================================================================================
START HERE - WinRM HTTPS Certificate Authority Setup
================================================================================

Location: /tmp/winrm-ca-scripts/

All files have been created and are ready to use!

================================================================================
COPY THESE FILES TO YOUR WINDOWS COMPUTER
================================================================================

Copy ALL files in /tmp/winrm-ca-scripts/ to:
    C:\users\570005354\Downloads\winrm-ca-scripts\

Files to copy:
  1. Create-CA-Simple.ps1        - Creates Certificate Authority
  2. Sign-BulkCertificates.ps1   - Signs 175 PC certificates
  3. Test-RemotePC-Debug.ps1     - Debug script for remote PCs
  4. Test-RemotePC-Debug.bat     - Batch wrapper for debug script
  5. shopfloor-hostnames.txt     - List of 175 PC hostnames
  6. README.txt                  - Full instructions
  7. START-HERE.txt              - This file

================================================================================
STEP-BY-STEP INSTRUCTIONS
================================================================================

STEP 1: Copy Files to Windows
------------------------------
From Linux terminal:

    # If you have direct access to Windows filesystem:
    cp -r /tmp/winrm-ca-scripts /mnt/c/users/570005354/Downloads/

    # OR use WinSCP, scp, or any file transfer method

STEP 2: Create Certificate Authority
-------------------------------------
On Windows, in PowerShell as Administrator:

    cd C:\users\570005354\Downloads\winrm-ca-scripts
    .\Create-CA-Simple.ps1

Enter password when prompted: ShopfloorCA2025!

This creates:
  - Shopfloor-WinRM-CA-YYYYMMDD.pfx (CA private key)
  - Shopfloor-WinRM-CA-YYYYMMDD.cer (CA public cert)

STEP 3: Install CA on Your Computer
------------------------------------
Still in PowerShell as Administrator:

    Import-Certificate -FilePath "Shopfloor-WinRM-CA-YYYYMMDD.cer" `
        -CertStoreLocation Cert:\LocalMachine\Root

Replace YYYYMMDD with the actual date from Step 2.

STEP 4: Sign All 175 PC Certificates
-------------------------------------
Still in PowerShell as Administrator:

    $caPass = ConvertTo-SecureString "ShopfloorCA2025!" -AsPlainText -Force
    $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force

    .\Sign-BulkCertificates.ps1 `
        -HostnameFile "shopfloor-hostnames.txt" `
        -CAPfxPath "Shopfloor-WinRM-CA-YYYYMMDD.pfx" `
        -CAPassword $caPass `
        -CertificatePassword $certPass

This creates pc-certificates/batch-TIMESTAMP/ folder with 175 certificates.

STEP 5: Test on ONE PC First
-----------------------------
Deploy to G9KN7PZ3ESF for testing:

  A. Copy certificate to PC:

    Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
        -Destination "\\G9KN7PZ3ESF\C$\Temp\"

  B. On G9KN7PZ3ESF, import certificate:

    $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
    # Import-PfxCertificate does not expand wildcards, so resolve the file first
    $pfx = Get-Item "C:\Temp\G9KN7PZ3ESF-*.pfx"
    $cert = Import-PfxCertificate `
        -FilePath $pfx.FullName `
        -CertStoreLocation Cert:\LocalMachine\My `
        -Password $certPass

  C. Configure WinRM (if Setup-WinRM-HTTPS.ps1 is available):

    .\Setup-WinRM-HTTPS.ps1 -CertificateThumbprint $cert.Thumbprint -Domain "logon.ds.ge.com"

STEP 6: Test Connection
------------------------
From YOUR computer:

    Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

    $cred = Get-Credential
    Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
        -Credential $cred -UseSSL -Port 5986

SUCCESS! No -SessionOption needed!

STEP 7: Deploy to Remaining PCs
--------------------------------
Repeat Step 5 for each of the remaining 174 PCs.

Or create an automated deployment script (ask for help if needed).
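
Added example (not one of the files shipped in winrm-ca-scripts): once Step 7
is done, a fleet-wide check that every listener passes the Step 6 test without
bypasses and presents a certificate that chains to the CA from Step 2. The
report name winrm-https-report.csv and a one-hostname-per-line layout for
shopfloor-hostnames.txt are assumptions.

```powershell
# Added example. Run on the admin PC from the winrm-ca-scripts folder after
# Step 3, so the CA certificate is already in Cert:\LocalMachine\Root.
# Assumes shopfloor-hostnames.txt holds one short hostname per line.
$domain = 'logon.ds.ge.com'
$caFile = Get-Item 'Shopfloor-WinRM-CA-*.cer' | Select-Object -First 1
$caCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($caFile.FullName)

$report = foreach ($name in (Get-Content 'shopfloor-hostnames.txt' | Where-Object { $_.Trim() })) {
    $fqdn = ('{0}.{1}' -f $name.Trim(), $domain).ToLower()
    $row  = [ordered]@{ Host = $fqdn; Validates = $false; IssuedByCA = $false; NotAfter = $null; Error = $null }

    # 1. Same test as Step 6: succeeds only if chain and name validate with no bypass.
    try {
        Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986 -ErrorAction Stop | Out-Null
        $row.Validates = $true
    } catch { $row.Error = $_.Exception.Message }

    # 2. Read the certificate the listener presents and confirm it chains to our CA.
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($fqdn, 5986)
        # The handshake accepts any certificate so it can be inspected below;
        # no credentials are sent on this connection.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($fqdn)
        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: the private CA publishes no CRL
        $built = $chain.Build($leaf)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $row.IssuedByCA = $built -and ($root.Thumbprint -eq $caCert.Thumbprint)
        $row.NotAfter   = $leaf.NotAfter
    } catch {
        if (-not $row.Error) { $row.Error = $_.Exception.Message }
    } finally { $tcp.Close() }

    [pscustomobject]$row
}

# Full report on disk; hosts that still need attention on screen.
$report | Export-Csv 'winrm-https-report.csv' -NoTypeInformation
$report | Where-Object { -not ($_.Validates -and $_.IssuedByCA) } | Format-Table -AutoSize
```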

================================================================================
TROUBLESHOOTING
================================================================================

If Remote PC Has Issues:

  1. Copy Test-RemotePC-Debug.bat and Test-RemotePC-Debug.ps1 to the PC
  2. Right-click Test-RemotePC-Debug.bat and "Run as Administrator"
  3. Review the output to see what's wrong

Common Issues:

  - Port 5986 not listening → WinRM listener not configured
  - Certificate not found   → Certificate not imported
  - Firewall blocking       → Firewall rule missing

================================================================================
WHAT YOU GET
================================================================================

BEFORE (Wildcard with bypasses):

    $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
    Enter-PSSession -ComputerName PC -Credential $cred -UseSSL -SessionOption $sessionOption

    ⚠️ Certificate warnings, security bypasses

AFTER (CA with proper certs):

    Enter-PSSession -ComputerName PC -Credential $cred -UseSSL -Port 5986

    ✅ Clean, secure, no warnings!

================================================================================
NEED HELP?
================================================================================

Read README.txt for full instructions.

All scripts are ready to use - just copy to Windows and run!

================================================================================