SSL Cert for Powershell Remoting - 2018 approach advice?

I am currently working in a non-domain environment where I can connect to remote machines over site-to-site VPN on some occasions, but worst-case it must be over the internet. I am working through the Secrets of PowerShell Remoting book and I am in the section about creating an SSL cert.

I was looking at using ZeroSSL or LetsEncrypt to keep costs down. ZeroSSL isn’t giving me many options on the “server role” choices. It is basically prompting me for a domain. Has anyone used these services for an SSL cert to be used in a similar manner? If so, can you provide guidance on the Certificate creation parameters?

I guess I am not sure how to approach the domain problem when I have a bunch of “loose” endpoints, besides paying $$ for an SSL cert from DigiCert (or similar) with an “Other” role for the server.

Well, PKI is a whole conversation by itself, and using it the right way with PS and remoting is a regular conversation.

If you are not using a public cert, then you have to get your cert on each remote host you plan on hitting, and then be able to update them when they expire.

https://www.netometer.com/blog/?p=1758

Along with the resource(s) you are already using, there are lots of articles on the topic, for example:

https://blogs.technet.microsoft.com/uktechnet/2016/02/11/configuring-winrm-over-https-to-enable-powershell-remoting

https://blogs.technet.microsoft.com/scotts-it-blog/2014/12/30/working-with-certificates-in-powershell

https://4sysops.com/archives/powershell-remoting-over-https-with-a-self-signed-ssl-certificate

I don’t have anything specific for ZeroSSL, but here is info you can leverage for LetsEncrypt.

https://mssec.wordpress.com/2017/12/04/get-a-free-publicly-trusted-certificate-using-lets-encrypt-powershell-and-dns

https://www.virtualtothecore.com/en/improved-powershell-script-encrypt-certificate-renewals

Did you try OpenSSL? I use it to create certificates when I don’t want to pay for them, and it has a ton of options, which makes almost all use cases possible.

Thank you for the reply. You’ve provided me with several additional resources to help guide my journey so I better get to reading. I appreciate all the help.

I will definitely check out OpenSSL as a provider. Thank you for the suggestion.

While it’s not obvious at first sight, you can generate self-signed certificates with the Certificates MMC snap-in. My UI is in French, but I will try to translate: right-click on your personal certificates folder, All Tasks => Advanced Operations => Create Custom Request. Then, once you’re asked to choose an enrollment policy, choose “Proceed without enrollment policy”. On the next window you have to choose the key generation model and certificate request format; leave them at their defaults (CNG and PKCS #10 respectively). You can check the “Suppress default extensions” checkbox if you so desire.

Then you’re presented with the certificate properties window, where you can choose whatever properties you want, mark/unmark some extensions as critical, define the extended key usage, validity period, and many other things. Once you have finished and clicked Next, at some point you will be asked where to save an offline certificate request file; save it wherever you want, you won’t need it afterwards and can delete it.

Once the process is finished, go to your Certificate Enrollment Requests folder; your self-signed certificate is inside. Drag it to your personal certificates folder, and voilà, you have your own custom, self-signed certificate with its associated private key.

HTH,

You can create a self-signed cert directly using PS as well.

You need PSv4.x (or later) to do this.

Open PS as admin

# Create the self-signed cert in the local machine's Personal store (adjust the DNS name)
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName testcert.domain.com

# Password that protects the private key inside the exported PFX
$pwd = ConvertTo-SecureString -String 'passw0rd!' -Force -AsPlainText

# Export the cert plus private key to a PFX file (the two statements below were on one line)
$path = 'Cert:\LocalMachine\My\' + $cert.Thumbprint
Export-PfxCertificate -Cert $path -FilePath C:\temp\cert.pfx -Password $pwd

Note that the C:\temp directory, or whatever directory you specify in the -FilePath parameter, must already exist. You can now import the cert.pfx file to install the certificate.

If you are on a legacy version, makecert or .NET is the way to do this.

https://msdn.microsoft.com/library/windows/desktop/aa386968.aspx

https://social.technet.microsoft.com/wiki/contents/articles/4714.how-to-generate-a-self-signed-certificate-using-powershell.aspx

In either case, for the remote host to trust any non-public cert, you still must install it there in the appropriate store.
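Putting the thread's pieces together, here is an added example (not from any of the posts above) that creates the self-signed cert, binds a WinRM HTTPS listener to it on the remote host, and installs only the public half on the client so it can connect with -UseSSL. It assumes an elevated PowerShell 5.1 session on Windows 10 / Server 2016 or later; the host name host01.example.test and the C:\temp paths are placeholders, and the .cer file is copied to the client out of band.

```powershell
# Added example, not from the thread. Assumptions: elevated PowerShell 5.1 on Windows 10 /
# Server 2016 or later; 'host01.example.test' and the C:\temp paths are placeholders;
# the exported .cer file is copied from the remote host to the client out of band.

# ---------- On the REMOTE host (the machine you will connect TO) ----------
$dnsName = 'host01.example.test'   # must equal the name the client passes to -ComputerName

# Self-signed cert in the machine store; the default template already carries the
# Server Authentication EKU that a WinRM HTTPS listener requires.
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation 'Cert:\LocalMachine\My'

# Export only the PUBLIC certificate for the client; the private key never leaves this host.
Export-Certificate -Cert $cert -FilePath 'C:\temp\host01-public.cer' | Out-Null

# Make sure the WinRM service is running, then bind an HTTPS listener (TCP 5986) to the cert.
Enable-PSRemoting -SkipNetworkProfileCheck -Force | Out-Null
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

# Enable-PSRemoting also created a plain HTTP listener; remove it so that only the TLS
# listener is exposed on an internet-facing host.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse

New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound -Protocol TCP `
    -LocalPort 5986 -Action Allow | Out-Null

# ---------- On the CLIENT (the machine you connect FROM) ----------
$dnsName = 'host01.example.test'

# Trust the server's public cert. Placing a self-signed cert in Trusted Root makes it a root
# of trust on this client, so only do this for machine certs you issued yourself.
Import-Certificate -FilePath 'C:\temp\host01-public.cer' `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# With -UseSSL the server is authenticated by its certificate, so no TrustedHosts entry is
# needed. Test-WSMan fails here if the name, the cert chain or the listener is wrong.
Test-WSMan -ComputerName $dnsName -UseSSL

$cred = Get-Credential   # a local administrator account on host01
Enter-PSSession -ComputerName $dnsName -UseSSL -Credential $cred
```

When the cert expires you repeat the remote-host half with a new cert and push the new .cer to each client, which is the renewal burden the earlier reply points out.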