Author Posts

September 28, 2015 at 9:13 am

Can we use a wildcard certificate to configure WinRM with HTTPS?

September 28, 2015 at 9:25 am

Technically, yes.

Keep in mind that the point of SSL with WinRM isn't to provide encryption – that's a side effect. The main point is to uniquely and positively identify the server, thus making spoofing more difficult. You just have to decide if a wildcard certificate meets that business need in your organization.

September 28, 2015 at 9:42 am

The thing is
winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="*.myDomain.local";CertificateThumbprint="‎52D1x0x6x0x2xCx8x5x2x4x1x3x7xFx1x9x4x0x6"}
this happens: winrm : Error: Invalid use of command line. Type "winrm -?" for help.

What I've found is that de @hash part must be inside single quotes.
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Port="8888"}' #Works!
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Port="8888"} #Doesn't!

I know this because I have a *no* wildcard certificate and I can create a HTTPS listener without problems with default configuration, changing the port number.

If I use the single quotes '@{...}' nothing happens! No HTTPs listener is created.
the subject of my wildcard certificate is E = blablabla@mail.pt
CN = *.mydomain.local, OU = aaaaaa, O = AA, L = Lisbon, S = Lisbon, C = PT

and it's valid...

September 28, 2015 at 9:51 am

Hmm. I'll have to research that a bit when I get some time. It's possible WinRM is rejecting the certificate because it really is _intended_ to uniquely identify the server. A wildcard certificate doesn't do identity the same way as a non-wildcard cert, obviously.

The single/double quotes behavior is expected. Winrm.exe isn't a PowerShell command; it's running under Cmd.exe, so it kind of has its own rules.

September 29, 2015 at 1:47 am

Ok! "...isn't a PowerShell command" This is the Key! 🙂

So, either run it in the command prompt
winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="*.myDomain.local"; CertificateThumbprint="xxx"}
or inside PowerShell

#region Any of these do NOT work!
winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="*.myDomain.local"; CertificateThumbprint="‎xxx"}
winrm create winrm/config/listener?Address=*+Transport=HTTPS '@{Hostname="*.myDomain.local"; CertificateThumbprint="‎xxx"}'
$_params = '@{Hostname="*.myDomain.local"; CertificateThumbprint="‎xxx"}'
winrm create winrm/config/listener?Address=*+Transport=HTTPS $_params
#endregion Does NOT work!

#region These both WORK!
#Using literal string
$_params = @"
@{Hostname="*.myDomain.local"; CertificateThumbprint="xxx"}
"@
winrm create winrm/config/listener?Address=*+Transport=HTTPS $_params
#---
#Escaping @ { } " WORKS!
winrm create winrm/config/listener?Address=*+Transport=HTTPS `@`{Hostname=`"*.myDomain.local`"`; CertificateThumbprint=`"xxx`"`}
#endregion These both WORK!

Thanks!
IT WORKS!