Automatic HTTPS WinRM Listener creation

In this post I will show you how to create an HTTPS WinRM listener that uses a certificate issued by your own MS PKI.

The requirements are the following:
– An Active Directory domain
– An Enterprise MS PKI
– PowerShell 5

The first step is to create a certificate template that will be used to issue the WinRM listener certificates to your machines.

Open an MMC console, load the Certificate Templates snap-in, duplicate the Web Server certificate template and configure the new template as shown below:

In the following example, I have selected a computer object as the target of my certificate deployment. In your environment, you can use your own AD group with the following permissions:

Now you can open your CA mmc snap-in and publish this new template:

In this example I have used the Default Domain Policy, but only for illustration. As a best practice, you will have to create a dedicated GPO with these settings:

After running gpupdate /force on the target computer, it will receive the new WinRM certificate based on the template we created above:

So now we have:
– created the certificate template
– published the template in the Active Directory domain
– auto-enrolled a computer, i.e. deployed the new certificate based on the WinRM certificate template

Script syntax
PS C:\> .\winrmScript.ps1 -WinRMCertTemplateName "WinRM Listener"

Before launching the script, we can create a simple HTTP WinRM listener. This listener will be deleted automatically by the script. The script does the same on the target machine if the WinRM listener has been configured with HTTPS but with a certificate that was not issued from our template.

Let's test:
– create the HTTP WinRM listener and check that it has been created as expected

We are now ready to run the script on the target computer to create the HTTPS WinRM listener:

As you can see in the screenshot above, the HTTP listener has been deleted and the new HTTPS listener has been created using the certificate issued by the PKI.
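Here is an example of what such a script can look like. This is an added example written for this page, not the winrmScript.ps1 that the post describes; the -WinRMCertTemplateName parameter and the "WinRM Listener" template name are taken from the post, while the certificate-matching approach (looking for the template name in the certificate's template extension), the firewall rule name "WinRM HTTPS" and the function names are my own assumptions. Run it from an elevated PowerShell session on the target computer.

```powershell
<#
  Added example, not the post's own script: locate the certificate that was
  auto-enrolled from the WinRM template, remove any HTTP listener or HTTPS
  listener bound to another certificate, and create the HTTPS listener.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$WinRMCertTemplateName   # e.g. "WinRM Listener", as in the post
)

# The template identity is stored in one of two certificate extensions:
# v1 templates carry the template name (1.3.6.1.4.1.311.20.2), v2 templates
# carry name/OID plus version (1.3.6.1.4.1.311.21.7).
$templateOids  = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication, inherited from Web Server

function Get-TemplateCertificate {
    param([string]$TemplateName)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $cert = $_
            # Assumption: matching the template name in the formatted extension text
            $templateText = ($cert.Extensions |
                Where-Object { $templateOids -contains $_.Oid.Value } |
                ForEach-Object { $_.Format($false) }) -join ' '
            $cert.HasPrivateKey -and
            $cert.NotAfter -gt (Get-Date) -and
            ($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthEku) -and
            $templateText -match [regex]::Escape($TemplateName)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Get-WinRMListener {
    # Each listener is a container under WSMan:\localhost\Listener;
    # its settings (Transport, CertificateThumbprint, ...) are child items.
    Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $path  = "WSMan:\localhost\Listener\$($_.Name)"
        $props = @{}
        Get-ChildItem $path | ForEach-Object { $props[$_.Name] = $_.Value }
        [pscustomobject]@{
            Path       = $path
            Transport  = $props['Transport']
            Thumbprint = ($props['CertificateThumbprint'] -replace '\s', '')
        }
    }
}

$cert = Get-TemplateCertificate -TemplateName $WinRMCertTemplateName
if (-not $cert) {
    throw "No valid certificate issued from template '$WinRMCertTemplateName' found in LocalMachine\My. Check autoenrollment (gpupdate /force)."
}

# Remove HTTP listeners and HTTPS listeners bound to any other certificate.
foreach ($listener in Get-WinRMListener) {
    $keep = ($listener.Transport -eq 'HTTPS') -and ($listener.Thumbprint -eq $cert.Thumbprint)
    if (-not $keep -and $PSCmdlet.ShouldProcess($listener.Path, "Remove $($listener.Transport) listener")) {
        Remove-Item -Path $listener.Path -Recurse -Force
    }
}

# Create the HTTPS listener bound to the template certificate if it does not exist yet.
$exists = Get-WinRMListener |
    Where-Object { $_.Transport -eq 'HTTPS' -and $_.Thumbprint -eq $cert.Thumbprint }
if (-not $exists) {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($PSCmdlet.ShouldProcess('WSMan:\localhost\Listener', "Create HTTPS listener for $fqdn")) {
        New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -Hostname $fqdn `
                 -CertificateThumbprint $cert.Thumbprint -Force | Out-Null
    }
}

# Allow inbound TCP 5986 if no rule with this (assumed) name exists already.
if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP `
                        -LocalPort 5986 -Action Allow | Out-Null
}

# Show the resulting listener configuration.
Get-WinRMListener
```

Because the script declares SupportsShouldProcess, you can run it with -WhatIf first to see which listeners it would remove before applying the change. A certificate is only selected if it still has its private key, has not expired and carries the Server Authentication EKU, so a stale or wrongly-templated certificate in the store is never bound to the listener.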

Do not hesitate to leave a comment or ask if you have any questions.
