Certificates used by remoting have the following requirements:
- The subject must contain the computer name (without a domain)
- The certificate must support the server authentication enhanced key usage
- The certificate must not be expired, revoked, or self-signed
If a certificate that meets these requirements is present, the Set-WSManQuickConfig command may be used:
Set-WSManQuickConfig -UseSSL
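The certificate requirements listed above can be checked against the local machine store before the listener is configured. The following is an added example, not code from the original text; the function name Test-RemotingCertificate and its output property names are assumptions made for illustration.

```powershell
function Test-RemotingCertificate {
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        [string]$ComputerName = $env:COMPUTERNAME
    )

    process {
        # Requirement: the subject contains the computer name, without a domain.
        $namePattern = 'CN={0}(,|$)' -f [regex]::Escape($ComputerName)
        $subjectOk = $Certificate.Subject -match $namePattern

        # Requirement: enhanced key usage includes Server Authentication.
        $eku = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekuOk = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1'))

        # Requirement: not expired (and already valid).
        $now = Get-Date
        $dateOk = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -gt $now)

        # Requirement: not self-signed (subject and issuer names differ).
        $notSelfSigned = $Certificate.SubjectName.Name -ne $Certificate.IssuerName.Name

        # Requirement: not revoked. Build() also fails on an untrusted chain.
        # Online mode needs network access to the issuing CA's CRL or OCSP endpoint.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $chainOk = $chain.Build($Certificate)

        [PSCustomObject]@{
            Thumbprint    = $Certificate.Thumbprint
            SubjectOk     = $subjectOk
            ServerAuthEku = $ekuOk
            InDate        = $dateOk
            NotSelfSigned = $notSelfSigned
            ChainValid    = $chainOk
            Usable        = $subjectOk -and $ekuOk -and $dateOk -and $notSelfSigned -and $chainOk
        }
    }
}

# Show every certificate in the machine store with the result of each check.
Get-ChildItem Cert:\LocalMachine\My | Test-RemotingCertificate | Format-Table -AutoSize
```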
HTTPS listeners may be viewed as follows:
PS> Get-ChildItem WSMan:\localhost\Listener\* | Where-Object { (Get-Item "$($_.PSPath)\Transport").Value -eq 'HTTPS' }

   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Listener

Type            Keys                                Name
----            ----                                ----
Container       {Transport=HTTPS, Address=*}        Listener_1305953032
The preceding example may be extended by exploring the properties for the listener:
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $listener = $_ | Select-Object Name
    Get-ChildItem $_.PSPath | ForEach-Object {
        $listener | Add-Member $_.Name $_.Value
    }
    $listener
} | Where-Object Transport -eq 'HTTPS'
The self-signed certificate can be assigned in this manner, but for an SSL connection to succeed, the client must trust the certificate. Without trust, the following error is shown:
PS> Invoke-Command -ScriptBlock { Get-Process } -ComputerName $env:COMPUTERNAME -UseSSL
[SSLTEST] Connecting to remote server SSLTEST failed with the following error message : The server certificate on the destination computer (SSLTEST:5986) has the following errors:
The SSL certificate is signed by an unknown certificate authority. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (SSLTEST:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : 12175,PSSessionStateBroken
Two options are available to get past this error:
- Disable certificate verification
- Add the certificate from the remote server to the local root certificate store
Disabling certificate verification can be achieved by configuring the options of a PS session:
# -SkipCACheck stops the client from checking that the certificate chains to a trusted CA
$options = New-PSSessionOption -SkipCACheck
$session = New-PSSession computerName -UseSSL -SessionOption $options
Either of the preceding options will allow the connection to complete. This can be verified using Test-WSMan:
Test-WSMan -UseSSL
If a new certificate is obtained, the certificate for the listener may be replaced by using Set-Item:
Set-Item WSMan:\localhost\Listener\Listener_1305953032\CertificateThumbprint 'D8D2F174EE1C37F7C2021C9B7EB6FEE3CB1B9A41'