ssl - How to enable WinRM HTTPS transport?


I know the server needs a self-signed CA. How can I generate the CA, and where do I put it to make the server's PowerShell 2.0 work? And what about CN matching?

The following happens when I run the command `winrm quickconfig -transport:https`:

```text
WinRM is not set up to receive requests on this machine.
WSManFault
    Message
        ProviderFault
            WSManFault
                Message
                    Error number:  -2144108267 0x80338115
Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.
```

Unless you want to go to the trouble of setting up a full-fledged single-tier or two-tier PKI infrastructure (which is a topic for Server Fault rather than Stack Overflow), you can make makecert.exe create a self-signed CA certificate and host certificates signed by it.

Create the CA certificate like this:

```powershell
# -r: self-signed; -pe: private key exportable; -sky signature: signing key (CA use)
# The store name after -ss was lost in the page text; My (Personal store) is restored here.
& makecert.exe -pe -r `
    -n "CN=TestCA" `
    -ss My `
    -sr LocalMachine `
    -a sha256 `
    -sky signature `
    "TestCA.cer"
```

Then create a certificate for the host:

```powershell
# Subject must be the FQDN when the machine is domain-joined, otherwise the plain host name
$cn = if ($env:USERDNSDOMAIN) {
        "$env:COMPUTERNAME.$env:USERDNSDOMAIN"
      } else {
        $env:COMPUTERNAME
      }

# -eku 1.3.6.1.5.5.7.3.1: Server Authentication; -sky exchange: key usable for TLS key exchange
# -in/-is/-ir: sign with the TestCA certificate found in LocalMachine\My (store name restored)
# -sp/-sy: use the Schannel RSA provider so the private key is usable by the HTTPS listener
& makecert.exe -pe `
    -n "CN=$cn" `
    -ss My `
    -sr LocalMachine `
    -a sha256 `
    -sky exchange `
    -eku 1.3.6.1.5.5.7.3.1 `
    -in "TestCA" `
    -is My `
    -ir LocalMachine `
    -sp "Microsoft RSA SChannel Cryptographic Provider" `
    -sy 12 `
    "$cn.cer"
```

The CN (Common Name) in the subject of the certificate (and of all host certificates) must match the computer's FQDN.

If you want to create host certificates for other hosts on the local computer, you need to set `$cn` to the name/FQDN of the other computer. To get the certificate and private key to the destination computer, export both from the certificate store (`<serial>` is the serial number of the certificate):

```powershell
# certutil -exportPFX needs the store name before the certificate id; My is restored here
& certutil.exe -exportPFX -f -privatekey -p "password" My "<serial>" computer.pfx
```

Copy computer.pfx to the computer you generated the certificate for and import it like this:

```powershell
& certutil.exe -importPFX -f -privatekey C:\path\to\computer.pfx
```

You'll be prompted for the password you specified when exporting the certificate.

On all machines that should use certificates signed by TestCA, you need to import TestCA.cer under Trusted Root Certification Authorities of the computer account:

```powershell
# "Root" is certutil's name for the Trusted Root Certification Authorities store
# ("CA" would land the certificate in Intermediate Certification Authorities instead)
& certutil.exe -f -addstore Root C:\path\to\TestCA.cer
```

Note that makecert.exe isn't available as a separate download anymore, but you can get it with the Windows SDK (download the ISO image and run the SDK tools installer from the subfolder \Setup\WinSDKTools).

Note that using a makeshift CA like this is strongly discouraged for any kind of production environment.
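As an added example (not part of the answer above), once the host certificate sits in LocalMachine\My this PowerShell checks it against the conditions the error message names (CN equals the FQDN, Server Authentication EKU, not expired, not self-signed, chains to a trusted root) and then registers the HTTPS listener with New-WSManInstance, which is the step `winrm quickconfig -transport:https` refused. It assumes the store and CA names from the answer, and skips revocation checking because the makeshift CA publishes no CRL.

```powershell
# Added example: validate the host certificate, then bind the WinRM HTTPS listener to it.
$fqdn = if ($env:USERDNSDOMAIN) { "$env:COMPUTERNAME.$env:USERDNSDOMAIN" } else { $env:COMPUTERNAME }
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, as in the makecert call

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        # WinRM rejects a self-signed host certificate, so issuer must differ from subject
        $_.HasPrivateKey -and
        $_.Subject -eq "CN=$fqdn" -and
        $_.Issuer -ne $_.Subject -and
        $_.NotAfter -gt (Get-Date) -and
        (($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }) -contains $serverAuthOid)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No usable server certificate for CN=$fqdn in LocalMachine\My" }

# Build the chain the way Schannel would; this fails unless TestCA.cer is in Trusted Root.
# Assumption: the makeshift CA has no CRL, so revocation is not checked.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Certificate chain for $($cert.Thumbprint) does not validate: $status"
}

# Register the HTTPS listener on all addresses with the validated certificate.
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet @{ Hostname = $fqdn; CertificateThumbprint = $cert.Thumbprint }

# Confirm the binding and that a TLS connection to this host succeeds.
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate
Test-WSMan -ComputerName $fqdn -UseSSL
```

Test-WSMan fails with a certificate error if TestCA.cer is not in the Trusted Root store of the calling machine, which is the same check remote clients will perform.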
