winrm, HTTPS, wildcard certificate

Can we use a wildcard certificate to configure WinRM with HTTPS?

Technically, yes.

Keep in mind that the point of SSL with WinRM isn’t to provide encryption - that’s a side effect. The main point is to uniquely and positively identify the server, thus making spoofing more difficult. You just have to decide if a wildcard certificate meets that business need in your organization.

The thing is
winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="*.myDomain.local";CertificateThumbprint="52D1x0x6x0x2xCx8x5x2x4x1x3x7xFx1x9x4x0x6"}
this happens: winrm : Error: Invalid use of command line. Type "winrm -?" for help.

What I’ve found is that the @hash part must be inside single quotes.
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Port="8888"}' #Works!
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Port="8888"} #Doesn’t!

I know this because I have a non-wildcard certificate and I can create an HTTPS listener without problems with the default configuration, changing the port number.

If I use the single quotes '@{…}' nothing happens! No HTTPS listener is created.
The subject of my wildcard certificate is E =
CN = *.mydomain.local, OU = aaaaaa, O = AA, L = Lisbon, S = Lisbon, C = PT

and it’s valid…

Hmm. I’ll have to research that a bit when I get some time. It’s possible WinRM is rejecting the certificate because it really is intended to uniquely identify the server. A wildcard certificate doesn’t do identity the same way as a non-wildcard cert, obviously.

The single/double quotes behavior is expected. Winrm.exe isn’t a PowerShell command; it’s running under Cmd.exe, so it kind of has its own rules.

Ok! “…isn’t a PowerShell command” This is the Key!

So, either run it in the command prompt
winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="*.myDomain.local"; CertificateThumbprint="xxx"}
or inside PowerShell

#region Any of these do NOT work!
winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="*.myDomain.local"; CertificateThumbprint="‎xxx"}
winrm create winrm/config/listener?Address=*+Transport=HTTPS '@{Hostname="*.myDomain.local"; CertificateThumbprint="‎xxx"}'
$_params = '@{Hostname="*.myDomain.local"; CertificateThumbprint="‎xxx"}'
winrm create winrm/config/listener?Address=*+Transport=HTTPS $_params
#endregion Does NOT work!

#region These both WORK!
#Using a here-string (the closing "@ must start its own line)
$_params = @"
@{Hostname="*.myDomain.local"; CertificateThumbprint="xxx"}
"@
winrm create winrm/config/listener?Address=*+Transport=HTTPS $_params
#Escaping @ { } " WORKS!
winrm create winrm/config/listener?Address=*+Transport=HTTPS `@`{Hostname=`"*.myDomain.local`"`; CertificateThumbprint=`"xxx`"`}
#endregion These both WORK!
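
An added example, not part of the thread: the same HTTPS listener created with PowerShell's own WSMan cmdlets, which accept hashtables directly and so avoid the winrm.exe quoting problem discussed above. The function name `New-WinRMHttpsListener` and the placeholder hostname and thumbprint are assumptions made for illustration.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
function New-WinRMHttpsListener {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Hostname,
        [Parameter(Mandatory)] [string] $Thumbprint
    )

    # A thumbprint pasted from the certificate dialog can carry spaces or an
    # invisible leading character, so keep hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits in the thumbprint, found $($clean.Length)."
    }

    # The listener certificate must be in the local machine's personal store.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$clean" -ErrorAction Stop
    $now  = Get-Date
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key.' }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw 'Certificate is outside its validity period.' }

    # If an EKU extension is present it must include Server Authentication.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1')) {
        throw 'Certificate is not valid for Server Authentication.'
    }

    # Hashtables are passed as objects, so no @{...} string has to survive
    # PowerShell's argument parsing on its way to winrm.exe.
    $selector = @{ Address = '*'; Transport = 'HTTPS' }
    $values   = @{ Hostname = $Hostname; CertificateThumbprint = $clean }
    New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selector -ValueSet $values | Out-Null

    # Return the listener as WinRM stored it, so the result can be inspected.
    Get-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selector
}

# Placeholder values (assumptions); substitute the real certificate's thumbprint.
# New-WinRMHttpsListener -Hostname '*.myDomain.local' -Thumbprint '<40-hex-digit thumbprint>'
```

The pre-checks fail with a specific message before the listener is created, which is easier to diagnose than a command that silently creates nothing.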