Automatically reconfigure WinRM HTTPS listener with new certificate?

Solution 1:

I have recently put together a short script to do the same thing you are trying to accomplish; here are the relevant parts. Be aware that you will get an error at the end, as the Invoke-Command is going to reset the WinRM service while you are waiting for the result of the Restart-Service command...

$yourCred = Get-Credential domain\account
$yourServer = "your.server.fqdn"

# Find the thumbprint of the certificate in the remote machine store whose subject CN
# is the server FQDN and which expires last. $using: (PowerShell 3.0+) is required so
# the local $yourServer value is visible inside the remote scriptblock; without it
# the remote filter would compare against "CN=" and match every certificate.
$LatestThumb = Invoke-Command -ComputerName $yourServer `
                            -Credential $yourCred `
                            -ScriptBlock {
                                Get-ChildItem -Path Cert:\LocalMachine\My |
                                Where-Object {$_.Subject -match "CN=$using:yourServer"} |
                                Sort-Object -Property NotAfter |
                                Select-Object -Last 1 -ExpandProperty Thumbprint
                            }

# Point the existing HTTPS listener (Address=*) at the new certificate
Set-WSManInstance -ResourceURI winrm/config/Listener `
                  -SelectorSet @{Address="*";Transport="HTTPS"} `
                  -ComputerName $yourServer `
                  -Credential $yourCred `
                  -ValueSet @{CertificateThumbprint=$LatestThumb}

# Restart WinRM so the listener picks up the change; this tears down the remoting
# session Invoke-Command is waiting on, which is the error mentioned above
Invoke-Command -ComputerName $yourServer `
               -Credential $yourCred `
               -ScriptBlock { Restart-Service -Force -Name WinRM }

This is running against Server 2008 R2, with Posh v3. I would bet it works against Server 2012, but it may need some work for v2.

Solution 2:

You would normally use the Set-WSManQuickConfig -UseSSL command to configure the SSL certificate on the WinRM service. Alternatively, you can manually use Set-Item to configure the thumbprint on the WinRM service. See below for an example.

# Set the service certificate thumbprint directly through the WSMan: provider
Set-Location -Path WSMan:\localhost\Service
Set-Item -Path .\CertificateThumbprint -Value 'THUMBPRINT'

NOTE: Make sure that you are deploying the latest version of the Windows Management Framework Core (includes PowerShell). I recently encountered an issue with a customer where the Set-WSManQuickConfig cmdlet was not correctly identifying a valid SSL certificate in the certificate store.

Solution 3:

I realize this post is old, but I wanted to share a solution I came up with. On our CA, I created a Certificate Template that renews with the same key. Compatibility settings must be CA Server 2012 R2 or higher to get the option for Renew with the same key. I made the cert auto-enroll.

Here is the script I put together. I created an SCCM package that runs it on a schedule.

if (Get-ChildItem WSMan:\localhost\Listener | Where-Object {$_.Keys -like "Transport=HTTPS*"})
{
    Write-Host "Already enabled"
    exit
}
Else
{
    #Variables
    $zone = ".yourdomain.com"
    $fqdn = "$env:computername$zone"
    # certutil lists every cert in the machine store issued from the named template;
    # keep only its "Cert Hash(sha1): xx xx ..." lines (one per matching cert)
    $HashLines = certutil -store My "Cert Template Name" | Select-String -SimpleMatch "Cert Hash(sha1)"
    if (-not $HashLines)
    {
        Write-Host "No certificate from the template found in the machine store"
        exit 1
    }
    # use the last match, then remove "Cert Hash(sha1):" and the spaces between the byte pairs
    $discard,$keep = ($HashLines | Select-Object -Last 1).Line.Split(":")
    $TP = $keep -replace '\s',''
    #enable WinRM HTTPS
    $ValueSet = "@{Hostname=`"$fqdn`"; CertificateThumbprint=`"$TP`"}"
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS $ValueSet
}

Hopefully this helps anyone that's looking to implement this domain wide.
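
As an added example that is not part of any of the answers above, the following local script combines what Solution 1 (rebind an existing listener) and Solution 3 (create the listener if missing) each do separately into one idempotent run, and adds the checks a renewal script should make before binding a certificate: private key present, validity period current, name matches the host, and Server Authentication EKU. It assumes it runs elevated on the target host under PowerShell 3.0 or later (for the WSMan: provider and the DnsNameList / EnhancedKeyUsageList properties on Cert: items) and that DNS resolves the local computer name to its FQDN; those assumptions are marked in the comments.

```powershell
# Added example; not code from any of the answers above.
# Assumptions: elevated, PowerShell 3.0+, DNS resolves $env:COMPUTERNAME to the FQDN.

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$now = Get-Date
$cnPattern = 'CN=' + [regex]::Escape($fqdn) + '(,|$)'

# Pick the newest certificate that can actually serve TLS for this host:
# private key present, currently valid, name matches (subject CN or SAN dNSName),
# and either no EKU at all or an EKU list that includes Server Authentication.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.Subject -match $cnPattern -or $_.DnsNameList.Unicode -contains $fqdn) -and
        (-not $_.EnhancedKeyUsageList -or $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No usable server-authentication certificate for $fqdn in Cert:\LocalMachine\My"
}

# Existing HTTPS listener, if any (first one wins if several are bound to specific addresses)
$listener = Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Select-Object -First 1

if (-not $listener) {
    New-WSManInstance -ResourceURI winrm/config/Listener `
                      -SelectorSet @{Address = '*'; Transport = 'HTTPS'} `
                      -ValueSet @{Hostname = $fqdn; CertificateThumbprint = $cert.Thumbprint} | Out-Null
    Write-Host "Created HTTPS listener bound to $($cert.Thumbprint)"
}
else {
    # Rebuild the selector set from the listener's own keys (e.g. Address=*, Transport=HTTPS)
    # instead of assuming Address=*, so an IP-bound listener is updated correctly too.
    $selectors = @{}
    foreach ($key in $listener.Keys) {
        $name, $value = $key -split '=', 2
        $selectors[$name] = $value
    }

    $current = (Get-Item -Path "WSMan:\localhost\Listener\$($listener.Name)\CertificateThumbprint").Value
    # Compare with whitespace removed; -eq on strings is case-insensitive in PowerShell
    if (($current -replace '\s', '') -eq $cert.Thumbprint) {
        Write-Host "HTTPS listener already bound to $($cert.Thumbprint); nothing to do"
        return
    }

    Set-WSManInstance -ResourceURI winrm/config/Listener `
                      -SelectorSet $selectors `
                      -ValueSet @{CertificateThumbprint = $cert.Thumbprint} | Out-Null
    Write-Host "Rebound HTTPS listener from $current to $($cert.Thumbprint)"
}

# Restart so the service serves the new certificate. Run this locally (scheduled task,
# SCCM, GPO startup script), not through a remote Invoke-Command, which would drop the
# very session that is waiting for the result.
Restart-Service -Name WinRM -Force
```

Because the script exits before the restart when the bound thumbprint already matches, it can run on a schedule alongside auto-enrollment without bouncing WinRM on every run; the restart only happens on the run that actually rebinds the listener after a renewal.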