETWEEN STANDALONE WORKGROUP COMPUTERS

PowerShell remoting over HTTPS using self-signed SSL certificate

Configure Powershell WinRM to use OpenSSL generated Self-Signed certificate

Powershell WinRM HTTPs CA signed certificate configuration

This guide is second part of PowerShell remoting over HTTPS using self-signed SSL certificate, It will not only show how to configure WinRM to use SSL certificate quickly but also will show how you can generate self sign ssl certificate using OpenSSL tool. You can download OpenSSL tool from url https://slproweb.com/products/Win32OpenSSL.html, for further OpenSSL configuration check Generate new self-signed certificates for ESXi using OpenSSL To create new cert, below is the openssl configuration readymade template can be used, you just need to replace bold text as per your requirement. Copy below content in notepad and save it as extension .cnf filename. I am using hostname as file name - psremote002.cnf.

[ req ]

default_md = sha512

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

[ v3_req ]

basicConstraints = CA:false

keyUsage = digitalSignature, keyEncipherment, dataEncipherment

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS:"psremote002.vcloud-lab.com", DNS:"psremote002", IP:"192.168.34.14"

[ req_distinguished_name ]

countryName = IN

stateOrProvinceName = MH

localityName = Pune

0.organizationName = vcloud-lab.com

organizationalUnitName = Information Technology

commonName = psremote002.vcloud-lab.com

[ alt_names ]

DNS.1 = psremote002.vcloud-lab.com

DNS.2 = psremote002

IP.1 = 192.168.34.14

First generate a 2048 bit private key. A private key is one half of the public/private key pair used in digital certificates.

openssl genrsa -out Priv.key 2048

Generate a CSR file using private key and configuration file .cnf. A certificate signing request (CSR) is one of the first steps towards getting your own SSL Certificate.

openssl req -new -key Priv.key -out Request.csr -config psremote002.cnf

Use private key file, csr file and cnf file to generate new actual SSL certificate it will have crt extension, Certificate version will be 3 and it will be valid for 1 year.

openssl x509 -req -days 365 -signkey Priv.key -in Request.csr -out NewCertificate.crt -extensions v3_req -extfile psremote002.cnf

Certificate is generated but we need pfx file which will include private key and ssl certificate crt file, you need to specify password also. Remember this password for later use. PFX - stands for personal exchange format.

openssl pkcs12 -export -inkey Priv.key -in NewCertificate.crt -out FinalCertificate.pfx -passout pass:123456

Import the pfx certificate to computers personal certificate store, where you are activating HTTPS powershell remoting. Use the same password used while generating PFX file.

$certificate = Import-PfxCertificate -FilePath C:\temp\cert\FinalCertificate.pfx -CertStoreLocation Cert:\LocalMachine\my -Password (ConvertTo-SecureString -AsPlainText -String 123456 -Force)

Verify thumbprint of imported certificate.

$certificate

Next configure WinRM Powershell Remoting protocol, by creating a new HTTPS listener with imported pfx certificate. It is suggested to delete HTTP Listener completely and use only SSL HTTPS connection.

New-Item -Path WSMan:\localhost\Listener -Transport HTTPS- Address * -CertificateThumbPrint $certificate.Thumbprint -Force

There should be two listeners now HTTP and HTTPS, Verfiy them using command below.

Get-ChildItem WSMan:\localhost\Listener

I am importing pfx certificate on another computer to trust it, I am using share path to access pfx cert, It need to be imported to Trusted Root Certification Authorities location on certificate store. Always verify thumbprint for integrity of ssl certificate.

Import-PfxCertificate -FilePath \\192.168.34.14\c$\temp\cert\FinalCertificate.pfx -CertStoreLocaion Cert:\LocalMachine\Root -Password (ConverTo-SecureString -AsPlainText -String 123456 -Force)

Incase if you want to use IP address instead of fqdn or hostname to connect over PSRemoting, Use PSSessionOption with SkipCNCheck, Use SkipCACheck if you don't want to import certificate.

$sessionOptions = New-PSSessionOption -SkipCNCheck

Enter-PSSession -ComputerName 192.168.34.14 -UseSSL -SessionOption $sessionOptions -Credential vCloud-lab.com\kunal

Run some command ie hostname or ipconfig (Get-NetIPAddress) to verify you have connected successfully from remote computer.

Useful Articles

Generate new self-signed certificates for ESXi using OpenSSL

Push SSL certificates to client computers using Group Policy

Replacing a default ESXi certificate with a CA-Signed certificate

Troubleshooting replacing a corrupted certificate on Esxi server

How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi

How to replace default vCenter VMCA certificate with Microsoft CA signed certificate