SSL Cert for Powershell Remoting - 2018 approach advice?


This topic contains 6 replies, has 4 voices, and was last updated by a Participant 1 month, 1 week ago.

  • #120613

    Participant
    Points: 40
    Rank: Member

    I am currently working in a non-domain environment where I can connect to remote machines over site-to-site VPN on some occasions, but worst-case it must be over the internet. I am working through the Secrets of PowerShell Remoting book and I am in the section about creating an SSL cert.

    I was looking at using ZeroSSL or Let's Encrypt to keep costs down. ZeroSSL isn't giving me many options on the "server role" choices. It is basically prompting me for a domain. Has anyone used these services for an SSL cert to be used in a similar manner? If so, can you provide guidance on the certificate creation parameters?

    I guess I am not sure how to approach the domain problem when I have a bunch of "loose" endpoints, besides paying $$ for an SSL cert from DigiCert (or similar) with an "Other" role for the server.


  • #120663

    Participant
    Points: 312
    Helping Hand
    Rank: Contributor

    Well, PKI is a whole conversation by itself, and using it the right way with PS and remoting is a regular conversation.

    If you are not using a public cert, then you have to get your cert on each remote host you plan on hitting and then be able to update them when they expire.

    https://www.netometer.com/blog/?p=1758

    Along with the resource(s) you are already using, there are lots of articles on the topic, for example:

    https://blogs.technet.microsoft.com/uktechnet/2016/02/11/configuring-winrm-over-https-to-enable-powershell-remoting

    https://blogs.technet.microsoft.com/scotts-it-blog/2014/12/30/working-with-certificates-in-powershell

    PowerShell Remoting over HTTPS with a self-signed SSL certificate

    I don't have anything specific for ZeroSSL, but here is info you can leverage for LetsEncrypt.

    Get a free publicly trusted certificate using Let's Encrypt, PowerShell and DNS

    Improved Powershell script for Let's Encrypt certificate renewals

    • #120843

      Participant
      Points: 40
      Rank: Member

      Thank you for the reply. You've provided me with several additional resources to help guide my journey, so I better get to reading. I appreciate all the help.

  • #120738

    Participant
    Points: 819
    Helping Hand
    Rank: Major Contributor

    Did you try OpenSSL? I use it to create certificates when I don't want to pay for them, and it has a ton of options which makes almost all use cases possible.

    • #120846

      Participant
      Points: 40
      Rank: Member

      I will definitely check out OpenSSL as a provider. Thank you for the suggestion.

  • #120867

    Participant
    Points: 21
    Rank: Member

    While it's not obvious at first sight, you can generate self-signed certificates with the Certificates MMC snap-in. My UI is in French but I will try to translate: right-click on your personal certificates folder, All Tasks => Advanced Operations => Create Custom Request. Then, once you're asked to choose an enrollment policy, choose "Proceed without enrollment policy". On the next window you have to choose the key generation model and certificate request format; leave them as default (CNG and PKCS#10 respectively). You can check the "Suppress default extensions" checkbox if you so desire.

    Then you're presented with the certificate properties window, where you can choose whatever properties you want, mark/unmark some extensions as critical, define the extended key usage, validity period, and many other things. Once you have finished and clicked Next, at some point you will be asked where to save an offline certificate request file; save it wherever you want, you won't need it afterwards and can delete it.

    Once the process is finished, go to your Certificate Enrollment Requests folder; your self-signed certificate is inside. Drag it to your personal certificates folder, and voilà, you have your own custom, self-signed certificate with its associated private key.

    HTH,

  • #120892

    Participant
    Points: 312
    Helping Hand
    Rank: Contributor

    You can create a Self-Signed cert directly using PS as well.

    # you need PSv4x to do this
    # Open PS as admin

    # Create the self-signed cert in the machine store (use the DNS name clients will connect to)
    $cert = New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName testcert.domain.com
    # Password that protects the private key inside the exported .pfx file
    $pwd = ConvertTo-SecureString -String 'passw0rd!' -Force -AsPlainText
    # Export the cert together with its private key as a password-protected .pfx
    $path = 'cert:\localMachine\my\' + $cert.Thumbprint
    Export-PfxCertificate -Cert $path -FilePath c:\temp\cert.pfx -Password $pwd

    Note that the c:\temp directory, or whatever directory you specify in the -FilePath parameter, must already exist. You can now import the cert.pfx file to install the certificate.

    If you are on a legacy version, makecert or .NET is the way to do this.

    https://msdn.microsoft.com/library/windows/desktop/aa386968.aspx
    https://social.technet.microsoft.com/wiki/contents/articles/4714.how-to-generate-a-self-signed-certificate-using-powershell.aspx

    In either case, for the remote host to trust any non-public cert, you still must install it there in the appropriate store.
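    The whole flow the thread is circling around (self-signed cert on the remote host, an HTTPS WinRM listener bound to it, and the client trusting that cert so no TrustedHosts entry is needed), as an added end-to-end example that is not code from any of the posters. The host name remotehost.example and the C:\temp paths are assumptions; C:\temp must already exist, as noted above.

```powershell
# --- On the REMOTE host (run PowerShell as Administrator) ---------------------
# Assumed name the client will use to reach this machine. It must match -DnsName,
# otherwise the client rejects the certificate on a host-name mismatch.
$hostName = 'remotehost.example'   # assumption, not from the thread

# 1. Self-signed certificate in the machine store, valid for two years.
$cert = New-SelfSignedCertificate -DnsName $hostName `
            -CertStoreLocation 'Cert:\LocalMachine\My' `
            -NotAfter (Get-Date).AddYears(2)

# 2. Make sure WinRM is running, then bind an HTTPS listener (TCP 5986) to the cert.
Enable-PSRemoting -SkipNetworkProfileCheck -Force
New-Item -Path 'WSMan:\localhost\Listener' -Transport HTTPS -Address * `
         -CertificateThumbprint $cert.Thumbprint -Force | Out-Null
New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound `
         -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

# 3. Export only the PUBLIC part (DER .cer, no private key) to hand to clients.
Export-Certificate -Cert $cert -FilePath "C:\temp\$hostName.cer" | Out-Null

# Optional hardening once HTTPS works: remove the plaintext HTTP listener (5985).
# Get-ChildItem 'WSMan:\localhost\Listener' |
#     Where-Object Keys -contains 'Transport=HTTP' | Remove-Item -Recurse

# --- On the CLIENT ------------------------------------------------------------
# 4. Trust the public cert. Because the certificate proves the server's identity,
#    the host does NOT have to be added to the WSMan TrustedHosts list.
Import-Certificate -FilePath "C:\temp\$hostName.cer" `
                   -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. Verify the TLS listener answers and the certificate is accepted ...
Test-WSMan -ComputerName $hostName -UseSSL

# 6. ... then open an encrypted session using a local account on the remote host.
$s = New-PSSession -ComputerName $hostName -UseSSL -Credential (Get-Credential)
Invoke-Command -Session $s -ScriptBlock { $env:COMPUTERNAME }
Remove-PSSession $s
```

    When the self-signed cert nears its -NotAfter date, repeat steps 1 and 2 with a new cert and re-distribute the new .cer to every client; this is the renewal burden the second reply refers to.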
