Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

PowerShell remoting over HTTPS using self-signed SSL certificate

This is a step by step guide and will show you how to use HTTPS port  and self signed SSL certificate while using Powershell Remoting. On the PSRemoting regards I had already written one article in the past POWERSHELL PS REMOTING BETWEEN STANDALONE WORKGROUP COMPUTERS, When you use WinRM PSRemoting, it uses default HTTP 5985 port for connection and SSL is not used, If I try to use Enter-PSSession command with -UseSSL syntax which Indicates that it will use Secure Sockets Layer (SSL) protocol to establish a connection to the remote computer. WS-Management encrypts all Windows PowerShell content transmitted over the network. If you use this parameter, but SSL is not configured, the command fails with below error.

Enter-PSSession -ComputerName <FQDN_IP> -UseSSL 

Enter-PSSession : Connecting to remote server psserver01 failed with the following error message : The client cannot
connect to the destination specified in the request. Verify that the service on the destination is running and is
accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most
commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to
analyze and configure the WinRM service: "winrm quickconfig". For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName psserver01 -UseSSL
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (psserver01:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Series
POWERSHELL PS REMOTING BETWEEN STANDALONE WORKGROUP COMPUTERS
PowerShell remoting over HTTPS using self-signed SSL certificate
Configure Powershell WinRM to use OpenSSL generated Self-Signed certificate
Powershell WinRM HTTPs CA signed certificate configuration
Powershell Generate Self-signed certificate with Self-Signed Root CA Signer

The -UseSSL parameter is an additional protection that sends the data across an HTTPS connection instead of an HTTP connection. If I don't use -UseSSL parameter everything is successful as you can see on below screenshot.

Powershell as administrator hostname environment env computername Enter-PSSession -ComputerName -UseSSL WinRM Service IIS winrm quickconfig ssl certificate port 5985 and 5986 psremoting error successful.png

To start configuring SSL certificate, first step is requirement of certificate, which can be self signed or CA certificate. As this is a Lab proof of concept (POC), I am using powershell command to create one cert, Dns name should be matching current hostname as DNSName for self-signed certificate.

$hostName = $env:COMPUTERNAME
$serverCert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $hostName

Verify the thumbprint of the newly created certificate, it is located under Local machine personal certificate store.

$serverCert 

Powershell As Administrator $env COMPUTERNAME  New-SelfSignedCertificate -CertStoreLocation -DnsName Personal Certificate ssl ThumbPrint Powershell remoting winrm wsman self signed SSL certificate MMC.png

Creation of self signed SSL certificate is successful and it will be needed on the last steps, I am exporting it on remote share drive using below command.

Export-Certificate -Cert $serverCert -FilePath \\fileshare\cert\PsRemoting-Cert.cer

Next verify and check on fileshare for exported certificate that is exported successfully.

Get-ChildItem \\fileshare\Cert\PsRemoting-Cert.cer

You can enable powershell remoting now, Although this command might not be required to run on newer version of windows OS, because remoting is by default enabled.

Enable-PSRemoting -Force

Running above command will update WinRM for remote management, WinRM service type will set and change to delayed auto start and it will be started, and in the last 
It creates a WinRM listener on https://* to accept WS-Man requests to any IP for this machine, we will start working on it

Default TCP ports for Powershell Remoting are HTTP - 5985 and HTTPS - 5986. You will always find one default listener (PS-Remoting endpoint) created with name {Transport=HTTPs, Address=*}. Below command helps to view the listener, it is located under PSDrive WsMan.

Get-ChildItem wsman:\localhost\Listener

Windows Powershell Export-Certificate -cert filepath get-childitem ssl https certificate Enable-PSRemoting -Force Get-childitem tranport http powershel remoting psremote winrm.png

I am going to remove this default HTTP listener. for security reason I will only use HTTPS port to connect. HTTPS can coexist with HTTP.

Get-ChildItem wsman:\localhost\Listener\ | Where-Object -Property Keys -eq 'Transport=HTTP' | Remove-Item -Recurse

Re-verify that no listener is available, running below command again.

Get-ChildItem wsman:\localhost\Listener

Create a new listener with previously created SSL certificate. 

New-Item -Path WSMan:\localhost\Listener\ -Transport HTTPS -Address * -CertificateThumbPrint $serverCert.Thumbprint -Force

Rerun the command to verify new setting on the listener, There should be new HTTPS listener created.

Get-ChildItem wsman:\localhost\Listener

Administrator Windows Powershell Get-Childitem wsman listener psdrive transport http remove-item -recurse where-Object keys WSMAN psremoting wsmanconfig management New-item certificate thumbprint.png

Although I have disabled firewall completely on my lab server, but in case windows software Firewall is enabled in your environment on the server, you will need to create a new rule in firewall to allow traffic through TCP port number 5986. It will be Inbound rule for Windows Remote Management via WS-Management. [TCP 5986].

New-NetFirewallRule -Displayname 'WinRM - Powershell remoting HTTPS-In' -Name 'WinRM - Powershell remoting HTTPS-In' -Profile Any -LocalPort 5986 -Protocol TCP

You can verify the same on Windows Firewall with Advanced Security, Inbound rules settings.

Microsoft Powershell Net-NetFirewallRule Windows Firewall with Advanced Security -Displayname -profile -LocalPort 5986 -Protocol TCP Psremoting winrm wsman configuration ssl https certificate Self Signed.png

Although restarting WinRM service is not required, but still restart it using command to take effect, you can also use Services.msc - Windows Remote Management (WS-Management).

Restart-Service WinRM

Microsoft Windows Powershell command administration remoting psremoting winrm restart-service -name WinRM Services local restart stop Widnows remote management (ws-management) ssl self singed certificate.png

On the other computer from where you want to try remote use command Enter-PSSession <ComputerName> -UseSSL, it might fail again, it will show another error message. As we removed default listener in earlier commands, remoting will not even work without -UseSSL syntax.

Enter-PSSession : Connecting to remote server psserver01 failed with the following error message : The server
certificate on the destination computer (psserver01:5986) has the following errors:
The SSL certificate is signed by an unknown certificate authority. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession adserver001 -UseSSL
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (adserver001:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

This error is receiving because certificate is self signed and not trusted, for a testing purpose we can skip certificate check to test PSRemoting as below.

$sessionOptions = New-PSSessionOption -SkipCACheck
Enter-PSSession -ComputerName <FQDN_HostName> -UseSSL -SessionOption $sessionOptions

Microsoft Windows Powershell Hostname Enter-PSSession -UseSSL -SessionOption New-PSSessionOption -SkipCACheck .png Remote winrm management  wsman psdrive psprovider Powershell remoting psremoting ws-man

Above command add one line to the script, to avoid it, if you have admin access you can trust the self-signed cert, you will need it to import to Trusted Root Certification Authorities, run command.

Import-Certificate -FilePath \\fileshare\Cert\PsRemoting-Cert.cer -CertStoreLocation Cert:\LocalMachine\root\

Once imported verifiy the certificate thumbprint and try psremoting.

Enter-PSSession -Computername <FQDN> -UseSSL

Powershell windows Administrator Import-Certificate -FilePath -CertStoreLocation Cert psdrive psprovider ssl certificate https 5986 thumbprint Enter-PSSession -UseSSL Trusted Root Certification authorities.png

Useful Articles
Generate new self-signed certificates for ESXi using OpenSSL
Push SSL certificates to client computers using Group Policy
Replacing a default ESXi certificate with a CA-Signed certificate
Troubleshooting replacing a corrupted certificate on Esxi server
How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi
How to replace default vCenter VMCA certificate with Microsoft CA signed certificate

Go Back



Comment

Blog Search

Page Views

2819893

Follow me on Blogarama