Https with winrm - Openwsman/openwsman GitHub Wiki

Using HTTPS with WinRM (Windows Remote Management)

This description has been put together by Sanjeev Putta. Thanks, Sanjeev!

  1. From this link use the First FOUR Steps only.

  2. Verify the generated Self-Signed Certificate

    openssl verify server.crt

The output will be as shown below:

    server.crt:/C=US/ST=California/L=San Jose/O=ABCD Corporation/OU=Engineering/CN=HostName Or IPAddress/emailAddress
    error 18 at 0 depth lookup:self signed certificate
    OK

Do not worry about "error 18 at 0 depth lookup:self signed certificate". It only says that this is a self-signed certificate.

  3. Convert the certificate from crt to pkcs12 format

For Windows Server, the certificate should be in pkcs12 format. The command to convert is as follows:

    openssl pkcs12 -export -in server.crt -inkey server.key -out hostname.pfx

It will ask for the following:

    Enter Export Password:
    Verifying - Enter Export Password:

Enter a password and remember it, as it is required when importing the certificate on the Windows Server and on the client.

  4. Finally, make a copy of server.crt

    cp server.crt hostname.pem

On Linux, the certificate should be a .pem file. Since .crt and .pem are the same format here, there is no need to use an openssl command to convert from .crt to .pem; just make a copy.

  5. Installing the Certificate on Windows Server:

5.1. You can install using MMC on Windows. If you need instructions for this, I can send them to you.

5.2. After installing on Windows, right-click on the certificate and select Properties. A dialog box appears; select "Enable only the following purposes".

Enable "Server Authentication" and disable everything else.

Note: In openssl there should be a command to create a self-signed certificate for Server Authentication only, which I do not know yet. If this can be done using openssl, then there is no need for (5.2).

  6. Installing the Certificate on Linux Client: Copy hostname.pem from Step 4 to /etc/ssl/certs on SUSE Linux

6.1 Go to /etc/ssl/certs on SUSE Linux

6.2 Create a Hash value by running the following command:

    openssl x509 -noout -hash -in hostname.pem

It will print a value such as 100940db

6.3 Create a symbolic link to the hash value by running the following command:

    ln -s hostname.pem 100940db.0

6.4 After configuring Windows WinRM Service, the following command can be used to verify if the certificate is installed correctly on Linux.

    curl -v --capath /etc/ssl/certs https://<Hostname or IPAddress>:5986/wsman

If it fails, curl will report the appropriate error.
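
The note after step 5.2 asks for a certificate restricted to Server Authentication at creation time. The script below is an added example (not from the original page or the Openwsman project) that does this with OpenSSL 1.1.1 or later and then installs the result into a CA directory as in step 6. The function names, the host name and the subjectAltName entry are assumptions.

```shell
#!/bin/sh
# Added example. Function names and the host name are assumptions.
# Needs OpenSSL 1.1.1 or later (-addext, -ext).
set -e

# make_server_cert HOST DIR: writes DIR/server.key and DIR/server.crt, a
# self-signed certificate whose Extended Key Usage is serverAuth only.
make_server_cert() {
    host=$1; dir=$2
    case $host in   # IPv4 literal gets an IP SAN, anything else a DNS SAN
        *[!0-9.]*) san="DNS:$host" ;;
        *)         san="IP:$host" ;;
    esac
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" \
        -addext "subjectAltName=$san" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$dir/server.key" -out "$dir/server.crt"
    chmod 600 "$dir/server.key"
}

# cert_eku CERT: prints the certificate's Extended Key Usage value.
cert_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage |
        sed -n '2{s/^ *//;s/ *$//;p;}'
}

# install_trust CERT CADIR NAME: copies CERT to CADIR/NAME.pem and links it
# as <subject-hash>.N, taking the first N not used by a different
# certificate. Prints the link name.
install_trust() {
    cert=$1; cadir=$2; name=$3
    cp "$cert" "$cadir/$name.pem"
    hash=$(openssl x509 -noout -hash -in "$cadir/$name.pem")
    n=0
    while [ -e "$cadir/$hash.$n" ] && ! cmp -s "$cadir/$hash.$n" "$cert"; do
        n=$((n + 1))
    done
    ln -sf "$name.pem" "$cadir/$hash.$n"
    echo "$hash.$n"
}

# Demo in a scratch directory with a constructed host name.
work=$(mktemp -d)
make_server_cert winrm-host.example "$work"
echo "EKU: $(cert_eku "$work/server.crt")"
link=$(install_trust "$work/server.crt" "$work" hostname)
openssl verify -CApath "$work" "$work/$link"
```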