Can we use a wildcard certificate to configure WinRM with HTTPS?
Technically, yes.
Keep in mind that the point of SSL with WinRM isn’t to provide encryption - that’s a side effect. The main point is to uniquely and positively identify the server, thus making spoofing more difficult. You just have to decide if a wildcard certificate meets that business need in your organization.
The thing is, when I run
winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="*.myDomain.local";CertificateThumbprint="52D1x0x6x0x2xCx8x5x2x4x1x3x7xFx1x9x4x0x6"}
this happens: winrm : Error: Invalid use of command line. Type "winrm -?" for help.
What I've found is that the @hash part must be inside single quotes.
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Port="8888"}' #Works!
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Port="8888"} #Doesn't!
I know this because I have a non-wildcard certificate and I can create an HTTPS listener without problems with the default configuration, changing the port number.
If I use the single quotes '@{…}' nothing happens! No HTTPS listener is created.
The subject of my wildcard certificate is E = blablabla@mail.pt,
CN = *.mydomain.local, OU = aaaaaa, O = AA, L = Lisbon, S = Lisbon, C = PT
and it’s valid…
Hmm. I’ll have to research that a bit when I get some time. It’s possible WinRM is rejecting the certificate because it really is intended to uniquely identify the server. A wildcard certificate doesn’t do identity the same way as a non-wildcard cert, obviously.
The single/double quotes behavior is expected. Winrm.exe isn’t a PowerShell command; it’s running under Cmd.exe, so it kind of has its own rules.
Ok! "…isn't a PowerShell command". This is the key!
So, either run it in the command prompt:
winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="*.myDomain.local"; CertificateThumbprint="xxx"}
or inside PowerShell:
#region Any of these do NOT work!
winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="*.myDomain.local"; CertificateThumbprint="xxx"}
winrm create winrm/config/listener?Address=*+Transport=HTTPS '@{Hostname="*.myDomain.local"; CertificateThumbprint="xxx"}'
$_params = '@{Hostname="*.myDomain.local"; CertificateThumbprint="xxx"}'
winrm create winrm/config/listener?Address=*+Transport=HTTPS $_params
#endregion Does NOT work!

#region These both WORK!
#Using literal string
$_params = @"
@{Hostname="*.myDomain.local"; CertificateThumbprint="xxx"}
"@
winrm create winrm/config/listener?Address=*+Transport=HTTPS $_params
#---
#Escaping @ { } " WORKS!
winrm create winrm/config/listener?Address=*+Transport=HTTPS `@`{Hostname=`"*.myDomain.local`"`; CertificateThumbprint=`"xxx`"`}
#endregion These both WORK!
Thanks!
IT WORKS!
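A PowerShell-native way to create the same HTTPS listener, added here as an example and not code from the thread: it uses the WSMan provider instead of winrm.exe, so the Cmd-style @{...} argument never has to survive two parsers, and it checks the certificate first. It assumes the wildcard certificate is installed in LocalMachine\My with CN=*.mydomain.local and uses a placeholder server FQDN.

```powershell
# Added example, not from the thread. Assumptions: wildcard cert in LocalMachine\My with
# CN=*.mydomain.local; host01.mydomain.local is a placeholder for the server's real FQDN.
$wildcardCn = '*.mydomain.local'
$serverFqdn = 'host01.mydomain.local'   # placeholder, replace with the real FQDN

# 1. Pre-flight: pick a certificate that can actually serve TLS for this listener:
#    subject CN is the wildcard name, private key present, not expired, serverAuth EKU.
$cnPattern = 'CN=' + [regex]::Escape($wildcardCn) + '(,|$)'
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -match $cnPattern -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable wildcard certificate for $wildcardCn in LocalMachine\My" }

# 2. Create the listener through the WSMan provider. Transport, Address, HostName and
#    CertificateThumbPrint are real parameters here, so no quoting tricks are needed.
#    As in the thread, HostName is the wildcard string so that it matches the cert CN.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName $wildcardCn -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 3. Verify: the listener exists, and a TLS handshake against the real FQDN succeeds
#    (a name mismatch or an expired/untrusted certificate fails at this step).
Get-ChildItem -Path WSMan:\localhost\Listener | Format-Table Name, Keys
Test-WSMan -ComputerName $serverFqdn -UseSSL -ErrorAction Stop
```

Run the Test-WSMan step from a client machine as well, since that is where the certificate chain and the name match are actually validated; port 5986 must be open on the server for it to succeed.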