Enable SSL for WS-Management

Q. How do I enable SSL for WS-Management?

A. To enable SSL for HTTPS-based Windows Remote Management you require a certificate whose name matches the name that clients will use to connect. While you could use makecert.exe, this is not a good idea: the certificate will not be trusted by the clients, who would then need to connect with the SkipCNCheck option, which defeats the point of mutual authentication since the certificate cannot be trusted. Instead, use a certificate from your internal certificate authority or from an external trusted certificate authority. The certificate should be of type SSL certificate, also referred to as a web server certificate. Ensure that the common name of the certificate exactly matches the name that will be used to connect to the server, for example the fully qualified domain name. Once you have the certificate and it is installed in the local machine's store, perform the following in an elevated PowerShell session:

  1. Find the thumbprint of the certificate you will use. The easiest way is to navigate the certificate provider and look in the \LocalMachine\My store. View all the items (Get-ChildItem) and make a note of the thumbprint, or simply store the certificate in a variable:
    # narrow to the one certificate whose subject matches the connection name;
    # with several certificates in the store, $cert.Thumbprint would be an array
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=workgroupsrv.savilltech.net*' }
    You can examine the thumbprint with $cert.Thumbprint
  2. Create the new HTTPS listener using the full hostname and the certificate thumbprint, for example:
    New-WSManInstance winrm/config/Listener `
      -SelectorSet @{Address='*';Transport='HTTPS'} `
      -ValueSet @{HostName='workgroupsrv.savilltech.net';CertificateThumbprint=$cert.Thumbprint}
  3. The final step is to create a firewall exception for port 5986, the port used for SSL management:
    New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" `
      -Direction Inbound -Action Allow -Profile Any -LocalPort 5986 -Protocol TCP

You will now be able to connect to the machine using SSL, which also requires passing a credential, e.g.

$cred = Get-Credential
Enter-PSSession workgroupsrv.savilltech.net -Credential $cred -UseSSL

Note the name you connect to must match the common name of the certificate.
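The three steps above, as an added example script that is not part of the original FAQ: it selects the certificate by hostname, checks that it has a private key, is unexpired, carries the Server Authentication EKU and chains to a trusted root (so a makecert-style certificate is rejected before a listener is bound to it), then creates the listener and the 5986/TCP rule only if they do not already exist. The hostname, the rule name 'WinRM-HTTPS-In' and the assumption that the certificate is already in Cert:\LocalMachine\My are mine; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original FAQ). Assumes the server certificate is
# already installed in Cert:\LocalMachine\My and that this runs elevated.
$HostName = 'workgroupsrv.savilltech.net'   # must equal the certificate CN / SAN
$serverAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication EKU

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "CN=$HostName*" -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        # locate the EKU extension (OID 2.5.29.37) and require Server Authentication
        ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.EnhancedKeyUsages.Value }) -contains $serverAuthOid
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No usable server certificate for $HostName in LocalMachine\My" }

# Verify() builds and validates the chain (including revocation checking);
# a self-signed makecert certificate fails here, which is the trust problem
# described above, so we stop rather than create a listener clients cannot trust.
if (-not $cert.Verify()) {
    throw "Certificate $($cert.Thumbprint) does not chain to a trusted root"
}

# Do not create a second HTTPS listener if one is already configured.
$existing = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if ($existing) {
    Write-Warning "HTTPS listener already present: $($existing.Name)"
} else {
    New-WSManInstance winrm/config/Listener `
        -SelectorSet @{Address='*'; Transport='HTTPS'} `
        -ValueSet @{HostName=$HostName; CertificateThumbprint=$cert.Thumbprint} | Out-Null
}

# Firewall: open only 5986/TCP inbound; the plain HTTP port 5985 stays closed.
if (-not (Get-NetFirewallRule -Name 'WinRM-HTTPS-In' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'WinRM-HTTPS-In' `
        -DisplayName 'Windows Remote Management (HTTPS-In)' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986 -Profile Any | Out-Null
}

# Confirm the listener answers over TLS using the exact name on the certificate.
Test-WSMan -ComputerName $HostName -UseSSL
```

Test-WSMan with -UseSSL validates the certificate the same way a client will, so a name mismatch or an untrusted chain shows up here rather than at the first Enter-PSSession.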
