Abstract: For security reasons you may wish to configure Windows Remote Management (WinRM) on Windows Server 2012 R2 to use an SSL certificate.
This is required, for example, when a Skype for Business (SfB) environment has to be hardened. It takes the following steps:
Preparation:
First check whether WinRM is already listening over HTTPS. To do that, open PowerShell (run as admin) and enter:
Get-ChildItem WSMan:\localhost\Client\DefaultPorts
This shows the configured default ports, like:
WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client\DefaultPorts

Type            Name      SourceOfValue   Value
----            ----      -------------   -----
System.String   HTTP                      5985
System.String   HTTPS                     5986
Now that you know the configured port, you can check whether it answers with "telnet localhost 5986".
Steps to enable HTTPS for WinRM:
1.) First create an appropriate SSL certificate (you can use MMC with the Certificates snap-in to request one from your internal Microsoft CA). As friendly name you can choose "WinRM Certificate" or whatever fits your company guidelines. As CN I used the fully qualified hostname. In addition I added the IP address and the DNS names as aliases (subject alternative names). The certificate usage must be "Server Authentication".
2.) Once you have the certificate, open Windows PowerShell (run as admin) and look up its thumbprint via:
Get-ChildItem -Path cert: -Recurse | select Subject, FriendlyName, Thumbprint | Format-List
or
Get-ChildItem -Path cert: -Recurse | select FriendlyName, Thumbprint | Format-List
or
Get-ChildItem -path cert:\LocalMachine\My
This lists the certificates on your system. Make sure you pick the correct one and make a note of its thumbprint.
3.) Now open a CMD prompt as admin and run (straight quotes are required; curly quotes from a copy-and-paste will break the command):
C:\Windows\system32>winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="server01.int.contoso.com";CertificateThumbprint="1C60E58F827A6F16F1ADD93C76A2BB1EE9431F15"}
which outputs something like:
ResourceCreated
    Address = http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    ReferenceParameters
        ResourceURI = http://schemas.microsoft.com/wbem/wsman/1/config/listener
        SelectorSet
            Selector: Address = *, Transport = HTTPS
Note: If you run the same command inside a PowerShell prompt you will get an error like:
PS C:\Windows\system32> winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="server01.int.contoso.com";CertificateThumbprint="1C60E58F827A6F16F1ADD93C76A2BB1EE9431F15"}
Error: Invalid use of command line. Type "winrm -?" for help.
If you picked the wrong certificate here, you can fix that via:
winrm set winrm/config/service @{CertificateThumbprint="1C60E58F827A6F16F1ADD93C76A2BB1EE9431F15"}
4.) If the Windows firewall is enabled, you might need to create an inbound rule for WinRM over HTTPS via:
New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -Protocol TCP
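After step 4 it is worth verifying that the listener really is bound to the certificate you intended. The following PowerShell script is an added example and not part of the original post: it reads the HTTPS listener from the WSMan: drive, looks up the bound certificate in the machine store, checks validity period, private key, the Server Authentication EKU and the hostname, and finally performs a TLS connection test with Test-WSMan. The hostname is a placeholder; replace it with your own FQDN.

```powershell
# Added example (not from the original post): verify the WinRM HTTPS listener
# created in step 3 and the certificate bound to it.
$expectedHost = 'server01.int.contoso.com'   # placeholder, use your own FQDN

# Find the HTTPS listener (Keys look like "Address=*", "Transport=HTTPS")
$listener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $listener) { throw 'No HTTPS listener is configured on this host.' }

# Read the listener properties (Hostname, Port, CertificateThumbprint, ...)
$props = @{}
Get-ChildItem $listener.PSPath | ForEach-Object { $props[$_.Name] = $_.Value }
'Listener {0}: host={1} port={2} thumbprint={3}' -f $listener.Name,
    $props['Hostname'], $props['Port'], $props['CertificateThumbprint']

# Look up the bound certificate in the machine personal store
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $props['CertificateThumbprint'] }
if (-not $cert) {
    throw "Certificate $($props['CertificateThumbprint']) not found in LocalMachine\My."
}

# Checks that matter for a hardened listener: currently valid, private key
# present, Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), name matches
$now = Get-Date
$ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
$checks = [ordered]@{
    'valid period'     = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    'has private key'  = [bool]$cert.HasPrivateKey
    'server auth EKU'  = ($ekus -contains '1.3.6.1.5.5.7.3.1')
    'hostname matches' = ($cert.Subject -match [regex]::Escape($expectedHost) -or
                          $cert.DnsNameList.Unicode -contains $expectedHost)
}
$checks.GetEnumerator() | ForEach-Object { '{0,-18} {1}' -f $_.Key, $_.Value }
if ($checks.Values -contains $false) { Write-Warning 'At least one certificate check failed.' }

# End-to-end test over TLS; fails if the client does not trust the issuing CA
Test-WSMan -ComputerName $expectedHost -UseSSL -Port 5986
```

Run it from an elevated PowerShell on the server itself; a failing Test-WSMan with passing certificate checks usually points at a missing firewall rule or an untrusted issuing CA on the client side.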
Created with help from:
https://blogs.technet.microsoft.com/heyscriptingguy/2013/11/27/powertip-use-powershell-to-discover-certificate-thumbprints/
https://blogs.msdn.microsoft.com/wmi/2009/03/17/three-ways-to-configure-winrm-listeners/
https://support.microsoft.com/en-us/kb/2019527