Set-WSManQuickConfig

Certificates used by remoting have the following requirements:

  • The subject must contain the computer name (without a domain).
  • The certificate must support the server authentication enhanced key usage.
  • The certificate must not be expired, revoked, or self-signed.
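
The requirements above can be checked before running Set-WSManQuickConfig. The following is an added example, not code from the original text; the function name Find-RemotingCertificate and its parameters are hypothetical, and it assumes candidate certificates are held in Cert:\LocalMachine\My.

```powershell
# Added example; Find-RemotingCertificate is a hypothetical function name.
function Find-RemotingCertificate {
    [CmdletBinding()]
    param (
        # Computer name without a domain; the subject must contain it.
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumption: candidate certificates are in the local machine store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $now = Get-Date

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # Collect the OIDs from the enhanced key usage extension, if present.
        $ekuOids = $cert.Extensions |
            Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }

        # Build the chain in the machine context with online revocation checking.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainValid = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $chain.Reset()

        $nameInSubject = $cert.Subject -match [Regex]::Escape($ComputerName)
        $hasServerAuth = $ekuOids -contains $serverAuth
        $inValidity    = $cert.NotBefore -le $now -and $cert.NotAfter -gt $now
        $notSelfSigned = $cert.Subject -ne $cert.Issuer

        [PSCustomObject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NameInSubject = $nameInSubject
            ServerAuth    = $hasServerAuth
            InValidity    = $inValidity
            NotSelfSigned = $notSelfSigned
            ChainValid    = $chainValid
            ChainStatus   = $chainStatus
            Suitable      = $nameInSubject -and $hasServerAuth -and $inValidity -and
                            $notSelfSigned -and $chainValid
        }
    }
}

Find-RemotingCertificate | Format-Table Thumbprint, Suitable, ChainStatus, Subject -AutoSize
```

A certificate that fails only the chain check shows the reason (for example, an untrusted root or a revoked certificate) in the ChainStatus column.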

If a certificate that meets these requirements is present, the Set-WSManQuickConfig command may be used:

Set-WSManQuickConfig -UseSSL

HTTPS listeners may be viewed as follows:

PS> Get-ChildItem WSMan:\localhost\Listener\* |
>> Where-Object { (Get-Item "$($_.PSPath)\Transport").Value -eq 'HTTPS' }

   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Listener

Type            Keys                                Name
----            ----                                ----
Container       {Transport=HTTPS, Address=*}        Listener_1305953032

The preceding example may be extended by exploring the properties for the listener:

Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $listener = $_ | Select-Object Name
    Get-ChildItem $_.PSPath | ForEach-Object {
        $listener | Add-Member $_.Name $_.Value
    }
    $listener
} | Where-Object Transport -eq 'HTTPS'

The self-signed certificate can be assigned in this manner, but, for an SSL connection to succeed, the client must trust the certificate. Without trust, the following error is shown:

PS> Invoke-Command -ScriptBlock { Get-Process } -ComputerName $env:COMPUTERNAME -UseSSL

[SSLTEST] Connecting to remote server SSLTEST failed with the following error message : The server certificate on the destination computer (SSLTEST:5986) has the following errors:
The SSL certificate is signed by an unknown certificate authority. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (SSLTEST:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : 12175,PSSessionStateBroken

A number of options are available to work around this error:

  • Disable certificate verification.
  • Add the certificate from the remote server to the local root certificate store.

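Disabling certificate verification can be achieved by configuring the options of a PSSession. The SkipCACheck option skips only the check that the server certificate is signed by a trusted certificate authority, so the connection is still encrypted but the identity of the server is no longer verified:

$options = New-PSSessionOption -SkipCACheck
# -UseSSL is required for the connection to use the HTTPS listener
$session = New-PSSession computerName -UseSSL -SessionOption $options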

Either of the preceding options will allow the connection to complete. This can be verified using Test-WSMan:

Test-WSMan -UseSSL 

If a new certificate is obtained, the certificate for the listener may be replaced by using Set-Item:

$params = @{
    Path  = 'WSMan:\localhost\Listener\Listener_1305953032\CertificateThumbprint'
    Value = 'D8D2F174EE1C37F7C2021C9B7EB6FEE3CB1B9A41'
}
Set-Item @params