================================================================================
WILDCARD CERTIFICATE FIX - IMPORTANT TECHNICAL DETAIL
================================================================================

Date: 2025-10-17
Issue: Certificate CN mismatch error during HTTPS listener creation

================================================================================
PROBLEM
================================================================================

When deploying WinRM HTTPS with the wildcard certificate, the following error
was received:

    "The WinRM client cannot process the request. The certificate CN and the
    hostname that were provided do not match."

Error Number: -2144108311 (0x803380E9)

================================================================================
ROOT CAUSE
================================================================================

WinRM HTTPS listener creation requires the Hostname parameter to EXACTLY match
the certificate's Common Name (CN).

Certificate Details:
  - Subject: CN=*.logon.ds.ge.com
  - CN: *.logon.ds.ge.com (wildcard format)

Previous (Incorrect) Approach:
  - Passed the specific PC FQDN to the listener: g9kn7pz3esf.logon.ds.ge.com
  - WinRM compared: "*.logon.ds.ge.com" (cert CN)
                vs "g9kn7pz3esf.logon.ds.ge.com" (hostname)
  - Result: MISMATCH → Error

================================================================================
SOLUTION
================================================================================

The listener Hostname parameter must use the EXACT CN from the certificate,
which is the wildcard form: *.logon.ds.ge.com

Fixed Code (Setup-WinRM-HTTPS.ps1):

    # Extract the CN value from the certificate subject
    if ($certSubject -match 'CN=([^,]+)') {
        $certCN = $matches[1]   # This captures "*.logon.ds.ge.com"
    }

    # Use the certificate CN (wildcard) for the listener hostname
    $listenerHostname = $certCN   # "*.logon.ds.ge.com"

    # Create the listener with the wildcard hostname. The @{...} argument is
    # single-quoted so PowerShell hands it to winrm.cmd as text instead of
    # parsing it as a hashtable literal.
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS `
        '@{Hostname="*.logon.ds.ge.com";CertificateThumbprint="...";Port="5986"}'

================================================================================
HOW IT WORKS
================================================================================

Listener Configuration:
  - Listener Hostname: *.logon.ds.ge.com (wildcard)
  - Certificate CN:    *.logon.ds.ge.com (wildcard)
  - Match: ✓ SUCCESS

Client Connection:
  - Clients still connect using the specific FQDN: g9kn7pz3esf.logon.ds.ge.com
  - WinRM matches this against the wildcard: *.logon.ds.ge.com
  - Certificate validation succeeds because the wildcard covers all subdomains

Example:

    # Client connects using the specific hostname
    Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

    # Server listener accepts because:
    # - Listener hostname: *.logon.ds.ge.com
    # - Client hostname:   g9kn7pz3esf.logon.ds.ge.com
    # - Wildcard match: ✓ (g9kn7pz3esf matches *)

================================================================================
TECHNICAL DETAILS
================================================================================

WinRM Listener Hostname Validation:
  1. WinRM creates the listener with Hostname="*.logon.ds.ge.com"
  2. The certificate CN must match the listener hostname EXACTLY
  3. Wildcard CN "*.logon.ds.ge.com" = Listener hostname "*.logon.ds.ge.com" ✓
  4. The listener accepts connections for any hostname matching
     *.logon.ds.ge.com

Certificate Validation During Connection:
  1. Client connects to: g9kn7pz3esf.logon.ds.ge.com:5986
  2. Server presents the certificate with CN: *.logon.ds.ge.com
  3. Client validates: does "g9kn7pz3esf.logon.ds.ge.com" match
     "*.logon.ds.ge.com"?
  4. Wildcard validation: ✓ YES (wildcard * matches "g9kn7pz3esf")
  5. Connection succeeds

================================================================================
WHAT CHANGED IN THE SCRIPT
================================================================================

File:     Setup-WinRM-HTTPS.ps1
Function: New-WinRMHTTPSListener

Changes:
  1. Extract the certificate CN from the Subject field
  2. Use the certificate CN (wildcard) as the listener hostname
  3. Added logging to show both the FQDN and the listener hostname
  4. Added explanatory notes in the output

Before:

    $winrmArgs = "create ... @{Hostname=`"$Hostname`";..."
    # Where $Hostname = "g9kn7pz3esf.logon.ds.ge.com"

After:

    $listenerHostname = $certCN   # "*.logon.ds.ge.com"
    $winrmArgs = "create ... @{Hostname=`"$listenerHostname`";..."

================================================================================
TESTING THE FIX
================================================================================

On Target PC:

    # Check listener configuration
    winrm enumerate winrm/config/listener

    # Should show:
    Listener
        Address = *
        Transport = HTTPS
        Port = 5986
        Hostname = *.logon.ds.ge.com   ← WILDCARD FORMAT
        ...

From Management Server:

    # Test connection using the specific hostname
    Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

    # Should succeed because:
    # - Server listener: *.logon.ds.ge.com
    # - Client request:  g9kn7pz3esf.logon.ds.ge.com
    # - Wildcard match: ✓

================================================================================
APPLIES TO ALL PCS
================================================================================

This fix applies to ALL 175 shopfloor PCs:
  - All use the same wildcard certificate
  - All listeners are configured with: Hostname=*.logon.ds.ge.com
  - All clients connect with the specific FQDN: hostname.logon.ds.ge.com
  - Wildcard matching works for all PCs

Example PCs:
  - g1jjvh63esf.logon.ds.ge.com → matches *.logon.ds.ge.com ✓
  - g1jjxh63esf.logon.ds.ge.com → matches *.logon.ds.ge.com ✓
  - g9kn7pz3esf.logon.ds.ge.com → matches *.logon.ds.ge.com ✓
  - ... (all 175 PCs match)

================================================================================
VERIFICATION COMMANDS
================================================================================

Check Listener Configuration:

    winrm enumerate winrm/config/listener
    # Look for: Hostname = *.logon.ds.ge.com   ← Must be wildcard!

Check Certificate:

    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*logon.ds.ge.com*" } |
        Select-Object Subject, Thumbprint, NotAfter

Test Connection (from management server):

    Test-WSMan -ComputerName HOSTNAME.logon.ds.ge.com -UseSSL -Port 5986

Create Remote Session:

    $cred = Get-Credential
    Enter-PSSession -ComputerName HOSTNAME.logon.ds.ge.com `
        -Credential $cred -UseSSL -Port 5986

================================================================================
STATUS
================================================================================

Fix Applied:       ✓ YES
File Updated:      Setup-WinRM-HTTPS.ps1
Ready for Testing: ✓ YES
Next Step:         Re-run deployment on test PC (G9KN7PZ3ESF)

================================================================================
EXPECTED RESULTS
================================================================================

After running the updated deployment script:
  1. Certificate import: ✓ SUCCESS
     Subject: CN=*.logon.ds.ge.com
  2. Listener creation: ✓ SUCCESS
     Hostname: *.logon.ds.ge.com (wildcard)
  3. Test connection: ✓ SUCCESS
     Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL
  4. Remote session: ✓ SUCCESS
     Enter-PSSession with the -UseSSL flag

================================================================================
ADDITIONAL NOTES
================================================================================

  - This is standard behavior for wildcard certificates with WinRM
  - The listener hostname MUST match the certificate CN exactly
  - Clients use specific FQDNs; wildcard matching happens automatically
  - This approach is documented in Microsoft's WinRM HTTPS documentation
  - No changes are needed on the client side (management server)

================================================================================
REFERENCES
================================================================================

WinRM Configuration:
  - Listener Address: * (all IP addresses)
  - Transport: HTTPS
  - Port: 5986
  - Hostname: *.logon.ds.ge.com (must match cert CN)
  - Certificate Thumbprint: C1412765B2839E9081FCEA77BB1E6D8840203509

Wildcard Certificate:
  - Subject: CN=*.logon.ds.ge.com
  - Valid for: All subdomains of logon.ds.ge.com
  - Valid until: 2027-10-17
  - Key Size: 2048-bit RSA

================================================================================
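Added example (not the page's Setup-WinRM-HTTPS.ps1 and not Microsoft's code): the CN extraction, certificate sanity checks, listener creation and the client-side wildcard check from the SOLUTION and TECHNICAL DETAILS sections in one script. It uses the WSMan: provider's New-Item rather than winrm.cmd, so the @{...} argument never has to be quoted, and Test-WildcardHostMatch implements the rule the Windows TLS client applies: the asterisk stands for exactly one label, so a.b.logon.ds.ge.com would not be covered by *.logon.ds.ge.com. Assumptions are the domain suffix logon.ds.ge.com and port 5986 from this note, the function names, and that the PC's DNS FQDN ends in that suffix.

```powershell
# Added example; not the page's Setup-WinRM-HTTPS.ps1. Run elevated on the target PC.

function Get-CertificateCN {
    # Pull the CN attribute out of an X.500 subject such as "CN=*.logon.ds.ge.com, O=..."
    param([Parameter(Mandatory)][string]$Subject)
    if ($Subject -match 'CN=([^,]+)') { return $Matches[1].Trim() }
    throw "No CN found in subject '$Subject'"
}

function Test-WildcardHostMatch {
    # Client-side name check: "*" matches exactly one non-empty label, so
    # a.logon.ds.ge.com matches *.logon.ds.ge.com but a.b.logon.ds.ge.com and
    # logon.ds.ge.com do not. Comparison is case-insensitive.
    param([Parameter(Mandatory)][string]$Pattern, [Parameter(Mandatory)][string]$HostName)
    $p = $Pattern.TrimEnd('.').ToLowerInvariant()
    $h = $HostName.TrimEnd('.').ToLowerInvariant()
    if (-not $p.StartsWith('*.')) { return ($p -eq $h) }   # no wildcard: exact match only
    $suffix = $p.Substring(1)                               # ".logon.ds.ge.com"
    if (-not $h.EndsWith($suffix)) { return $false }
    $leftmost = $h.Substring(0, $h.Length - $suffix.Length)
    return ($leftmost.Length -gt 0) -and (-not $leftmost.Contains('.'))
}

function Select-ListenerCertificate {
    # Pick a currently valid server-authentication cert with a private key for the domain.
    param([string]$DomainSuffix = 'logon.ds.ge.com')   # assumption: domain from this note
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'                # Server Authentication EKU
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.Subject -like "CN=*$DomainSuffix*" -and
            $_.HasPrivateKey -and
            $_.NotBefore -le (Get-Date) -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function New-WildcardWinRMListener {
    param([int]$Port = 5986)   # assumption: port from this note
    $cert = Select-ListenerCertificate
    if (-not $cert) { throw 'No valid server-authentication certificate with a private key found' }
    $cn = Get-CertificateCN -Subject $cert.Subject      # "*.logon.ds.ge.com"

    # Sanity check: the name clients will use must be covered by the CN, otherwise the
    # listener will be created but every client will fail certificate validation.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if (-not (Test-WildcardHostMatch -Pattern $cn -HostName $fqdn)) {
        Write-Warning "Certificate CN '$cn' does not cover this host's FQDN '$fqdn'"
    }

    # Remove any existing HTTPS listener so a re-run is idempotent
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        Remove-Item -Recurse -Force

    # Hostname must be the CN verbatim, wildcard included; passing $fqdn here is the
    # exact-match mismatch that produced 0x803380E9.
    $listener = New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -HostName $cn -CertificateThumbPrint $cert.Thumbprint -Port $Port -Force

    [pscustomobject]@{
        ListenerHostname = $cn
        LocalFqdn        = $fqdn
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        ListenerName     = $listener.Name
    }
}

# Usage on the target PC (elevated):
#   New-WildcardWinRMListener | Format-List
#   winrm enumerate winrm/config/listener    # Hostname must read *.logon.ds.ge.com
# Quick check of the matching rule from any PowerShell session:
#   Test-WildcardHostMatch '*.logon.ds.ge.com' 'g9kn7pz3esf.logon.ds.ge.com'    # True
#   Test-WildcardHostMatch '*.logon.ds.ge.com' 'a.b.logon.ds.ge.com'            # False
```

Select-ListenerCertificate filters on the Server Authentication EKU; a certificate issued with no EKU extension at all is excluded by that filter and would need the check relaxed. The Write-Warning rather than a throw keeps listener creation independent of DNS: the listener itself only needs the CN to match, and the warning is there to catch a PC whose registered name is not under the wildcard before clients hit validation failures.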