================================================================================
WILDCARD CERTIFICATE vs CERTIFICATE AUTHORITY - COMPARISON
================================================================================

QUICK ANSWER: CA approach is BETTER - more secure AND easier to use!

================================================================================
SIDE-BY-SIDE COMPARISON
================================================================================

┌──────────────────────────────────────────────────────────────────────────┐
│                           WILDCARD CERTIFICATE                           │
│                            (Current Approach)                            │
└──────────────────────────────────────────────────────────────────────────┘

SETUP:
  1. Generate ONE wildcard certificate (*.logon.ds.ge.com)
  2. Deploy the SAME certificate to all 175 PCs
  3. Each PC gets the exact same cert with CN=*.logon.ds.ge.com

CONNECTING FROM YOUR COMPUTER:
  # Always need to skip certificate validation!
  $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck

  Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986 `
      -SessionOption $sessionOption                            ← REQUIRED!

  Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
      -Credential $cred -UseSSL -Port 5986 `
      -SessionOption $sessionOption                            ← REQUIRED!

ISSUES WE HIT:
  ✗ Certificate CN mismatch error (had to fix with wildcard hostname)
  ✗ Certificate not trusted (must bypass validation)
  ✗ Security warning every time
  ✗ Same cert on all PCs (if compromised, all PCs affected)

SECURITY LEVEL: ⚠ Medium
  - Certificate validation bypassed
  - Same certificate on all systems
  - No way to revoke for an individual PC

┌──────────────────────────────────────────────────────────────────────────┐
│                          CERTIFICATE AUTHORITY                           │
│                          (Recommended Approach)                          │
└──────────────────────────────────────────────────────────────────────────┘

SETUP:
  1. Generate ONE Certificate Authority
  2. Use the CA to sign 175 INDIVIDUAL certificates (one per PC)
  3. Each PC gets its own cert with CN=hostname.logon.ds.ge.com
  4. Install the CA public certificate on YOUR computer

CONNECTING FROM YOUR COMPUTER:
  # Clean and simple - no special options needed!
  Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
  # That's it! No -SessionOption!

  Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
      -Credential $cred -UseSSL -Port 5986
  # That's it! No -SessionOption!

BENEFITS:
  ✓ No certificate CN mismatch (proper hostname in each cert)
  ✓ Certificate automatically trusted (CA is trusted)
  ✓ No security warnings
  ✓ Each PC has a unique cert (a compromised cert only affects one PC)
  ✓ Can revoke individual certificates

SECURITY LEVEL: ✓ High
  - Full certificate validation
  - Unique certificate per system
  - Individual certificate revocation possible

================================================================================
DETAILED COMPARISON TABLE
================================================================================

Feature                      Wildcard Cert            CA Approach
────────────────────────────────────────────────────────────────────────────
Initial Setup Time           5 minutes                15 minutes
Certificates to Create       1                        175
Certificate on Each PC       Same                     Unique
Certificate Validation       Bypassed                 Enforced
Security Warnings            Yes (always)             No
-SessionOption Required      YES                      NO
Connection Command           Long (with options)      Short (clean)
CN in Certificate            *.logon.ds.ge.com        hostname.logon.ds.ge.com
If One Cert Compromised      All 175 PCs at risk      Only 1 PC affected
Individual Revocation        Not possible             Possible
Professional Approach        No                       Yes
Enterprise Standard          No                       Yes
Recommended by Microsoft     No                       Yes

================================================================================
WHAT YOU TYPE WHEN CONNECTING
================================================================================

WILDCARD APPROACH (Current):
────────────────────────────────────────────────────────────────────────────
PS> $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
PS> $cred = Get-Credential
PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
        -Credential $cred -UseSSL -Port 5986 -SessionOption $sessionOption
WARNING: Certificate validation was bypassed!
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>

CA APPROACH (Recommended):
────────────────────────────────────────────────────────────────────────────
PS> $cred = Get-Credential
PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
        -Credential $cred -UseSSL -Port 5986
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>

DIFFERENCE:
  - Wildcard: 4 lines, security bypass, warnings
  - CA: 2 lines, clean, secure

================================================================================
TIME INVESTMENT
================================================================================

WILDCARD CERTIFICATE:
────────────────────────────────────────────────────────────────────────────
One-time setup:       5 minutes (generate wildcard cert)
Per PC deployment:    3 minutes (copy and import same cert)
Total for 175 PCs:    ~9 hours (5 min + 175 × 3 min)
Every connection:     Extra typing for -SessionOption
Every connection:     Security warnings

CERTIFICATE AUTHORITY:
────────────────────────────────────────────────────────────────────────────
One-time setup:       15 minutes (create CA, sign 175 certs, install CA)
Per PC deployment:    3 minutes (copy and import unique cert)
Total for 175 PCs:    ~9 hours (15 min + 175 × 3 min)
Every connection:     Clean, simple
Every connection:     No security warnings

CONCLUSION: Same deployment time, but CA is cleaner to use forever!
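The one-time CA setup described above (create the CA, sign one certificate per PC, export the public CA certificate for management computers) as an added example. This is not the page's Create-CertificateAuthority.ps1 or Sign-BulkPCCertificates.ps1; it assumes a hostname file with one short name per line, an output folder, and the "Shopfloor WinRM CA" name and 10-year CA validity the page gives.

```powershell
# Added example, not the project's own scripts. Run once on the management computer
# as administrator. Assumptions: $HostnameFile lists one short hostname per line
# (domain appended below); signed PFX files and CA.cer are written to $OutDir.
param(
    [string]$HostnameFile = '.\shopfloor-hostnames.txt',
    [string]$OutDir       = '.\certs'
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Root CA: self-signed, Basic Constraints CA=true with pathlength 0 (it may sign
#    end-entity certs only), valid 10 years. Its private key stays in this store only.
$ca = New-SelfSignedCertificate `
    -Subject 'CN=Shopfloor WinRM CA' `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyLength 4096 -HashAlgorithm SHA256 -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') `
    -CertStoreLocation Cert:\LocalMachine\My `
    -NotAfter (Get-Date).AddYears(10)

# Public half only (no private key): the CA.cer that management PCs import into Root.
Export-Certificate -Cert $ca -FilePath (Join-Path $OutDir 'CA.cer') | Out-Null

# 2. One Server Authentication certificate per PC. CN and SAN are both the FQDN, so the
#    client's CN check passes without -SkipCNCheck. No CRL distribution point is added,
#    so clients cannot consult a revocation list unless one is published (assumption).
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'
foreach ($name in (Get-Content $HostnameFile | Where-Object { $_.Trim() })) {
    $fqdn = "$($name.Trim().ToLower()).logon.ds.ge.com"
    $cert = New-SelfSignedCertificate `
        -Subject "CN=$fqdn" -DnsName $fqdn `
        -Signer $ca `
        -KeyUsage DigitalSignature, KeyEncipherment `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
        -KeyLength 2048 -HashAlgorithm SHA256 -KeyExportPolicy Exportable `
        -CertStoreLocation Cert:\LocalMachine\My `
        -NotAfter (Get-Date).AddYears(1)

    # PFX (cert + private key) for this one PC only.
    Export-PfxCertificate -Cert $cert -Password $pfxPassword `
        -FilePath (Join-Path $OutDir "$fqdn.pfx") | Out-Null

    # The management machine does not need the PC's key, so drop the local copy.
    Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    Write-Host "Signed $fqdn  thumbprint $($cert.Thumbprint)"
}
```

The CA's private key remains in Cert:\LocalMachine\My on the management computer; the "Securely store CA private key" clean-up step in the migration path applies to it.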
================================================================================
SECURITY COMPARISON
================================================================================

SCENARIO: One certificate is compromised
────────────────────────────────────────────────────────────────────────────
WILDCARD APPROACH:
  ✗ ALL 175 PCs are compromised (same certificate)
  ✗ Must generate a NEW wildcard certificate
  ✗ Must redeploy to ALL 175 PCs
  ✗ Major security incident

CA APPROACH:
  ✓ Only ONE PC is compromised (unique certificate)
  ✓ Revoke that one certificate
  ✓ Generate a new certificate for that one PC
  ✓ Redeploy to only ONE PC
  ✓ Other 174 PCs unaffected
  ✓ Minor security incident

SCENARIO: Certificate expires
────────────────────────────────────────────────────────────────────────────
WILDCARD APPROACH:
  - Generate a new wildcard certificate
  - Redeploy to ALL 175 PCs

CA APPROACH:
  - CA valid for 10 years
  - Sign 175 new certificates (5 minutes)
  - Redeploy to all 175 PCs
  - OR: Deploy in rolling fashion (25 PCs per month)

SCENARIO: Add 10 new PCs
────────────────────────────────────────────────────────────────────────────
WILDCARD APPROACH:
  - Deploy the existing wildcard cert to the 10 new PCs
  - Same cert as the other 175 PCs

CA APPROACH:
  - Sign 10 new certificates (1 minute)
  - Deploy to the 10 new PCs
  - Each PC gets a unique certificate
  - Automatically trusted (CA already installed)

================================================================================
REAL-WORLD USAGE
================================================================================

SCENARIO: Daily remote management
────────────────────────────────────────────────────────────────────────────
WILDCARD APPROACH:
  Every single connection:
    $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
    Enter-PSSession -ComputerName HOSTNAME -Credential $cred -UseSSL `
        -Port 5986 -SessionOption $sessionOption

  Gets old fast!
CA APPROACH:
  Every single connection:
    Enter-PSSession -ComputerName HOSTNAME -Credential $cred -UseSSL -Port 5986

  Clean and simple!

SCENARIO: Scripting automation
────────────────────────────────────────────────────────────────────────────
WILDCARD APPROACH:
  Every script must include:
    $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
    Invoke-Command -ComputerName $computers -UseSSL -Port 5986 `
        -SessionOption $sessionOption ...

CA APPROACH:
  Clean script:
    Invoke-Command -ComputerName $computers -UseSSL -Port 5986 ...

  No special options needed!

================================================================================
CERTIFICATE INFORMATION
================================================================================

WILDCARD CERTIFICATE:
────────────────────────────────────────────────────────────────────────────
Subject:     CN=*.logon.ds.ge.com
Issuer:      CN=*.logon.ds.ge.com (self-signed)
Valid For:   *.logon.ds.ge.com (all subdomains)
Trusted By:  Nobody (must bypass validation)
Used By:     All 175 PCs (same certificate)

CA-SIGNED CERTIFICATES:
────────────────────────────────────────────────────────────────────────────
Certificate Authority:
  Subject:     CN=Shopfloor WinRM CA
  Issuer:      CN=Shopfloor WinRM CA (self-signed)
  Trusted By:  All management computers

Individual PC Certificate (example):
  Subject:     CN=g9kn7pz3esf.logon.ds.ge.com
  Issuer:      CN=Shopfloor WinRM CA
  Valid For:   g9kn7pz3esf.logon.ds.ge.com (specific hostname)
  Trusted By:  Any computer that trusts Shopfloor WinRM CA
  Used By:     Only G9KN7PZ3ESF (unique certificate)

================================================================================
MIGRATION PATH
================================================================================

If you already deployed wildcard certificates, you can migrate:

STEP 1: Create CA and sign certificates
  .\Create-CertificateAuthority.ps1
  .\Sign-BulkPCCertificates.ps1 -HostnameFile shopfloor-hostnames.txt

STEP 2: Install CA on management computers
  Import-Certificate -FilePath "CA.cer" -CertStoreLocation Cert:\LocalMachine\Root

STEP 3: Replace certificates on PCs (one at a time or in batches)
  - Import the new CA-signed certificate
  - Reconfigure the WinRM listener
  - Remove the old wildcard certificate
  - Test the connection

STEP 4: Clean up
  - Remove the wildcard certificate from management computers
  - Update documentation
  - Securely store the CA private key

================================================================================
RECOMMENDATION
================================================================================

RECOMMENDED: Certificate Authority Approach

WHY?
  1. MORE SECURE: Individual certificates, proper validation
  2. EASIER TO USE: No -SessionOption needed, cleaner commands
  3. ENTERPRISE STANDARD: Proper PKI infrastructure
  4. BETTER ISOLATION: A compromised cert only affects one PC
  5. SCALABLE: Easy to add new PCs
  6. PROFESSIONAL: Industry best practice

WHEN TO USE WILDCARD?
  - Quick testing only
  - Non-production environments
  - Temporary setups
  - When you're in a hurry and will fix it later

FOR PRODUCTION (175 PCs):
  ✓ Use a Certificate Authority
  ✓ Sign individual certificates
  ✓ Proper certificate validation
  ✓ No security bypasses

================================================================================
SUMMARY
================================================================================

                            Wildcard       CA
────────────────────────────────────────────────────
Setup Complexity            Low            Medium
Long-term Usability         Poor           Excellent
Security                    Medium         High
Certificate Validation      Bypassed       Enforced
Connection Simplicity       Complex        Simple
Enterprise Ready            No             Yes
Recommended for 175 PCs     No             Yes

BOTTOM LINE: The CA approach is slightly more setup work, but MUCH better for
daily use and significantly more secure. For 175 production PCs, CA is the
right choice.

================================================================================
NEXT STEPS
================================================================================

TO SWITCH TO CA APPROACH:
  1. Read: CA-APPROACH-GUIDE.md (detailed walkthrough)
  2. Run: .\Create-CertificateAuthority.ps1
  3. Run: .\Sign-BulkPCCertificates.ps1 -HostnameFile shopfloor-hostnames.txt
  4. Install the CA on your management computer
  5. Deploy individual certificates to PCs
  6. Enjoy clean, secure connections!

TO CONTINUE WITH WILDCARD:
  1. Re-run deployment with the fixed wildcard script
  2. Continue using -SessionOption for all connections
  3. Accept security bypass warnings
  4. Plan to migrate to CA later

================================================================================
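STEP 3 of the migration path (import the CA-signed certificate, reconfigure the WinRM listener, remove the wildcard certificate) and step 5 of the next steps, as an added example run on each PC. This is not the page's own deployment script; it assumes the PC's PFX from the signing step sits under C:\Deploy, that CA.cer is already in the PC's LocalMachine\Root store, and that the old listener is bound to the shared CN=*.logon.ds.ge.com certificate.

```powershell
# Added example, not the project's own deployment script. Run ON the PC as administrator.
# Assumptions: $PfxPath is this host's PFX from the signing step; CA.cer has already been
# imported into Cert:\LocalMachine\Root here; the old HTTPS listener uses the wildcard cert.
param(
    [string]$PfxPath = "C:\Deploy\$($env:COMPUTERNAME.ToLower()).logon.ds.ge.com.pfx"
)
$fqdn = "$($env:COMPUTERNAME.ToLower()).logon.ds.ge.com"

# 1. Import this PC's unique certificate (with its private key) into LocalMachine\My.
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
$new = Import-PfxCertificate -FilePath $PfxPath -Password $pfxPwd `
           -CertStoreLocation Cert:\LocalMachine\My

# Sanity checks before touching the listener: correct name, correct issuer, chain builds.
if ($new.Subject -ne "CN=$fqdn")              { throw "Subject '$($new.Subject)' is not CN=$fqdn" }
if ($new.Issuer  -ne 'CN=Shopfloor WinRM CA') { throw "Unexpected issuer '$($new.Issuer)'" }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: the private CA publishes no CRL
if (-not $chain.Build($new)) { throw 'Chain does not build: is CA.cer in LocalMachine\Root?' }

# 2. Recreate the HTTPS listener so it presents the new thumbprint and the real hostname.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse -Force }
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
         -CertificateThumbprint $new.Thumbprint -HostName $fqdn -Force | Out-Null

# 3. Remove the old shared wildcard certificate and its key; nothing references it now.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=*.logon.ds.ge.com' } |
    Remove-Item

# 4. Show what the HTTPS listener now advertises (Hostname and CertificateThumbprint).
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Get-ChildItem "WSMan:\localhost\Listener\$($_.Name)" } |
    Where-Object { $_.Name -in 'Hostname', 'CertificateThumbprint' } |
    Format-Table Name, Value -AutoSize
```

The connection test is then the page's own command from the management computer, Test-WSMan -ComputerName <fqdn> -UseSSL -Port 5986 with no -SessionOption: it succeeds only if the presented certificate chains to the installed CA and its name matches the host.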