Automatically reconfigure WinRM HTTPS listener with new certificate?


Solution 1

I have recently put together a short script in order to do the same thing you are trying to accomplish; here are the relevant parts. Be aware that you will get an error at the end, as the Invoke-Command is going to reset the WinRM service while you are waiting for the result of the Restart-Service command...

$yourCred = Get-Credential domain\account
$yourServer = "your.server.fqdn"

# Find the newest certificate in the remote machine store whose subject matches the server name.
# $yourServer is a local variable, so it must be passed into the remote scriptblock with $using:
# (PowerShell v3+); a plain $yourServer would be empty on the remote side and match every cert.
$LatestThumb = Invoke-Command -ComputerName $yourServer `
                            -Credential $yourCred `
                            -ScriptBlock {
                                Get-ChildItem -Path Cert:\LocalMachine\My |
                                Where-Object {$_.Subject -match "CN=$using:yourServer"} |
                                Sort-Object -Property NotAfter |
                                Select-Object -Last 1 -ExpandProperty Thumbprint
                            }

# Point the existing HTTPS listener at the new certificate (the listener, not the service, holds the thumbprint).
Set-WSManInstance -ResourceURI winrm/config/Listener `
                  -SelectorSet @{Address="*";Transport="HTTPS"} `
                  -ComputerName $yourServer `
                  -Credential $yourCred `
                  -ValueSet @{CertificateThumbprint=$LatestThumb}

# Restart WinRM so the listener serves the new certificate; this drops the remoting session, hence the error.
Invoke-Command -ComputerName $yourServer `
               -Credential $yourCred `
               -ScriptBlock { Restart-Service -Force -Name WinRM }

This is running against Server 2008 R2, with Posh v3. I would bet it works against Server 2012, but it may need some work for v2.

Solution 2

You would normally use the Set-WSManQuickConfig -UseSSL command to configure the SSL certificate on the WinRM service. Alternatively, you can manually use Set-Item to configure the thumbprint on the WinRM service. See below for an example.

# Sets the service-level thumbprint only; each HTTPS listener carries its own CertificateThumbprint.
Set-Location -Path WSMan:\localhost\Service;
Set-Item -Path .\CertificateThumbprint -Value 'THUMBPRINT';

NOTE: Make sure that you are deploying the latest version of the Windows Management Framework Core (includes PowerShell). I recently encountered an issue with a customer where the Set-WSManQuickConfig cmdlet was not correctly identifying a valid SSL certificate in the certificate store.

Solution 3

I realize this post is old, but I wanted to share a solution I came up with. On our CA, I created a Certificate Template that renews with the same key. Compatibility settings must be CA Server 2012 R2 or higher to get the option for "Renew with the same key". I made the cert auto-enroll.

Here is the script I put together. I created an SCCM package that runs it on a schedule.

# Only creates the listener when no HTTPS listener exists yet
if (dir wsman:\localhost\listener | where {$_.Keys -like "Transport=https*"})
{
    Write-Host "Already enabled"
    exit
}
Else
{
    #Variables
    $zone = ".yourdomain.com"
    $fqdn = "$env:computername$zone"
    # certutil prints one "Cert Hash(sha1): <hex>" line per certificate issued from the template;
    # the parsing below assumes exactly one such certificate is in the store
    $Thumbprint = certutil -store My "Cert Template Name" | findstr /c:"Cert Hash(sha1)"
    # removing cert hash(sha1): and the space after it
    $discard,$keep=$Thumbprint.split(":")
    $TP = $Keep -replace '\s',''
    #enable WinRM HTTPS (adjacent quoted strings are joined into one argument by PowerShell)
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="'"$fqdn"'"; CertificateThumbprint="'"$TP"'"}'
}

Hopefully this helps anyone that's looking to implement this domain wide.
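An added example that is not from any of the answers above: it combines the "create if missing" logic of Solution 3 with the "re-point the existing listener" logic of Solution 1 so one scheduled script covers both first setup and certificate renewal, and it targets the listener rather than WSMan:\localhost\Service (Solution 2), since the listener holds the thumbprint clients see. It assumes it runs elevated on the server itself, that the certificate's Subject CN is the host FQDN, and uses the standard Server Authentication EKU OID 1.3.6.1.5.5.7.3.1.

```powershell
# Added example (not from any answer on this page). Idempotent: creates the HTTPS
# listener if missing, otherwise re-points it at the newest valid certificate.
# Assumptions: runs elevated on the server itself; the certificate's Subject CN is the
# host FQDN; 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU OID.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now  = Get-Date

# Newest cert for this host that has a private key, is inside its validity window and
# is usable for server authentication; expired certificates are never selected.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -match "CN=$([regex]::Escape($fqdn))(,|$)" -and
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No valid server-authentication certificate found for $fqdn" }

# The listener, not WSMan:\localhost\Service, is what holds the thumbprint clients see.
$listener = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' } |
    Select-Object -First 1

if (-not $listener) {
    New-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet @{ Hostname = $fqdn; CertificateThumbprint = $cert.Thumbprint } | Out-Null
    Write-Host "Created HTTPS listener using $($cert.Thumbprint)"
}
elseif ($listener.CertificateThumbprint -ne $cert.Thumbprint) {
    # Existing listener still references the old (possibly expired) certificate.
    Set-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = $listener.Address; Transport = 'HTTPS' } `
        -ValueSet @{ CertificateThumbprint = $cert.Thumbprint } | Out-Null
    Restart-Service -Name WinRM -Force   # as in Solution 1, so the new cert is served
    Write-Host "Re-pointed HTTPS listener: $($listener.CertificateThumbprint) -> $($cert.Thumbprint)"
}
else {
    Write-Host "HTTPS listener already uses $($cert.Thumbprint); nothing to do"
}
```

Run it locally (for example from the scheduled SCCM package), not over a WinRM session, because the Restart-Service step would cut that session. From another host, Test-WSMan -ComputerName $fqdn -UseSSL confirms the listener answers with the renewed certificate.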


Author: Jared

Updated on September 18, 2022

Comments

  • Jared, over 1 year ago

    I am looking to enable WinRM HTTPS listeners on all of our servers for secure communication when using CredSSP between servers to get around the double-hop issue.

    Setting this up is fine, we have CN-appropriate certificates from an internal CA so the initial setup of the listeners is fine and works great. The only thing is these certificates are only valid for 1 year, so once they expire we'll need to re-configure the listeners on each server, as the auto-enrollment of the server certificates does not modify the cert thumbprint in the WinRM configuration.

    Has anyone encountered a nice solution to this issue?

    • Ryan Ries, about 10 years ago
      WinRM and/or Powershell remoting evolves very quickly - the procedure for Windows 2008 R2 is likely unrecognizable from the equivalent procedure in 2012, and different still in 2012 R2. So it would help if you told us the exact version of OS you have. Also, read the section "Automating WinRM Configuration" in this article: support.microsoft.com/kb/2019527
    • Jared, about 10 years ago
      Running a mix of 2008 SP2, 2008 R2, and 2012. Currently in the process of upgrading as much as we can to 2012. The initial config on Server 2012 works great using "winrm quickconfig -transport:https" but once the certificate that it chooses is deleted/replaced, you have to manually clean up the thumbprint out of the WinRM config before re-running that command will grab the new cert.
  • AntoineL, almost 3 years ago
    Unless I am missing something, your script only sets the certificate when there is none (that is, what Set-WSManQuickConfig -UseSSL essentially does), it does not do anything when the old —and potentially expired— one is replaced with a new one and the WinRM Listener needs to be reconfigured.
  • Admin, almost 2 years ago
    What's the purpose of renewing a certificate with the same key after it expired? Circumventing the expiry date that another admin configured?
  • Admin, almost 2 years ago
    WSMan:\localhost\Service\CertificateThumbprint is only half the story. Each HTTPS listener has its own certificate thumbprint. Modifying it for the service won't overwrite it for the listeners.