Automatically reconfigure WinRM HTTPS listener with new certificate?

https powershell remote-access winrm credssp

Solution 1:

I have recently put together a short script in order to do the same thing you are trying to accomplish, here are the relevant parts. Be aware that you will get an error at the end as the Invoke-Command is going to reset the WinRM service while you are waiting for the result of the Restart-Service command...

$yourCred = Get-Credential domain\account
$yourServer = "your.server.fqdn"

$LatestThumb = Invoke-Command -ComputerName $yourServer `
                            -Credential $yourCred `
                            -ScriptBlock {
                                Get-ChildItem -Path Cert:\LocalMachine\My |
                                Where-Object {$_.subject -match "CN=$yourServer"} |
                                Sort-Object -Property NotAfter |
                                Select-Object -Last 1 -ExpandProperty Thumbprint
                            }

Set-WSManInstance -ResourceURI winrm/config/Listener `
                  -SelectorSet @{Address="*";Transport="HTTPS"} `
                  -ComputerName $yourServer `
                  -Credential $yourCred `
                  -ValueSet @{CertificateThumbprint=$LatestThumb}

Invoke-Command -ComputerName $yourServer `
               -Credential $yourCred `
               -ScriptBlock { Restart-Service -Force -Name WinRM }

This is running against Server 2008 R2, with Posh v3. I would bet it works against Server 2012, but it may need some work for v2.

Solution 2:

You would normally use the Set-WSManQuickConfig -UseSSL command to configure the SSL certificate on the WinRM service. Alternatively, you can manually use Set-Item to configure the thumbprint on the WinRM service. See below for an example.

Set-Location -Path WSMan:\localhost\Service;
Set-Item -Path .\CertificateThumbprint -Value 'THUMBPRINT';

NOTE: Make sure that you are deploying the latest version of the Windows Management Framework Core (includes PowerShell). I recently encountered an issue with a customer where the Set-WSManQuickConfig cmdlet was not correctly identifying a valid SSL certificate in the certificate store.

Solution 3:

I realize this post is old, but I wanted to share a solution I came up with. On our CA, I created a Certificate Template that renews with the same key. compatibility settings must be CA server 2012 R2 or higher, to get the option for Renew with the same key. I made the Cert Auto Enroll.

here is the script I put together. I created an SCCM package that runs it on a schedule.

if (dir wsman:\localhost\listener | where {$_.Keys -like "Transport=https*"})
{
Write-Host "Already enabled"
exit
}
Else
{
#Variables
$zone = ".yourdomain.com"
$fqdn = "$env:computername$zone"
$Thumbprint = certutil -store My "Cert Template Name" | findstr /c:"Cert Hash(sha1)"
# removing cert hash(sha1): and the space after it
$discard,$keep=$Thumbprint.split(":")
$TP = $Keep -replace '\s',''
#enable WinRM HTTPS
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="'"$fqdn"'"; CertificateThumbprint="'"$TP"'"}'
}

Hopefully this helps anyone thats looking to implement this domain wide.

Related

Why is this tee losing stdout?
What's the default hash format / algorithm of Active Directory?
Hardware vendors to avoid
How do I add permissions to group to match user permissions?
Are 6Gb/s SAS drives compatible with 3Gb/s SAS interfaces?
How can I password prompt certain IPs and allow all others free access using Apache?
How to migrate Samba User Accounts to a new linux server?
hashicorp vault - load pre-existing CA certificate into PKI engine
How can I check if IP is a Tor exit node?
Automatic subdomain wildcard for DHCP-DDNS additions?
Is an MX-record required on a domain to send emails only?
nginx 404 instead of 403 for empty directory