Https with winrm - Openwsman/openwsman GitHub Wiki
Using HTTPS with WinRM (Windows Remote Management)
This description has been put together by Sanjeev Putta. Thanks, Sanjeev!
- From this link use the first FOUR steps only.
- Verify the generated self-signed certificate
openssl verify server.crt
The output will be as shown below:
server.crt:/C=US/ST=California/L=San Jose/O=ABCD Corporation/OU=Engineering/CN=HostName Or IPAddress/emailAddress
error 18 at 0 depth lookup:self signed certificate
OK
Do not worry about "error 18 at 0 depth lookup:self signed certificate". It simply says that this is a self-signed certificate.
- Convert the certificate from crt to pkcs12 format
For Windows Server, the certificate should be in pkcs12 format. The command to convert is as follows:
openssl pkcs12 -export -in server.crt -inkey server.key -out hostname.pfx
It will ask for the following:
Enter Export Password:
Verifying - Enter Export Password:
Please enter the password and remember it, as it is required when importing the certificate on the Windows Server and Client.
- Finally, make a copy of server.crt
cp server.crt hostname.pem
In Linux, the certificate should be .pem. Since .crt and .pem are the same, there is no need to use an openssl command to convert from .crt to .pem; just make a copy.
- Installing the Certificate on Windows Server:
5.1. You can install using MMC on Windows. If you need instructions for this, I can send them to you.
5.2. After installing on Windows, right-click on the certificate and select Properties.
A dialog box appears; select "Enable only the following purposes".
Enable "Server Authentication" and disable everything else.
Note: In openssl there should be a command to create a self-signed certificate for Server Authentication only, which I do not know yet. If this can be done using openssl, then there is no need for (5.2).
- Installing the Certificate on Linux Client:
Copy hostname.pem from Step 4 to /etc/ssl/certs on SUSE Linux
6.1 Go to /etc/ssl/certs on SUSE Linux
6.2 Create a Hash value by running the following command:
openssl x509 -noout -hash -in hostname.pem
It will print a value such as 100940db
6.3 Create a symbolic link named after the hash value (with a .0 suffix) that points to hostname.pem by running the following command:
ln -s hostname.pem 100940db.0
6.4 After configuring Windows WinRM Service, the following command can be used to verify if the certificate is installed correctly on Linux.
curl -v --capath /etc/ssl/certs https://Hostname or IPAddress:5986/wsman
If it fails, it will report an appropriate error.
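The certificate steps above can be scripted, including the restriction to Server Authentication that the note under 5.2 asks about. This is an added example, not part of the original wiki page or the Openwsman project; it assumes OpenSSL 1.1.1 or later (for -addext), and the function names, host name and directories are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki page). Function names, host name and
# directories are hypothetical. Assumes OpenSSL 1.1.1+ for -addext.

# Self-signed certificate whose extended key usage is serverAuth only.
# -nodes leaves server.key unencrypted, so keep the directory private.
make_server_cert() {  # $1 = host name or IP address, $2 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -addext "extendedKeyUsage=serverAuth" \
        -keyout "$2/server.key" -out "$2/server.crt"
}

# PKCS#12 bundle for Windows. The export password is passed through the
# environment so it does not show up in the openssl argument list.
make_pfx() {  # $1 = directory holding server.crt/server.key, $2 = password
    PFX_PASS="$2" openssl pkcs12 -export -in "$1/server.crt" \
        -inkey "$1/server.key" -out "$1/hostname.pfx" -passout env:PFX_PASS
}

# Copy the certificate into a CA directory and link it under <hash>.0,
# the name OpenSSL (and curl --capath) looks up. Prints the hash.
install_in_capath() {  # $1 = certificate file, $2 = CA directory
    cert_hash=$(openssl x509 -noout -hash -in "$1") || return 1
    cp "$1" "$2/hostname.pem" || return 1
    ln -sf hostname.pem "$2/$cert_hash.0" || return 1
    echo "$cert_hash"
}

# Show the purposes the certificate itself allows.
cert_eku() {  # $1 = certificate file
    openssl x509 -noout -text -in "$1" | grep -A1 'Extended Key Usage'
}

# Check that the certificate chains to an entry in the CA directory.
verify_in_capath() {  # $1 = certificate file, $2 = CA directory
    openssl verify -CApath "$2" "$1"
}
```

Run the functions against a scratch directory first; on the client, the CA directory argument would be /etc/ssl/certs as in step 6.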