# Certificate Authority Approach - Complete Workflow

## Overview

Instead of using a wildcard certificate, you create a **Certificate Authority (CA)** and use it to sign individual certificates for each PC. This is more secure and proper.

---

## The Complete Picture

```
┌─────────────────────────────────────────────────────────────────┐
│                        ONE-TIME CA SETUP                        │
└─────────────────────────────────────────────────────────────────┘

1. CREATE CERTIFICATE AUTHORITY (Do Once)
   ┌────────────────────────────────────┐
   │ Run on secure admin computer:      │
   │ .\Create-CertificateAuthority.ps1  │
   └────────────────────────────────────┘
            │
            ├─► Creates: Shopfloor-WinRM-CA-20251017.pfx (PRIVATE KEY - KEEP SECURE!)
            └─► Creates: Shopfloor-WinRM-CA-20251017.cer (PUBLIC CERT - DISTRIBUTE)

2. SIGN CERTIFICATES FOR ALL 175 PCs (Do Once)
   ┌────────────────────────────────────────────────────────────┐
   │ Run on secure admin computer:                              │
   │ .\Sign-BulkPCCertificates.ps1 \                            │
   │     -HostnameFile shopfloor-hostnames.txt \                │
   │     -CAPfxPath "Shopfloor-WinRM-CA-20251017.pfx"           │
   └────────────────────────────────────────────────────────────┘
            │
            ├─► Creates: G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx
            ├─► Creates: G1JJVH63ESF-logon.ds.ge.com-20251017.pfx
            ├─► Creates: G1JJXH63ESF-logon.ds.ge.com-20251017.pfx
            └─► Creates: ... (175 individual certificates)

3. INSTALL CA ON YOUR MANAGEMENT COMPUTER (Do Once Per Computer)
   ┌────────────────────────────────────────────────────────────┐
   │ Run on YOUR computer (H2PRFM94):                           │
   │ Import-Certificate \                                       │
   │     -FilePath "Shopfloor-WinRM-CA-20251017.cer" \          │
   │     -CertStoreLocation Cert:\LocalMachine\Root             │
   └────────────────────────────────────────────────────────────┘
            │
            └─► YOUR computer now trusts ALL certificates signed by this CA!

┌─────────────────────────────────────────────────────────────────┐
│                   DEPLOY TO EACH SHOPFLOOR PC                   │
└─────────────────────────────────────────────────────────────────┘

4. DEPLOY TO EACH PC (Do for Each of 175 PCs)

   PC: G9KN7PZ3ESF
   ┌────────────────────────────────────────────────────────────┐
   │ Copy to PC:                                                │
   │   G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx                 │
   │                                                            │
   │ Import on PC:                                              │
   │ Import-PfxCertificate \                                    │
   │     -FilePath "G9KN7PZ3ESF-logon.ds.ge.com.pfx" \          │
   │     -CertStoreLocation Cert:\LocalMachine\My \             │
   │     -Password $pass                                        │
   │                                                            │
   │ Configure WinRM:                                           │
   │ .\Setup-WinRM-HTTPS.ps1 \                                  │
   │     -CertificateThumbprint "ABC123..." \                   │
   │     -Domain "logon.ds.ge.com"                              │
   └────────────────────────────────────────────────────────────┘
            │
            └─► PC has certificate: CN=g9kn7pz3esf.logon.ds.ge.com
                Signed by: Shopfloor WinRM CA

┌─────────────────────────────────────────────────────────────────┐
│                  CONNECTING FROM YOUR COMPUTER                  │
└─────────────────────────────────────────────────────────────────┘

5. CONNECT FROM YOUR COMPUTER (No Special Options Needed!)
   ┌────────────────────────────────────────────────────────────┐
   │ On YOUR computer (H2PRFM94):                               │
   │                                                            │
   │ # No -SessionOption needed!                                │
   │ Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com \     │
   │     -UseSSL -Port 5986                                     │
   │                                                            │
   │ # Interactive session - just works!                        │
   │ $cred = Get-Credential                                     │
   │ Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com \│
   │     -Credential $cred -UseSSL -Port 5986                   │
   └────────────────────────────────────────────────────────────┘
            │
            └─► WORKS! No certificate errors!
                Why? Because YOUR computer trusts the CA,
                and the PC's certificate is signed by that CA.
```

---

## Why This Works

### Without CA (Current Wildcard Approach):

```
Your Computer                          Remote PC
      │                                    │
      ├─ Tries to connect ────────────────►│
      │                                    │
      │◄─── Presents certificate ──────────┤
      │     CN=*.logon.ds.ge.com           │
      │     Self-signed (untrusted)        │
      │                                    │
      ├─ ❌ ERROR: Untrusted certificate   │
      │                                    │
      └─ Must use -SessionOption to skip validation
```

### With CA (New Approach):

```
Your Computer                              Remote PC
      │                                        │
      │ Has CA installed                       │ Has individual cert
      │ Trusts: Shopfloor WinRM CA             │ CN=g9kn7pz3esf.logon.ds.ge.com
      │                                        │ Signed by: Shopfloor WinRM CA
      │                                        │
      ├─ Tries to connect ────────────────────►│
      │                                        │
      │◄─── Presents certificate ──────────────┤
      │     CN=g9kn7pz3esf.logon.ds.ge.com     │
      │     Signed by: Shopfloor WinRM CA      │
      │                                        │
      ├─ Checks issuer: Shopfloor WinRM CA     │
      ├─ Do I trust this issuer?               │
      ├─ YES! (CA is in Trusted Root)          │
      ├─ ✓ Certificate trusted                 │
      │                                        │
      └─ Connection succeeds! ◄────────────────┘

No -SessionOption needed!
```

---

## Step-by-Step: What You'll Do

### PHASE 1: Setup (One Time)

#### Step 1: Create the CA (5 minutes)

```powershell
# On your secure admin computer
.\Create-CertificateAuthority.ps1

# Prompts for CA password
# Creates:
#   Shopfloor-WinRM-CA-20251017.pfx  (KEEP SECURE!)
#   Shopfloor-WinRM-CA-20251017.cer  (Install on management PCs)
```

**Files created:**

- `Shopfloor-WinRM-CA-20251017.pfx` - CA private key (SECURE THIS!)
- `Shopfloor-WinRM-CA-20251017.cer` - CA public certificate (distribute to management PCs)

---

#### Step 2: Sign All 175 PC Certificates (10 minutes)

```powershell
# On your secure admin computer
# Placeholder passwords are shown inline for clarity; Read-Host -AsSecureString
# avoids leaving them in script files or command history.
$caPass   = ConvertTo-SecureString "YourCAPassword" -AsPlainText -Force
$certPass = ConvertTo-SecureString "PCCertPassword123" -AsPlainText -Force

.\Sign-BulkPCCertificates.ps1 `
    -HostnameFile shopfloor-hostnames.txt `
    -CAPfxPath "Shopfloor-WinRM-CA-20251017.pfx" `
    -CAPassword $caPass `
    -CertificatePassword $certPass `
    -Domain "logon.ds.ge.com"
```

**Files created:**

- `G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx`
- `G1JJVH63ESF-logon.ds.ge.com-20251017.pfx`
- `G1JJXH63ESF-logon.ds.ge.com-20251017.pfx`
- ... (175 total, one per PC)

---

#### Step 3: Install CA on Your Computer (2 minutes)

```powershell
# On YOUR computer (H2PRFM94) - Run as Administrator
Import-Certificate `
    -FilePath "C:\path\to\Shopfloor-WinRM-CA-20251017.cer" `
    -CertStoreLocation Cert:\LocalMachine\Root
```

**Result:** Your computer now trusts ALL certificates signed by this CA.

---

### PHASE 2: Deploy to PCs (Repeat for Each PC)

#### Step 4: Deploy to First PC (Test)

```powershell
# Copy certificate to PC
Copy-Item "G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx" `
    -Destination "\\G9KN7PZ3ESF\C$\Temp\"

# On the PC (G9KN7PZ3ESF), run as Administrator:
$certPass = ConvertTo-SecureString "PCCertPassword123" -AsPlainText -Force
$cert = Import-PfxCertificate `
    -FilePath "C:\Temp\G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password $certPass

# Configure WinRM with this certificate
.\Setup-WinRM-HTTPS.ps1 `
    -CertificateThumbprint $cert.Thumbprint `
    -Domain "logon.ds.ge.com"
```

---

### PHASE 3: Test Connection

#### Step 5: Connect from Your Computer

```powershell
# On YOUR computer (H2PRFM94)

# Test basic connectivity - NO -SessionOption needed!
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
# ✓ Works! No certificate errors!

# Get credentials
$cred = Get-Credential

# Interactive session - NO -SessionOption needed!
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
    -Credential $cred -UseSSL -Port 5986
# ✓ Connected! No certificate warnings!

# Run remote command
Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
    -Credential $cred -UseSSL -Port 5986 `
    -ScriptBlock { hostname }
# Returns: G9KN7PZ3ESF
```

**The key difference:** No more `-SessionOption $sessionOption`! The certificates are properly trusted.

---

## Comparison: Before vs After

### Before (Wildcard Certificate):

```powershell
# Had to skip certificate validation
$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck

# Every connection needed this:
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
    -Credential $cred -UseSSL -Port 5986 `
    -SessionOption $sessionOption   # ← Required!
```

**Problems:**

- ❌ Certificate validation bypassed (insecure)
- ❌ Same certificate on all 175 PCs
- ❌ If compromised, affects all PCs
- ❌ Certificate CN mismatch errors

---

### After (CA-Signed Individual Certificates):

```powershell
# Clean, simple connection
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
    -Credential $cred -UseSSL -Port 5986

# That's it! No -SessionOption needed!
```

**Benefits:**

- ✅ Proper certificate validation (secure)
- ✅ Each PC has its own certificate
- ✅ If one is compromised, only that PC is affected
- ✅ Proper hostname in certificate (no CN mismatch)
- ✅ Easy to revoke individual certificates
- ✅ Professional enterprise approach

---

## What Gets Deployed Where

### Your Management Computer (H2PRFM94):

```
Cert:\LocalMachine\Root\
└─ Shopfloor WinRM CA          ← CA public certificate ONLY (No private key)
```

### Each Shopfloor PC:

```
Cert:\LocalMachine\My\
└─ CN=g9kn7pz3esf.logon.ds.ge.com   ← Individual certificate
   Issued by: Shopfloor WinRM CA      (Has private key for this PC only)
```

### Secure Admin Computer (Where You Create Certs):

```
Shopfloor-WinRM-CA-20251017.pfx     ← CA PRIVATE KEY (SECURE!)
G9KN7PZ3ESF-logon.ds.ge.com.pfx     ← PC certificates (175 files)
G1JJVH63ESF-logon.ds.ge.com.pfx
...                                   (175 total)
```

---

## Security Advantages

### Wildcard Certificate Approach:

```
One certificate compromised = All 175 PCs compromised
Must revoke and redeploy to ALL PCs
```

### CA Approach:

```
One certificate compromised = Only that PC compromised
Revoke individual certificate
Only redeploy to that one PC
Other 174 PCs unaffected
```

---

## Real-World Example

### Your First Connection:

1. **Install CA on your computer** (one time):

   ```powershell
   Import-Certificate -FilePath "Shopfloor-WinRM-CA.cer" `
       -CertStoreLocation Cert:\LocalMachine\Root
   ```

2. **Deploy certificate to G9KN7PZ3ESF** (one time per PC):

   ```powershell
   # Copy and import certificate on the PC
   # Configure WinRM
   ```

3. **Connect from your computer** (anytime):

   ```powershell
   # Simple, clean, secure
   $cred = Get-Credential
   Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
       -Credential $cred -UseSSL -Port 5986
   ```

4. **Result**:

   ```
   [g9kn7pz3esf.logon.ds.ge.com]: PS C:\>
   ```

**No certificate errors! It just works!**

---

## Certificate Chain Verification

When you connect, Windows automatically validates:

```
1. PC presents certificate: CN=g9kn7pz3esf.logon.ds.ge.com
        ↓
2. Check issuer: Shopfloor WinRM CA
        ↓
3. Is "Shopfloor WinRM CA" in Trusted Root?
        ↓
4. YES! Found in Cert:\LocalMachine\Root
        ↓
5. ✓ Certificate trusted
        ↓
6. ✓ Connection allowed
```

---

## Summary: What Changes for You

### Current Workflow (Wildcard):

1. Connect to PC
2. Get certificate error
3. Use `-SessionOption` to bypass validation
4. Warning: Certificate not validated

### New Workflow (CA):

1. Connect to PC
2. Certificate automatically validated
3. Connection succeeds
4. No warnings, fully secure

**It's actually EASIER and MORE SECURE!**

---

## Quick Start Commands

```powershell
# 1. Create CA (one time)
.\Create-CertificateAuthority.ps1

# 2. Sign all PC certificates (one time)
.\Sign-BulkPCCertificates.ps1 -HostnameFile shopfloor-hostnames.txt

# 3. Install CA on your computer (one time)
Import-Certificate -FilePath "CA.cer" -CertStoreLocation Cert:\LocalMachine\Root

# 4. Deploy to PCs (repeat for each)
# (Copy PFX, import, configure WinRM)

# 5. Connect (anytime) - SIMPLE!
$cred = Get-Credential
Enter-PSSession -ComputerName HOSTNAME.logon.ds.ge.com -Credential $cred -UseSSL -Port 5986
```

---

## Questions?

**Q: Do I need to install anything on each PC besides its own certificate?**

A: No! Each PC only gets its own certificate. The CA certificate is only installed on management computers.

**Q: What if I add more PCs later?**

A: Use `Sign-PCCertificate.ps1` to sign a certificate for the new PC. Any computer that trusts the CA will automatically trust the new certificate.

**Q: Can multiple people manage these PCs?**

A: Yes! Install the CA certificate on each management computer. All will trust the PC certificates.

**Q: What happens when certificates expire (2 years)?**

A: Sign new certificates using the same CA. The CA is valid for 10 years.

**Q: Is this really better than the wildcard certificate?**

A: YES! It's more secure, more professional, and actually easier to use because you don't need `-SessionOption` anymore.
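The scripts referenced above (`Create-CertificateAuthority.ps1`, `Sign-BulkPCCertificates.ps1`, `Sign-PCCertificate.ps1`) are not shown on this page. The following is an added example, not the page's scripts, of how the same two steps can be done with the built-in PKI cmdlets: create the CA, then sign one per-host WinRM certificate from it (the case the "add more PCs later" and "certificates expire" questions describe). The CA subject `CN=Shopfloor WinRM CA`, the key sizes, the `-TextExtension` strings for Basic Constraints and the Server Authentication EKU, and the function names are assumptions; the file-name pattern and the 10-year CA / 2-year host lifetimes follow the workflow above.

```powershell
# Added example (not the page's Create-CertificateAuthority.ps1 / Sign-PCCertificate.ps1).
# Assumed equivalents built on New-SelfSignedCertificate, Export-PfxCertificate and
# Export-Certificate from the built-in PKI module. Run on the secure admin computer.

function New-ShopfloorCA {
    param(
        [string] $Subject = 'CN=Shopfloor WinRM CA',        # assumed CA subject
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $OutDir = '.'
    )
    # Basic Constraints CA=TRUE with pathlength 0: this key may sign host
    # certificates only, never another CA. CertSign/CRLSign mark it as an issuer.
    $ca = New-SelfSignedCertificate `
        -Type Custom -Subject $Subject -KeySpec Signature `
        -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
        -KeyUsage CertSign, CRLSign, DigitalSignature -KeyUsageProperty Sign `
        -KeyExportPolicy Exportable `
        -NotAfter (Get-Date).AddYears(10) `
        -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') `
        -CertStoreLocation Cert:\CurrentUser\My

    $stamp = Get-Date -Format 'yyyyMMdd'
    # .pfx = private key, stays on the admin computer; .cer = public cert to distribute
    Export-PfxCertificate -Cert $ca -FilePath "$OutDir\Shopfloor-WinRM-CA-$stamp.pfx" `
        -Password $PfxPassword | Out-Null
    Export-Certificate    -Cert $ca -FilePath "$OutDir\Shopfloor-WinRM-CA-$stamp.cer" | Out-Null
    return $ca
}

function New-ShopfloorPCCertificate {
    param(
        [Parameter(Mandatory)] [string] $Hostname,             # e.g. G9KN7PZ3ESF
        [string] $Domain = 'logon.ds.ge.com',
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $CA,  # from New-ShopfloorCA
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $OutDir = '.'
    )
    $fqdn = "$Hostname.$Domain".ToLower()
    # Host certificate: Server Authentication EKU (1.3.6.1.5.5.7.3.1) and the FQDN
    # in the SAN, which is the name the WinRM client compares with -ComputerName.
    $leaf = New-SelfSignedCertificate `
        -Type Custom -Subject "CN=$fqdn" -DnsName $fqdn `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature, KeyEncipherment -KeyExportPolicy Exportable `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
        -NotAfter (Get-Date).AddYears(2) `
        -Signer $CA -CertStoreLocation Cert:\CurrentUser\My

    $stamp = Get-Date -Format 'yyyyMMdd'
    $pfx = "$OutDir\$Hostname-$Domain-$stamp.pfx"
    Export-PfxCertificate -Cert $leaf -FilePath $pfx -Password $PfxPassword | Out-Null

    # The PC's private key should exist only on that PC and in the PFX just written,
    # so delete the copy (certificate and key) that signing left in the local store.
    Remove-Item -Path "Cert:\CurrentUser\My\$($leaf.Thumbprint)" -DeleteKey
    return $pfx
}

# Usage (prompting instead of hard-coding passwords):
#   $caPass   = Read-Host -AsSecureString 'CA PFX password'
#   $certPass = Read-Host -AsSecureString 'PC certificate PFX password'
#   $ca = New-ShopfloorCA -PfxPassword $caPass
#   New-ShopfloorPCCertificate -Hostname G9KN7PZ3ESF -CA $ca -PfxPassword $certPass
# Renewal after 2 years is the same second call with the same CA, which is why the
# management computers need nothing new installed.
```

The CA certificate is created directly in `Cert:\CurrentUser\My` so that `-Signer` can use its private key; once the `.pfx` is exported and stored safely, that store copy can be removed the same way the host copy is. Because the host certificate carries the FQDN in the SAN and is issued by a CA that sits in the management computer's Trusted Root store, both checks that `-SkipCACheck` and `-SkipCNCheck` used to suppress now pass on their own.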
---

**Bottom line:** You'll have cleaner, simpler, more secure connections with NO certificate warnings or bypasses!
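To confirm that claim for a deployed PC rather than infer it from a successful `Enter-PSSession`, the check below (an added example, not part of the original page) fetches the certificate the PC's HTTPS listener actually presents and runs the same two validations the WinRM client performs: the chain must build to a root this computer trusts, and the name must match `-ComputerName`. The CA subject `CN=Shopfloor WinRM CA` and the function name are assumptions; run it on the management computer after Step 3.

```powershell
# Added example (not part of the original page): verify a shopfloor PC's WinRM HTTPS
# listener from the management computer without -SkipCACheck / -SkipCNCheck.

function Test-WinRmListenerCertificate {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # FQDN, e.g. g9kn7pz3esf.logon.ds.ge.com
        [int] $Port = 5986,
        [string] $ExpectedIssuer = 'CN=Shopfloor WinRM CA'  # assumed CA subject
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($ComputerName, $Port)
    try {
        # The callback returns $true only so the handshake completes and the
        # certificate can be read; validation is done explicitly below, not skipped.
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback] { $true })
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Chain check against this computer's trust stores (LocalMachine\Root included).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # private CA with no CRL distribution point
    $chainBuilds = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Name check: the client compares -ComputerName with the SAN DNS names (or the CN).
    $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = if ($san) { $san.Format($false) } else { $cert.Subject }
    $nameMatches = $names -imatch [regex]::Escape($ComputerName)

    [pscustomobject]@{
        ComputerName         = $ComputerName
        Subject              = $cert.Subject
        Issuer               = $cert.Issuer
        NotAfter             = $cert.NotAfter
        Thumbprint           = $cert.Thumbprint
        IssuedByOurCA        = ($cert.Issuer -eq $ExpectedIssuer)
        ChainBuilds          = $chainBuilds
        ChainStatus          = $status          # empty when the chain is clean
        NameMatches          = $nameMatches
        # $true means this certificate is accepted with no -SessionOption bypass
        TrustedWithoutBypass = ($chainBuilds -and $nameMatches)
    }
}

# Usage: one PC, or every host from the signing list, reporting only the failures
#   Test-WinRmListenerCertificate -ComputerName g9kn7pz3esf.logon.ds.ge.com
#   Get-Content shopfloor-hostnames.txt | ForEach-Object {
#       Test-WinRmListenerCertificate -ComputerName "$($_).logon.ds.ge.com".ToLower()
#   } | Where-Object { -not $_.TrustedWithoutBypass }
```

Two readings of the output are worth knowing. `ChainStatus` of `UntrustedRoot` means the CA `.cer` from Step 3 is not in this computer's `Cert:\LocalMachine\Root` (or a PC still runs the old self-signed wildcard), and `NameMatches = $false` means the listener was bound to a certificate whose SAN does not contain the name you connect with. `RevocationMode` is set to `NoCheck` because a CA made this way publishes no CRL; revoking a single PC's certificate is therefore only enforced by clients once the CA publishes a CRL they can reach, otherwise "revoke" in practice means re-issue the PC's certificate and replace it on the listener.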