winrm, HTTPS, wildcard certificate


This topic contains 4 replies, has 2 voices, and was last updated by Pedro Casalinho 1 year ago.

  • Author
  • #30187
    Pedro Casalinho

    Can we use a wildcard certificate to configure WinRM with HTTPS?

  • #30189
    Don Jones

    Technically, yes.

    Keep in mind that the point of SSL with WinRM isn't to provide encryption – that's a side effect. The main point is to uniquely and positively identify the server, thus making spoofing more difficult. You just have to decide if a wildcard certificate meets that business need in your organization.
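What a wildcard certificate does and does not prove about the endpoint, as an added example that is not part of the thread (PowerShell; the host names, the IP address and the credential prompt are assumptions). The function applies the wildcard-matching rule a TLS client uses to the names you might connect with, and the session setup shows the client-side check that makes the certificate worth having, next to the options that switch it off.

```powershell
# Added example (not from the thread). Shows what a wildcard certificate proves
# about a WinRM HTTPS endpoint and how the client enforces it.

# Wildcard matching as a TLS client applies it (RFC 6125): "*." covers exactly one
# left-most DNS label, never the bare domain, a deeper sub-domain, or an IP address.
function Test-CertNameMatch {
    param(
        [Parameter(Mandatory)][string]$CertName,   # CN or SAN dNSName from the certificate
        [Parameter(Mandatory)][string]$ConnectTo   # name the client actually connects with
    )
    if ([System.Net.IPAddress]::TryParse($ConnectTo, [ref]$null)) { return $false }
    if ($CertName.StartsWith('*.')) {
        $suffix     = $CertName.Substring(2)
        $wantLabels = $suffix.Split('.').Count + 1
        return ($ConnectTo.Split('.').Count -eq $wantLabels) -and
               $ConnectTo.EndsWith('.' + $suffix, [StringComparison]::OrdinalIgnoreCase)
    }
    return [string]::Equals($CertName, $ConnectTo, [StringComparison]::OrdinalIgnoreCase)
}

# Assumed names: only the FQDN directly under the wildcard domain is covered.
foreach ($name in 'srv01.mydomain.local', 'srv01', 'mydomain.local',
                  'a.srv01.mydomain.local', '10.0.0.5') {
    '{0,-25} {1}' -f $name, (Test-CertNameMatch -CertName '*.mydomain.local' -ConnectTo $name)
}

# Client side: connect by the FQDN the certificate covers, so the CA-chain check and
# the name check both run. A host answering on that name with a different
# certificate is refused, which is the spoofing protection the answer describes.
$server = 'srv01.mydomain.local'           # assumed
$cred   = Get-Credential                   # prompts; assumed domain account
$session = New-PSSession -ComputerName $server -UseSSL -Credential $cred

# Weak configuration, shown only for contrast: these options disable the identity
# check, leaving just the encryption "side effect". Do not use this in production.
$noIdentity = New-PSSessionOption -SkipCACheck -SkipCNCheck
$weakSession = New-PSSession -ComputerName '10.0.0.5' -UseSSL -Credential $cred -SessionOption $noIdentity
```

In the loop only srv01.mydomain.local matches: the short name, the bare domain, a deeper sub-domain and the IP address all fail, so clients must connect by a FQDN the wildcard actually covers, and any automation that connects by IP or NetBIOS name will either fail the check or be "fixed" with -SkipCNCheck, which throws the identity guarantee away.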

  • #30193
    Pedro Casalinho

    The thing is, when I run
    winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="*.myDomain.local";CertificateThumbprint="‎52D1x0x6x0x2xCx8x5x2x4x1x3x7xFx1x9x4x0x6"}
    this happens:
    winrm : Error: Invalid use of command line. Type "winrm -?" for help.

    What I've found is that the @hash part must be inside single quotes.
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Port="8888"}' #Works!
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Port="8888"} #Doesn't!

    I know this because I have a non-wildcard certificate and I can create an HTTPS listener without problems with the default configuration, changing the port number.

    If I use the single quotes '@{...}' nothing happens! No HTTPS listener is created.
    The subject of my wildcard certificate is E =
    CN = *.mydomain.local, OU = aaaaaa, O = AA, L = Lisbon, S = Lisbon, C = PT

    and it's valid...

  • #30194
    Don Jones

    Hmm. I'll have to research that a bit when I get some time. It's possible WinRM is rejecting the certificate because it really is _intended_ to uniquely identify the server. A wildcard certificate doesn't do identity the same way as a non-wildcard cert, obviously.

    The single/double quotes behavior is expected. Winrm.exe isn't a PowerShell command; it's running under Cmd.exe, so it kind of has its own rules.

  • #30208
    Pedro Casalinho

    OK! "...isn't a PowerShell command". This is the key! 🙂

    So, either run it in the command prompt:
    winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="*.myDomain.local"; CertificateThumbprint="xxx"}
    or, inside PowerShell:

    #region Any of these do NOT work!
    winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="*.myDomain.local"; CertificateThumbprint="‎xxx"}
    winrm create winrm/config/listener?Address=*+Transport=HTTPS '@{Hostname="*.myDomain.local"; CertificateThumbprint="‎xxx"}'
    $_params = '@{Hostname="*.myDomain.local"; CertificateThumbprint="‎xxx"}'
    winrm create winrm/config/listener?Address=*+Transport=HTTPS $_params
    #endregion Does NOT work!
    #region These both WORK!
    # Using a here-string (the closing "@ must be the first thing on its own line)
    $_params = @"
    @{Hostname="*.myDomain.local"; CertificateThumbprint="xxx"}
    "@
    winrm create winrm/config/listener?Address=*+Transport=HTTPS $_params
    # Escaping @ { } " ; with backticks WORKS!
    winrm create winrm/config/listener?Address=*+Transport=HTTPS `@`{Hostname=`"*.myDomain.local`"`; CertificateThumbprint=`"xxx`"`}
    #endregion These both WORK!
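The same listener creation done from PowerShell through the WSMan cmdlets, as an added example that is not part of the thread. New-WSManInstance is the cmdlet equivalent of winrm create, and because its selector and value sets are real PowerShell hashtables the cmd-style quoting that the posts above fight with never comes into play; the stop-parsing token --% (PowerShell 3 and later) is shown as the alternative if you want to keep winrm.exe. One caveat worth ruling out before blaming quoting: several of the failing commands in this thread carry an invisible U+200E left-to-right mark in front of the thumbprint, the character the certificate MMC inserts when you copy the Thumbprint field, and winrm will not accept a thumbprint that contains it, so the example normalises the value first. The thumbprint below is constructed, and the store path, the firewall rule (New-NetFirewallRule needs Windows 8 / Server 2012 or later) and the host names are assumptions.

```powershell
# Added example (not from the thread). Creates the WinRM HTTPS listener from
# PowerShell via the WSMan cmdlets; the thumbprint is constructed and the
# store path, names and firewall rule are assumptions.

# Thumbprints copied from the certificate MMC often carry an invisible U+200E
# (left-to-right mark) and spaces. winrm rejects such a value, so strip anything
# that is not a hex digit and insist on the 40 characters a SHA-1 thumbprint has.
function Get-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Thumbprint is not 40 hex characters after cleaning: '$clean'"
    }
    return $clean
}

# Constructed input: a placeholder thumbprint with the hidden mark in front of it.
$pasted = "$([char]0x200E)0123456789ABCDEF0123456789ABCDEF01234567"
$thumb  = Get-CleanThumbprint -Thumbprint $pasted

# The certificate must sit in the machine store with its private key and be usable
# for server authentication; otherwise WinRM fails with a vague error or silently.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert)               { throw "No certificate $thumb in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key" }
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
    throw "Certificate $thumb lacks the Server Authentication EKU"
}

# The listener Hostname must match what the certificate says. For a wildcard cert
# that is the CN itself (e.g. *.mydomain.local), which is what the post above uses,
# so read it from the certificate instead of retyping it.
$listenerHost = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

# Same operation as 'winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{...}',
# but the hashtables are PowerShell objects, so no quoting or escaping is involved.
New-WSManInstance -ResourceURI 'winrm/config/Listener' `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet    @{ Hostname = $listenerHost; CertificateThumbprint = $thumb }

# If you prefer winrm.exe: the stop-parsing token --% hands the rest of the line to
# the executable untouched (no variable expansion, no backticks). <40 hex> is a
# placeholder for the cleaned thumbprint.
#   winrm create winrm/config/Listener?Address=*+Transport=HTTPS --% @{Hostname="*.mydomain.local";CertificateThumbprint="<40 hex>"}

# Open the default HTTPS port and confirm the listener answers over TLS, by FQDN,
# so the client's certificate name check actually runs.
New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP `
    -LocalPort 5986 -Action Allow | Out-Null
winrm enumerate winrm/config/Listener
Test-WSMan -ComputerName ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName) -UseSSL
```

Running this against a listener that already exists makes New-WSManInstance fail; remove the old one first with Remove-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{Address='*';Transport='HTTPS'}. Note that New-WSManInstance keeps the listener tied to one thumbprint, so the same script has to be rerun (or the listener updated with Set-WSManInstance) when the wildcard certificate is renewed.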

