================================================================================
AFTER RUNNING BULK CERTIFICATE SIGNING - WHAT'S NEXT?
================================================================================

You just ran:

    .\Sign-BulkCertificates.ps1

Now you have 175 individual certificates ready to deploy!

================================================================================
WHAT YOU HAVE NOW
================================================================================

Folder created:

    pc-certificates\batch-YYYYMMDD-HHMMSS\

Inside this folder:

- 175 PFX files (one per PC)
  Example: G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx
- 175 CER files (public certificates)
  Example: G9KN7PZ3ESF-logon.ds.ge.com-20251017.cer
- certificate-list.csv (spreadsheet of all certificates)
- SUMMARY.txt (summary report)

================================================================================
NEXT STEP: DEPLOY TO ONE PC (TEST FIRST!)
================================================================================

Test on: G9KN7PZ3ESF

STEP 1: Copy Certificate to the PC
-----------------------------------

From YOUR computer (H2PRFM94):

    # Navigate to the certificate folder
    cd pc-certificates\batch-*

    # Copy to the test PC
    Copy-Item "G9KN7PZ3ESF-logon.ds.ge.com-*.pfx" `
        -Destination "\\G9KN7PZ3ESF\C$\Temp\"

If that doesn't work (network path issue):
- Copy the file to a USB drive
- Or use a network share location
- Or RDP to the PC and copy directly

STEP 2: Import Certificate on the PC
-------------------------------------

ON THE PC (G9KN7PZ3ESF), in PowerShell as Administrator:

    # Import the certificate
    $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
    $cert = Import-PfxCertificate `
        -FilePath "C:\Temp\G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx" `
        -CertStoreLocation Cert:\LocalMachine\My `
        -Password $certPass

    # Show the certificate (verify it worked)
    $cert | Format-List Subject, Issuer, Thumbprint, NotAfter

You should see:

    Subject    : CN=g9kn7pz3esf.logon.ds.ge.com
    Issuer     : CN=Shopfloor WinRM CA
    Thumbprint : (long string)
    NotAfter   : (expiration date)

STEP 3: Configure WinRM HTTPS
------------------------------

Still ON THE PC (G9KN7PZ3ESF):

Option A - If you have Setup-WinRM-HTTPS.ps1 on the PC:

    .\Setup-WinRM-HTTPS.ps1 `
        -CertificateThumbprint $cert.Thumbprint `
        -Domain "logon.ds.ge.com"

Option B - Manual configuration (if no script):

    # Enable WinRM
    Enable-PSRemoting -Force -SkipNetworkProfileCheck

    # Remove old HTTPS listener (if one exists; prints an error if there is none)
    winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

    # Create HTTPS listener with the certificate
    $hostname = "g9kn7pz3esf.logon.ds.ge.com"
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS `
        "@{Hostname=`"$hostname`";CertificateThumbprint=`"$($cert.Thumbprint)`";Port=`"5986`"}"

    # Create firewall rule
    New-NetFirewallRule -DisplayName "WinRM HTTPS-In" `
        -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow

STEP 4: Verify Configuration on the PC
---------------------------------------

Still ON THE PC (G9KN7PZ3ESF):

    # Check WinRM service
    Get-Service WinRM
    # Should show: Running

    # Check listeners
    winrm enumerate winrm/config/listener
    # Should show HTTPS listener on port 5986
    # Hostname should be: g9kn7pz3esf.logon.ds.ge.com

    # Check port
    netstat -an | findstr :5986
    # Should show: 0.0.0.0:5986 LISTENING

    # Check firewall
    Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"
    # Should show: Enabled = True

If any of these fail, run Test-RemotePC-Debug.bat on the PC!
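The Step 4 checks (and the VERIFICATION CHECKLIST further down) as one script to run ON the PC as Administrator. This is an added example, not one of the winrm-ca-scripts; the function name is mine, and it assumes the CA name, port and firewall rule name used in this document.

```powershell
# Reads the listener through the WSMan: drive instead of parsing
# 'winrm enumerate' text, and returns one object with a $true/$false per check.
function Test-WinRmHttpsSetup {
    param(
        [string]$Fqdn   = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()),
        [string]$Issuer = 'CN=Shopfloor WinRM CA',
        [int]$Port      = 5986
    )
    # Certificate: issued by the shopfloor CA, for this host (newest if several)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -eq $Issuer -and $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

    # HTTPS listener and its properties (Hostname, CertificateThumbprint, Port)
    $https = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
    $l = @{}
    if ($https) {
        Get-ChildItem "WSMan:\localhost\Listener\$($https.Name)" |
            ForEach-Object { $l[$_.Name] = $_.Value }
    }

    $fw  = Get-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -ErrorAction SilentlyContinue
    $tcp = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue

    # One field per checklist item; a $false maps to a "Common problems" entry
    [pscustomobject]@{
        Fqdn                  = $Fqdn
        CertificateImported   = [bool]$cert
        CertificateNotExpired = [bool]$cert -and $cert.NotAfter -gt (Get-Date)
        WinRmRunning          = (Get-Service WinRM).Status -eq 'Running'
        HttpsListenerPresent  = [bool]$https
        ListenerHostnameMatch = $l['Hostname'] -eq $Fqdn
        ListenerUsesOurCert   = [bool]$cert -and $l['CertificateThumbprint'] -eq $cert.Thumbprint
        ListenerPort          = $l['Port']
        FirewallRuleEnabled   = [bool]$fw -and "$($fw.Enabled)" -eq 'True'
        PortListening         = [bool]$tcp
    }
}

$result = Test-WinRmHttpsSetup
$result | Format-List
$failed = $result.PSObject.Properties | Where-Object { $_.Value -eq $false }
if ($failed) { Write-Warning "Failed: $($failed.Name -join ', ') - run Test-RemotePC-Debug.bat" }
```

ListenerHostnameMatch catches the "Wrong hostname in cert / used wrong PFX file" case before you try connecting from the management computer.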
STEP 5: Test Connection from YOUR Computer
-------------------------------------------

Back on YOUR computer (H2PRFM94):

    # Test basic connectivity
    Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

Expected output:

    wsmid           : http://schemas.dmtf.org/...
    ProtocolVersion : http://schemas.dmtf.org/...
    ProductVendor   : Microsoft Corporation
    ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

✅ SUCCESS! No certificate errors!

    # Test interactive session
    $cred = Get-Credential
    Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
        -Credential $cred -UseSSL -Port 5986

Expected result:

    [g9kn7pz3esf.logon.ds.ge.com]: PS C:\>

✅ You're now connected to the remote PC!

    # Try some commands:
    hostname
    Get-Service WinRM
    Exit-PSSession

================================================================================
IF TEST PC WORKS - DEPLOY TO MORE PCs
================================================================================

Deploy to 3-5 more PCs for additional testing:
- G1JJVH63ESF
- G1JJXH63ESF
- G1JKYH63ESF
- etc.

For each PC, repeat Steps 1-5 above.

================================================================================
BULK DEPLOYMENT TO ALL 175 PCs
================================================================================

Once 5+ PCs are working successfully, deploy to all remaining PCs.

Option A - Manual Deployment (Safe but slow):
- Deploy 10-20 PCs at a time
- Verify each batch works before continuing
- Track progress in a spreadsheet

Option B - Automated Deployment (Faster):

Create a deployment script:

    $pcs = Get-Content "shopfloor-hostnames.txt"

    foreach ($pc in $pcs) {
        $fqdn = "$pc.logon.ds.ge.com"
        Write-Host "Deploying to $pc..." -ForegroundColor Yellow

        try {
            # Find the PC's certificate (newest batch folder wins if several match)
            $certFile = Get-ChildItem "pc-certificates\batch-*\$pc-*.pfx" |
                Sort-Object LastWriteTime -Descending | Select-Object -First 1
            if (-not $certFile) { throw "No PFX file found for $pc" }

            # Copy certificate
            Copy-Item $certFile.FullName -Destination "\\$fqdn\C$\Temp\"

            # Import and configure remotely
            Invoke-Command -ComputerName $fqdn -ErrorAction Stop -ScriptBlock {
                param($certPath, $certPassword)
                $pass = ConvertTo-SecureString $certPassword -AsPlainText -Force
                $cert = Import-PfxCertificate -FilePath $certPath `
                    -CertStoreLocation Cert:\LocalMachine\My -Password $pass

                # Configure WinRM (add the Step 3, Option B commands here,
                # using $cert.Thumbprint for the listener)
            } -ArgumentList "C:\Temp\$($certFile.Name)", "PCCert2025!"

            Write-Host "  [OK] $pc deployed successfully" -ForegroundColor Green
        }
        catch {
            Write-Host "  [ERROR] $pc failed: $($_.Exception.Message)" -ForegroundColor Red
        }
    }

Note: You'd need to adapt this for your environment.

================================================================================
TRACKING DEPLOYMENT
================================================================================

Create a tracking spreadsheet with columns:
- Hostname
- Certificate Deployed (Yes/No/Date)
- WinRM Configured (Yes/No/Date)
- Connection Tested (Yes/No/Date)
- Notes

Use the certificate-list.csv as a starting point!

================================================================================
TROUBLESHOOTING
================================================================================

If a PC won't connect:

1. Copy Test-RemotePC-Debug.bat and Test-RemotePC-Debug.ps1 to that PC
2. Right-click Test-RemotePC-Debug.bat, "Run as Administrator"
3. Review the output to find the issue

Common problems:

❌ Port 5986 not listening  → WinRM listener not created
❌ Certificate not found    → Certificate not imported
❌ Firewall blocking        → Firewall rule missing
❌ Wrong hostname in cert   → Used wrong PFX file

================================================================================
VERIFICATION CHECKLIST
================================================================================

For each deployed PC, verify:

✓ Certificate imported (Cert:\LocalMachine\My)
✓ Certificate issued by "Shopfloor WinRM CA"
✓ WinRM service running
✓ HTTPS listener on port 5986
✓ Listener hostname matches PC FQDN
✓ Firewall rule enabled
✓ Port 5986 listening
✓ Can connect from management computer
✓ No certificate warnings

================================================================================
FINAL RESULT
================================================================================

After deploying all 175 PCs, you can connect to ANY of them with:

    $cred = Get-Credential
    Enter-PSSession -ComputerName HOSTNAME.logon.ds.ge.com `
        -Credential $cred -UseSSL -Port 5986

Clean, secure, no certificate bypasses!

Run commands on multiple PCs:

    $computers = @("g9kn7pz3esf", "g1jjvh63esf", "g1jjxh63esf")
    Invoke-Command -ComputerName ($computers | ForEach-Object { "$_.logon.ds.ge.com" }) `
        -Credential $cred -UseSSL -Port 5986 `
        -ScriptBlock { Get-Service WinRM | Select-Object Name, Status }

Collect data from all 175 PCs in seconds!

================================================================================
SUMMARY
================================================================================

Next Steps After Bulk Signing:

1. ✅ Deploy to ONE PC (G9KN7PZ3ESF) - TEST FIRST
2. ✅ Verify connection works
3. ✅ Deploy to 3-5 more PCs
4. ✅ Deploy to remaining PCs in batches
5. ✅ Track progress
6. ✅ Verify all deployments
7. ✅ Celebrate! 🎉

================================================================================
NEED HELP?
================================================================================

- Certificate issues  → Run Test-RemotePC-Debug.bat on the PC
- Connection issues   → Check firewall, WinRM service, listener
- Can't copy files    → Check network paths, permissions
- General questions   → Review README.txt

All scripts and documentation are in /home/camp/winrm-ca-scripts/

================================================================================
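The TRACKING DEPLOYMENT spreadsheet and the "Can connect from management computer" check, filled in automatically from YOUR computer (H2PRFM94). This is an added example, not one of the winrm-ca-scripts; the function names and the output file name are mine, and it assumes shopfloor-hostnames.txt, the logon.ds.ge.com domain and the "Shopfloor WinRM CA" issuer from this document.

```powershell
# Reads the certificate the PC presents on 5986 without WinRM credentials
function Get-WinRmHttpsCertificate {
    param([string]$Fqdn, [int]$Port = 5986)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, $Port)
        # Accept-all callback only so the presented cert can be read and reported;
        # trust is enforced by the Invoke-Command session in Test-FleetDeployment
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
            ([Net.Security.RemoteCertificateValidationCallback]{ $true }))
        $ssl.AuthenticateAsClient($Fqdn)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    }
    finally { $client.Dispose() }
}

function Test-FleetDeployment {
    param([string[]]$Hostnames, [pscredential]$Credential,
          [string]$Domain = 'logon.ds.ge.com', [string]$ExpectedIssuer = 'CN=Shopfloor WinRM CA')
    foreach ($pc in $Hostnames) {
        $fqdn = "$pc.$Domain".ToLower()
        # Same columns as the tracking spreadsheet
        $row = [ordered]@{ Hostname = $pc; CertificateDeployed = 'No'; WinRMConfigured = 'No';
                           ConnectionTested = 'No'; Notes = '' }
        try {
            $cert = Get-WinRmHttpsCertificate -Fqdn $fqdn
            $row.WinRMConfigured = 'Yes'          # something answered TLS on 5986
            if ($cert.Issuer -eq $ExpectedIssuer -and $cert.Subject -eq "CN=$fqdn") {
                $row.CertificateDeployed = 'Yes'
            } else {
                $row.Notes = "unexpected cert $($cert.Subject) issued by $($cert.Issuer)"
            }
            if ($Credential) {
                # Full check through WinRM's own certificate validation (no bypass flags)
                $null = Invoke-Command -ComputerName $fqdn -Credential $Credential -UseSSL -Port 5986 `
                    -ErrorAction Stop -ScriptBlock { $env:COMPUTERNAME }
                $row.ConnectionTested = 'Yes'
            }
        }
        catch { $row.Notes = $_.Exception.Message }
        [pscustomobject]$row
    }
}

$report = Test-FleetDeployment -Hostnames (Get-Content 'shopfloor-hostnames.txt') -Credential (Get-Credential)
$report | Export-Csv 'deployment-tracking.csv' -NoTypeInformation
$report | Where-Object { $_.ConnectionTested -ne 'Yes' } | Format-Table -AutoSize
```

A row with WinRMConfigured = Yes but CertificateDeployed = No means the listener is up with the wrong certificate (the "Wrong hostname in cert" case); a row with both No means nothing is listening on 5986 yet.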