winrm, HTTPS, wildcard certificate

pedro-casalinho · September 28, 2015, 3:43am

Can we use a wildcard certificate to configure WinRM with HTTPS?

donj · September 28, 2015, 3:55am

Technically, yes.

Keep in mind that the point of SSL with WinRM isn’t to provide encryption - that’s a side effect. The main point is to uniquely and positively identify the server, thus making spoofing more difficult. You just have to decide if a wildcard certificate meets that business need in your organization.

pedro-casalinho · September 28, 2015, 4:12am

The thing is
winrm create winrm/config/listener?Address=+Transport=HTTPS @{Hostname=".myDomain.local";CertificateThumbprint=“‎52D1x0x6x0x2xCx8x5x2x4x1x3x7xFx1x9x4x0x6”}
this happens: winrm : Error: Invalid use of command line. Type “winrm -?” for help.

What I’ve found is that de @hash part must be inside single quotes.
winrm create winrm/config/Listener?Address=+Transport=HTTPS ‘@{Port=“8888”}’ #Works! winrm create winrm/config/Listener?Address=+Transport=HTTPS @{Port=“8888”} #Doesn’t!

I know this because I have a no wildcard certificate and I can create a HTTPS listener without problems with default configuration, changing the port number.

If I use the single quotes ‘@{…}’ nothing happens! No HTTPs listener is created.
the subject of my wildcard certificate is E = blablabla@mail.pt CN = *.mydomain.local, OU = aaaaaa, O = AA, L = Lisbon, S = Lisbon, C = PT
and it’s valid…

donj · September 28, 2015, 4:21am

Hmm. I’ll have to research that a bit when I get some time. It’s possible WinRM is rejecting the certificate because it really is intended to uniquely identify the server. A wildcard certificate doesn’t do identity the same way as a non-wildcard cert, obviously.

The single/double quotes behavior is expected. Winrm.exe isn’t a PowerShell command; it’s running under Cmd.exe, so it kind of has its own rules.

pedro-casalinho · September 28, 2015, 8:17pm

Ok! “…isn’t a PowerShell command” This is the Key!

So, either run it in the command prompt
winrm create winrm/config/listener?Address=+Transport=HTTPS @{Hostname=".myDomain.local"; CertificateThumbprint=“xxx”}
or inside PowerShell

#region Any of these do NOT work!
winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="*.myDomain.local"; CertificateThumbprint="‎xxx"}
winrm create winrm/config/listener?Address=*+Transport=HTTPS '@{Hostname="*.myDomain.local"; CertificateThumbprint="‎xxx"}'
$_params = '@{Hostname="*.myDomain.local"; CertificateThumbprint="‎xxx"}'
winrm create winrm/config/listener?Address=*+Transport=HTTPS $_params
#endregion Does NOT work!

#region These both WORK!
#Using literal string
$_params = @"
@{Hostname="*.myDomain.local"; CertificateThumbprint="xxx"}
"@
winrm create winrm/config/listener?Address=*+Transport=HTTPS $_params
#---
#Escaping @ { } " WORKS!
winrm create winrm/config/listener?Address=*+Transport=HTTPS `@`{Hostname=`"*.myDomain.local`"`; CertificateThumbprint=`"xxx`"`}
#endregion These both WORK!

Thanks!
IT WORKS!

Topic		Replies	Views
Winrm configuration PowerShell Help	3	156	April 6, 2015
Certificate Authentication in Workgroup PowerShell Help	1	150	July 19, 2019
WinRM connection over SSL fails Win7 client to Server 2012 R2 PowerShell Help	10	172	April 6, 2016
Understanding PowerShell Remoting via HTTPS PowerShell Help	3	130	January 11, 2018
Not able to create HTTP listener in windows 7 pc PowerShell Help	8	117	January 12, 2014

winrm, HTTPS, wildcard certificate

Related Topics