================================================================================
WILDCARD CERTIFICATE vs CERTIFICATE AUTHORITY - COMPARISON
================================================================================

QUICK ANSWER: CA approach is BETTER - more secure AND easier to use!

================================================================================
SIDE-BY-SIDE COMPARISON
================================================================================

┌──────────────────────────────────────────────────────────────────────────┐
│                       WILDCARD CERTIFICATE                                │
│                        (Current Approach)                                 │
└──────────────────────────────────────────────────────────────────────────┘

SETUP:
  1. Generate ONE wildcard certificate (*.logon.ds.ge.com)
  2. Deploy SAME certificate to all 175 PCs
  3. Each PC gets exact same cert with CN=*.logon.ds.ge.com

CONNECTING FROM YOUR COMPUTER:
  # Always need to skip certificate validation!
  $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck

  Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986 `
      -SessionOption $sessionOption    # REQUIRED!

  Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
      -Credential $cred -UseSSL -Port 5986 `
      -SessionOption $sessionOption    # REQUIRED!

ISSUES WE HIT:
  ✗ Certificate CN mismatch error (had to fix with wildcard hostname)
  ✗ Certificate not trusted (must bypass validation)
  ✗ Security warning every time
  ✗ Same cert on all PCs (if compromised, all PCs affected)

SECURITY LEVEL: ⚠ Medium
  - Certificate validation bypassed
  - Same certificate on all systems
  - No way to revoke for individual PC


┌──────────────────────────────────────────────────────────────────────────┐
│                     CERTIFICATE AUTHORITY                                 │
│                      (Recommended Approach)                               │
└──────────────────────────────────────────────────────────────────────────┘

SETUP:
  1. Generate ONE Certificate Authority
  2. Use CA to sign 175 INDIVIDUAL certificates (one per PC)
  3. Each PC gets its own cert with CN=hostname.logon.ds.ge.com
  4. Install CA public certificate on YOUR computer

CONNECTING FROM YOUR COMPUTER:
  # Clean and simple - no special options needed!

  Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
  # That's it! No -SessionOption!

  Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
      -Credential $cred -UseSSL -Port 5986
  # That's it! No -SessionOption!

BENEFITS:
  ✓ No certificate CN mismatch (proper hostname in each cert)
  ✓ Certificate automatically trusted (CA is trusted)
  ✓ No security warnings
  ✓ Each PC has unique cert (compromised cert only affects one PC)
  ✓ Can revoke individual certificates

SECURITY LEVEL: ✓ High
  - Full certificate validation
  - Unique certificate per system
  - Individual certificate revocation possible
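To see why the CA approach needs no -SessionOption, it helps to look at what the listener actually presents. The following function is an added example, not part of this document or its scripts: it opens a TLS handshake to the WinRM HTTPS port with .NET's SslStream (no WinRM session is created) and reports separately the two verdicts that -SkipCACheck and -SkipCNCheck would suppress. The hostname and port are the document's own; everything else is assumed.

```powershell
# Added example, not one of the document's scripts: inspect the certificate a WinRM
# HTTPS listener presents and report the checks that -SkipCACheck / -SkipCNCheck skip.
function Test-WinRmListenerCertificate {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 5986
    )
    # The callback records Schannel's verdict and returns $true only so the handshake
    # completes and the certificate can be read. GetNewClosure() lets the delegate see
    # $state, because the callback runs outside this function's scope.
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNotAvailable }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        return $true
    }.GetNewClosure())

    $client = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ComputerName)   # same name the CN check compares against
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }

    $errors   = [int]$state.Errors
    $chainErr = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
    $nameErr  = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    [pscustomobject]@{
        ComputerName = $ComputerName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
        # $false = the document's "Certificate not trusted": only -SkipCACheck gets past it.
        ChainTrusted = ($errors -band $chainErr) -eq 0
        # $false = the document's "CN mismatch": only -SkipCNCheck gets past it.
        NameMatches  = ($errors -band $nameErr) -eq 0
        # $true = the shared wildcard certificate is still in use on this PC.
        IsWildcard   = $cert.Subject.StartsWith('CN=*.')
    }
}

# With "Shopfloor WinRM CA" in Cert:\LocalMachine\Root and a per-PC certificate on the
# listener, ChainTrusted and NameMatches are both $true and IsWildcard is $false.
Test-WinRmListenerCertificate -ComputerName g9kn7pz3esf.logon.ds.ge.com
```

Run against a PC still carrying the wildcard certificate, IsWildcard is $true and ChainTrusted is $false, which is exactly the state the -SkipCACheck bypass hides.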

================================================================================
DETAILED COMPARISON TABLE
================================================================================

Feature                  Wildcard Cert         CA Approach
─────────────────────────────────────────────────────────────────────────────
Initial Setup Time       5 minutes            15 minutes
Certificates to Create   1                    175
Certificate on Each PC   Same                 Unique
Certificate Validation   Bypassed             Enforced
Security Warnings        Yes (always)         No
-SessionOption Required  YES                  NO
Connection Command       Long (with options)  Short (clean)
CN in Certificate        *.logon.ds.ge.com    hostname.logon.ds.ge.com
If One Cert Compromised  All 175 PCs at risk  Only 1 PC affected
Individual Revocation    Not possible         Possible
Professional Approach    No                   Yes
Enterprise Standard      No                   Yes
Recommended by Microsoft No                   Yes

================================================================================
WHAT YOU TYPE WHEN CONNECTING
================================================================================

WILDCARD APPROACH (Current):
────────────────────────────────────────────────────────────────────────────
PS> $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
PS> $cred = Get-Credential
PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
        -Credential $cred -UseSSL -Port 5986 -SessionOption $sessionOption

WARNING: Certificate validation was bypassed!
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>


CA APPROACH (Recommended):
────────────────────────────────────────────────────────────────────────────
PS> $cred = Get-Credential
PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
        -Credential $cred -UseSSL -Port 5986

[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>


DIFFERENCE:
  - Wildcard: 4 lines, security bypass, warnings
  - CA:       2 lines, clean, secure

================================================================================
TIME INVESTMENT
================================================================================

WILDCARD CERTIFICATE:
────────────────────────────────────────────────────────────────────────────
One-time setup:       5 minutes   (generate wildcard cert)
Per PC deployment:    3 minutes   (copy and import same cert)
Total for 175 PCs:    ~9 hours    (5 min + 175 × 3 min)

Every connection:     Extra typing for -SessionOption
Every connection:     Security warnings


CERTIFICATE AUTHORITY:
────────────────────────────────────────────────────────────────────────────
One-time setup:       15 minutes  (create CA, sign 175 certs, install CA)
Per PC deployment:    3 minutes   (copy and import unique cert)
Total for 175 PCs:    ~9 hours    (15 min + 175 × 3 min)

Every connection:     Clean, simple
Every connection:     No security warnings


CONCLUSION: Same deployment time, but CA is cleaner to use forever!

================================================================================
SECURITY COMPARISON
================================================================================

SCENARIO: One certificate is compromised
────────────────────────────────────────────────────────────────────────────

WILDCARD APPROACH:
  ✗ ALL 175 PCs are compromised (same certificate)
  ✗ Must generate NEW wildcard certificate
  ✗ Must redeploy to ALL 175 PCs
  ✗ Major security incident

CA APPROACH:
  ✓ Only ONE PC is compromised (unique certificate)
  ✓ Revoke that one certificate
  ✓ Generate new certificate for that one PC
  ✓ Redeploy to only ONE PC
  ✓ Other 174 PCs unaffected
  ✓ Minor security incident


SCENARIO: Certificate expires
────────────────────────────────────────────────────────────────────────────

WILDCARD APPROACH:
  - Generate new wildcard certificate
  - Redeploy to ALL 175 PCs

CA APPROACH:
  - CA valid for 10 years
  - Sign 175 new certificates (5 minutes)
  - Redeploy to all 175 PCs
  - OR: Deploy in rolling fashion (25 PCs per month)


SCENARIO: Add 10 new PCs
────────────────────────────────────────────────────────────────────────────

WILDCARD APPROACH:
  - Deploy existing wildcard cert to 10 new PCs
  - Same cert as other 175 PCs

CA APPROACH:
  - Sign 10 new certificates (1 minute)
  - Deploy to 10 new PCs
  - Each PC gets unique certificate
  - Automatically trusted (CA already installed)

================================================================================
REAL-WORLD USAGE
================================================================================

SCENARIO: Daily remote management
────────────────────────────────────────────────────────────────────────────

WILDCARD APPROACH:
  Every single connection:

  $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
  Enter-PSSession -ComputerName HOSTNAME -Credential $cred -UseSSL `
      -Port 5986 -SessionOption $sessionOption

  Gets old fast!


CA APPROACH:
  Every single connection:

  Enter-PSSession -ComputerName HOSTNAME -Credential $cred -UseSSL -Port 5986

  Clean and simple!


SCENARIO: Scripting automation
────────────────────────────────────────────────────────────────────────────

WILDCARD APPROACH:
  Every script must include:

  $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
  Invoke-Command -ComputerName $computers -UseSSL -Port 5986 -SessionOption $sessionOption ...


CA APPROACH:
  Clean script:

  Invoke-Command -ComputerName $computers -UseSSL -Port 5986 ...

  No special options needed!

================================================================================
CERTIFICATE INFORMATION
================================================================================

WILDCARD CERTIFICATE:
────────────────────────────────────────────────────────────────────────────
Subject:    CN=*.logon.ds.ge.com
Issuer:     CN=*.logon.ds.ge.com (self-signed)
Valid For:  *.logon.ds.ge.com (all subdomains)
Trusted By: Nobody (must bypass validation)
Used By:    All 175 PCs (same certificate)


CA-SIGNED CERTIFICATES:
────────────────────────────────────────────────────────────────────────────
Certificate Authority:
  Subject:  CN=Shopfloor WinRM CA
  Issuer:   CN=Shopfloor WinRM CA (self-signed)
  Trusted By: All management computers

Individual PC Certificate (example):
  Subject:  CN=g9kn7pz3esf.logon.ds.ge.com
  Issuer:   CN=Shopfloor WinRM CA
  Valid For: g9kn7pz3esf.logon.ds.ge.com (specific hostname)
  Trusted By: Any computer that trusts Shopfloor WinRM CA
  Used By:  Only G9KN7PZ3ESF (unique certificate)

================================================================================
MIGRATION PATH
================================================================================

If you already deployed wildcard certificates, you can migrate:

STEP 1: Create CA and sign certificates
  .\Create-CertificateAuthority.ps1
  .\Sign-BulkPCCertificates.ps1 -HostnameFile shopfloor-hostnames.txt

STEP 2: Install CA on management computers
  Import-Certificate -FilePath "CA.cer" -CertStoreLocation Cert:\LocalMachine\Root

STEP 3: Replace certificates on PCs (one at a time or in batches)
  - Import new CA-signed certificate
  - Reconfigure WinRM listener
  - Remove old wildcard certificate
  - Test connection

STEP 4: Clean up
  - Remove wildcard certificate from management computers
  - Update documentation
  - Securely store CA private key
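The per-PC part of the migration (STEP 3) is where mistakes leave a machine unreachable or still presenting the shared certificate. The function below is an added example, not one of the document's scripts (Create-CertificateAuthority.ps1 and Sign-BulkPCCertificates.ps1 are not shown here): it imports the host's CA-signed certificate, rebinds the HTTPS listener to it, deletes the wildcard certificate with its private key, and confirms the binding. It assumes the per-PC certificate was exported as a PFX and copied to the PC ($PfxPath is a placeholder); the domain suffix and wildcard subject are the document's own.

```powershell
# Added example, not one of the document's scripts: carry out STEP 3 on a single PC.
# Run from an elevated console (or over the HTTP listener), not over the HTTPS listener
# that is being replaced, since removing that listener drops the session.
function Update-WinRmListenerCertificate {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,       # placeholder path to the PC's PFX
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $DnsSuffix  = 'logon.ds.ge.com',
        [string] $OldSubject = 'CN=*.logon.ds.ge.com'
    )
    $fqdn = "$env:COMPUTERNAME.$DnsSuffix".ToLower()

    # Import the host-specific certificate into the machine store. A PFX may also carry
    # the CA certificate, so keep only the leaf that has a private key, and refuse to
    # continue if it was signed for a different host.
    $newCert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
        -CertStoreLocation Cert:\LocalMachine\My |
        Where-Object HasPrivateKey | Select-Object -First 1
    if ($newCert.Subject -ne "CN=$fqdn") {
        throw "Imported certificate is for '$($newCert.Subject)', expected 'CN=$fqdn'"
    }

    # Recreate the HTTPS listener bound to the new certificate (simpler than editing the
    # existing listener in place).
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        Remove-Item -Recurse
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -HostName $fqdn -CertificateThumbprint $newCert.Thumbprint -Force | Out-Null

    # The shared wildcard certificate is the exposure the document describes: remove it
    # together with its private key so this PC can never present it again.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $OldSubject } |
        Remove-Item -DeleteKey

    # Confirm the listener references the new thumbprint. The end-to-end check is
    # Test-WSMan -UseSSL -Port 5986 from a management computer that trusts the CA.
    $listener = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    $bound = (Get-Item "WSMan:\localhost\Listener\$($listener.Name)\CertificateThumbprint").Value
    if (($bound -replace ' ', '') -ne $newCert.Thumbprint) {
        throw "HTTPS listener is bound to '$bound', not to $($newCert.Thumbprint)"
    }
    [pscustomobject]@{ HostName = $fqdn; Subject = $newCert.Subject; Thumbprint = $newCert.Thumbprint }
}
```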

================================================================================
RECOMMENDATION
================================================================================

RECOMMENDED: Certificate Authority Approach

WHY?
  1. MORE SECURE: Individual certificates, proper validation
  2. EASIER TO USE: No -SessionOption needed, cleaner commands
  3. ENTERPRISE STANDARD: Proper PKI infrastructure
  4. BETTER ISOLATION: Compromised cert only affects one PC
  5. SCALABLE: Easy to add new PCs
  6. PROFESSIONAL: Industry best practice

WHEN TO USE WILDCARD?
  - Quick testing only
  - Non-production environments
  - Temporary setups
  - When you're in a hurry and will fix it later

FOR PRODUCTION (175 PCs):
  ✓ Use Certificate Authority
  ✓ Sign individual certificates
  ✓ Proper certificate validation
  ✓ No security bypasses

================================================================================
SUMMARY
================================================================================

                           Wildcard    CA
──────────────────────────────────────────
Setup Complexity           Low         Medium
Long-term Usability        Poor        Excellent
Security                   Medium      High
Certificate Validation     Bypassed    Enforced
Connection Simplicity      Complex     Simple
Enterprise Ready           No          Yes
Recommended for 175 PCs    No          Yes

BOTTOM LINE:
  CA approach is slightly more setup work, but MUCH better for daily use
  and significantly more secure. For 175 production PCs, CA is the right choice.

================================================================================
NEXT STEPS
================================================================================

TO SWITCH TO CA APPROACH:

1. Read: CA-APPROACH-GUIDE.md (detailed walkthrough)
2. Run: .\Create-CertificateAuthority.ps1
3. Run: .\Sign-BulkPCCertificates.ps1 -HostnameFile shopfloor-hostnames.txt
4. Install CA on your management computer
5. Deploy individual certificates to PCs
6. Enjoy clean, secure connections!

TO CONTINUE WITH WILDCARD:

1. Re-run deployment with fixed wildcard script
2. Continue using -SessionOption for all connections
3. Accept security bypass warnings
4. Plan to migrate to CA later

================================================================================
