powershell-scripts/winrm-https/WILDCARD-VS-CA-COMPARISON.txt
cproudlock 62c0c7bb06 Initial commit: Organized PowerShell scripts for ShopDB asset collection
Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 10:57:54 -05:00

================================================================================
WILDCARD CERTIFICATE vs CERTIFICATE AUTHORITY - COMPARISON
================================================================================
QUICK ANSWER: CA approach is BETTER - more secure AND easier to use!
================================================================================
SIDE-BY-SIDE COMPARISON
================================================================================
┌──────────────────────────────────────────────────────────────────────────┐
│ WILDCARD CERTIFICATE │
│ (Current Approach) │
└──────────────────────────────────────────────────────────────────────────┘
SETUP:
1. Generate ONE wildcard certificate (*.logon.ds.ge.com)
2. Deploy SAME certificate to all 175 PCs
3. Each PC gets exact same cert with CN=*.logon.ds.ge.com
CONNECTING FROM YOUR COMPUTER:
    # Always need to skip certificate validation!
    $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
    # Test-WSMan has no -SessionOption parameter and fails on an untrusted cert,
    # so a bypassed connectivity test has to go through Connect-WSMan instead:
    Connect-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986 `
        -SessionOption (New-WSManSessionOption -SkipCACheck -SkipCNCheck)   # REQUIRED!
    Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
        -Credential $cred -UseSSL -Port 5986 `
        -SessionOption $sessionOption                                      # REQUIRED!
ISSUES WE HIT:
✗ Certificate CN mismatch error (had to fix with wildcard hostname)
✗ Certificate not trusted (must bypass validation)
✗ Security warning every time
✗ Same cert and private key on all PCs (if one PC's key is compromised, every PC can be impersonated)
SECURITY LEVEL: ⚠ Medium
- Certificate validation bypassed
- Same certificate on all systems
- No way to revoke for individual PC
┌──────────────────────────────────────────────────────────────────────────┐
│ CERTIFICATE AUTHORITY │
│ (Recommended Approach) │
└──────────────────────────────────────────────────────────────────────────┘
SETUP:
1. Generate ONE Certificate Authority
2. Use CA to sign 175 INDIVIDUAL certificates (one per PC)
3. Each PC gets its own cert with CN=hostname.logon.ds.ge.com
4. Install CA public certificate on YOUR computer
CONNECTING FROM YOUR COMPUTER:
# Clean and simple - no special options needed!
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
# That's it! No -SessionOption!
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
# That's it! No -SessionOption!
BENEFITS:
✓ No certificate CN mismatch (proper hostname in each cert)
✓ Certificate automatically trusted (CA is trusted)
✓ No security warnings
✓ Each PC has unique cert (compromised cert only affects one PC)
✓ Can revoke individual certificates
SECURITY LEVEL: ✓ High
- Full certificate validation
- Unique certificate per system
- Individual certificate revocation possible
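Before dropping -SkipCACheck and -SkipCNCheck, it is worth seeing what a listener actually presents. The function below is an added example, not one of the repo's scripts; it assumes the CA certificate is already in Cert:\LocalMachine\Root on the machine running it and that the home-grown CA publishes no CRL (so revocation checking is disabled). The function name is my own.

```powershell
# Added example (not one of the repo's scripts): report the certificate a WinRM HTTPS
# listener presents and whether it would pass the CA and hostname checks without bypasses.
function Get-WinRMListenerCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # e.g. g9kn7pz3esf.logon.ds.ge.com
        [int]$Port = 5986
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    # Accept anything during the handshake; the certificate is evaluated explicitly below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tls = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
    try {
        $tls.AuthenticateAsClient($ComputerName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$tls.RemoteCertificate
    } finally {
        $tls.Dispose(); $tcp.Dispose()
    }

    # Build the chain against this machine's trust store (Cert:\LocalMachine\Root).
    # Assumed: the home-grown CA has no CRL, so revocation checking is turned off.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    # Hostname check: exact match, or a wildcard covering exactly one label
    # (this is how *.logon.ds.ge.com matches g9kn7pz3esf.logon.ds.ge.com).
    $dnsName = $cert.GetNameInfo('DnsName', $false)
    $nameOk = if ($dnsName.StartsWith('*.')) {
        $suffix = $dnsName.Substring(1)                       # ".logon.ds.ge.com"
        $label  = $ComputerName.Substring(0, [Math]::Max(0, $ComputerName.Length - $suffix.Length))
        $ComputerName.EndsWith($suffix, 'OrdinalIgnoreCase') -and $label -ne '' -and -not $label.Contains('.')
    } else {
        $dnsName -ieq $ComputerName
    }

    [pscustomobject]@{
        ComputerName  = $ComputerName
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        ChainTrusted  = $chainOk      # $false means -SkipCACheck would be needed
        ChainStatus   = ($chain.ChainStatus.Status -join ', ')
        HostnameMatch = $nameOk       # $false means -SkipCNCheck would be needed
    }
}

# Usage: Get-WinRMListenerCertificate -ComputerName g9kn7pz3esf.logon.ds.ge.com | Format-List
```

A wildcard PC still shows ChainTrusted = $false (UntrustedRoot) unless its self-signed cert was imported as a root; a CA-signed PC should show both flags $true once the CA is installed.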
================================================================================
DETAILED COMPARISON TABLE
================================================================================
Feature                       Wildcard Cert             CA Approach
─────────────────────────────────────────────────────────────────────────────
Initial Setup Time            5 minutes                 15 minutes
Certificates to Create        1                         175
Certificate on Each PC        Same                      Unique
Certificate Validation        Bypassed                  Enforced
Security Warnings             Yes (always)              No
-SessionOption Required       YES                       NO
Connection Command            Long (with options)       Short (clean)
CN in Certificate             *.logon.ds.ge.com         hostname.logon.ds.ge.com
If One Cert Compromised       All 175 PCs at risk       Only 1 PC affected
Individual Revocation         Not possible              Possible
Professional Approach         No                        Yes
Enterprise Standard           No                        Yes
Recommended by Microsoft      No                        Yes
================================================================================
WHAT YOU TYPE WHEN CONNECTING
================================================================================
WILDCARD APPROACH (Current):
────────────────────────────────────────────────────────────────────────────
PS> $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
PS> $cred = Get-Credential
PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
>>     -Credential $cred -UseSSL -Port 5986 -SessionOption $sessionOption
WARNING: Certificate validation was bypassed!
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>
CA APPROACH (Recommended):
────────────────────────────────────────────────────────────────────────────
PS> $cred = Get-Credential
PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
>>     -Credential $cred -UseSSL -Port 5986
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>
DIFFERENCE:
- Wildcard: 4 lines, security bypass, warnings
- CA: 2 lines, clean, secure
================================================================================
TIME INVESTMENT
================================================================================
WILDCARD CERTIFICATE:
────────────────────────────────────────────────────────────────────────────
One-time setup: 5 minutes (generate wildcard cert)
Per PC deployment: 3 minutes (copy and import same cert)
Total for 175 PCs: ~9 hours (5 min + 175 × 3 min)
Every connection: Extra typing for -SessionOption
Every connection: Security warnings
CERTIFICATE AUTHORITY:
────────────────────────────────────────────────────────────────────────────
One-time setup: 15 minutes (create CA, sign 175 certs, install CA)
Per PC deployment: 3 minutes (copy and import unique cert)
Total for 175 PCs: ~9 hours (15 min + 175 × 3 min)
Every connection: Clean, simple
Every connection: No security warnings
CONCLUSION: Same deployment time, but CA is cleaner to use forever!
================================================================================
SECURITY COMPARISON
================================================================================
SCENARIO: One certificate is compromised
────────────────────────────────────────────────────────────────────────────
WILDCARD APPROACH:
✗ ALL 175 PCs are compromised (same certificate)
✗ Must generate NEW wildcard certificate
✗ Must redeploy to ALL 175 PCs
✗ Major security incident
CA APPROACH:
✓ Only ONE PC is compromised (unique certificate)
✓ Revoke that one certificate
✓ Generate new certificate for that one PC
✓ Redeploy to only ONE PC
✓ Other 174 PCs unaffected
✓ Minor security incident
SCENARIO: Certificate expires
────────────────────────────────────────────────────────────────────────────
WILDCARD APPROACH:
- Generate new wildcard certificate
- Redeploy to ALL 175 PCs
CA APPROACH:
- CA valid for 10 years
- Sign 175 new certificates (5 minutes)
- Redeploy to all 175 PCs
- OR: Deploy in rolling fashion (25 PCs per month)
SCENARIO: Add 10 new PCs
────────────────────────────────────────────────────────────────────────────
WILDCARD APPROACH:
- Deploy existing wildcard cert to 10 new PCs
- Same cert as other 175 PCs
CA APPROACH:
- Sign 10 new certificates (1 minute)
- Deploy to 10 new PCs
- Each PC gets unique certificate
- Automatically trusted (CA already installed)
================================================================================
REAL-WORLD USAGE
================================================================================
SCENARIO: Daily remote management
────────────────────────────────────────────────────────────────────────────
WILDCARD APPROACH:
Every single connection:
$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName HOSTNAME -Credential $cred -UseSSL `
-Port 5986 -SessionOption $sessionOption
Gets old fast!
CA APPROACH:
Every single connection:
Enter-PSSession -ComputerName HOSTNAME -Credential $cred -UseSSL -Port 5986
Clean and simple!
SCENARIO: Scripting automation
────────────────────────────────────────────────────────────────────────────
WILDCARD APPROACH:
Every script must include:
$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
Invoke-Command -ComputerName $computers -SessionOption $sessionOption ...
CA APPROACH:
Clean script:
Invoke-Command -ComputerName $computers -UseSSL -Port 5986 ...
No special options needed!
================================================================================
CERTIFICATE INFORMATION
================================================================================
WILDCARD CERTIFICATE:
────────────────────────────────────────────────────────────────────────────
Subject: CN=*.logon.ds.ge.com
Issuer: CN=*.logon.ds.ge.com (self-signed)
Valid For: *.logon.ds.ge.com (all subdomains)
Trusted By: Nobody (must bypass validation)
Used By: All 175 PCs (same certificate)
CA-SIGNED CERTIFICATES:
────────────────────────────────────────────────────────────────────────────
Certificate Authority:
Subject: CN=Shopfloor WinRM CA
Issuer: CN=Shopfloor WinRM CA (self-signed)
Trusted By: All management computers
Individual PC Certificate (example):
Subject: CN=g9kn7pz3esf.logon.ds.ge.com
Issuer: CN=Shopfloor WinRM CA
Valid For: g9kn7pz3esf.logon.ds.ge.com (specific hostname)
Trusted By: Any computer that trusts Shopfloor WinRM CA
Used By: Only G9KN7PZ3ESF (unique certificate)
================================================================================
MIGRATION PATH
================================================================================
If you already deployed wildcard certificates, you can migrate:
STEP 1: Create CA and sign certificates
    .\Create-CertificateAuthority.ps1
    .\Sign-BulkPCCertificates.ps1 -HostnameFile shopfloor-hostnames.txt
STEP 2: Install CA on management computers
    Import-Certificate -FilePath "CA.cer" -CertStoreLocation Cert:\LocalMachine\Root
STEP 3: Replace certificates on PCs (one at a time or in batches)
- Import new CA-signed certificate
- Reconfigure WinRM listener
- Remove old wildcard certificate
- Test connection
STEP 4: Clean up
- Remove wildcard certificate from management computers
- Update documentation
- Securely store CA private key (it can sign a certificate for any hostname, so keep it off the PCs and off shared folders)
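STEP 3 on a single PC, written out as an added example rather than one of the repo's scripts: it assumes the CA-signed certificate arrives as a PFX whose path and password are passed in, that the CA subject is CN=Shopfloor WinRM CA as listed above, and that DNS resolves the PC to its hostname.logon.ds.ge.com FQDN. Run it elevated on the PC.

```powershell
# Added example (not one of the repo's scripts): move this PC's WinRM HTTPS listener from the
# shared wildcard certificate to its own CA-signed certificate, then remove the wildcard cert.
param(
    [Parameter(Mandatory)][string]$PfxPath,               # assumed: e.g. C:\Temp\g9kn7pz3esf.pfx
    [Parameter(Mandatory)][securestring]$PfxPassword,
    [string]$CaSubject       = 'CN=Shopfloor WinRM CA',   # CA subject from this document
    [string]$WildcardSubject = 'CN=*.logon.ds.ge.com'     # old wildcard certificate subject
)

# Assumed: DNS returns the FQDN (hostname.logon.ds.ge.com) that the new certificate was signed for.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Import the unique certificate (with its private key) into the machine store.
$new = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
                             -Password $PfxPassword

# Refuse to switch the listener to a certificate that is not from our CA or not for this host.
$certHost = $new.GetNameInfo('DnsName', $false)
if ($new.Issuer -ne $CaSubject) { throw "Issuer is '$($new.Issuer)', expected '$CaSubject'" }
if ($certHost -ine $fqdn)       { throw "Certificate is for '$certHost', this host is '$fqdn'" }

# 2. Point the HTTPS listener at the new thumbprint (create the listener if none exists yet).
$selector = @{ Address = '*'; Transport = 'HTTPS' }
$values   = @{ CertificateThumbprint = $new.Thumbprint; Hostname = $fqdn }
$existing = Get-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selector `
                              -ErrorAction SilentlyContinue
if ($existing) {
    Set-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selector -ValueSet $values
} else {
    New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selector -ValueSet $values
}

# 3. Only now remove the wildcard certificate and its private key from this PC.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $WildcardSubject -and $_.Thumbprint -ne $new.Thumbprint } |
    Remove-Item -DeleteKey

# 4. Confirm the listener really serves the CA-signed certificate before reporting success.
$check = Get-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selector
if ($check.CertificateThumbprint -ne $new.Thumbprint) { throw 'Listener thumbprint was not updated' }
"HTTPS listener on $fqdn now uses $($new.Thumbprint) ($($new.Subject))"
```

Finish the step from a management computer with a plain Enter-PSSession (no -SessionOption) so the test exercises the full validation path.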
================================================================================
RECOMMENDATION
================================================================================
RECOMMENDED: Certificate Authority Approach
WHY?
1. MORE SECURE: Individual certificates, proper validation
2. EASIER TO USE: No -SessionOption needed, cleaner commands
3. ENTERPRISE STANDARD: Proper PKI infrastructure
4. BETTER ISOLATION: Compromised cert only affects one PC
5. SCALABLE: Easy to add new PCs
6. PROFESSIONAL: Industry best practice
WHEN TO USE WILDCARD?
- Quick testing only
- Non-production environments
- Temporary setups
- When you're in a hurry and will fix it later
FOR PRODUCTION (175 PCs):
✓ Use Certificate Authority
✓ Sign individual certificates
✓ Proper certificate validation
✓ No security bypasses
================================================================================
SUMMARY
================================================================================
                              Wildcard        CA
──────────────────────────────────────────
Setup Complexity              Low             Medium
Long-term Usability           Poor            Excellent
Security                      Medium          High
Certificate Validation        Bypassed        Enforced
Connection Simplicity         Complex         Simple
Enterprise Ready              No              Yes
Recommended for 175 PCs       No              Yes
BOTTOM LINE:
CA approach is slightly more setup work, but MUCH better for daily use
and significantly more secure. For 175 production PCs, CA is the right choice.
================================================================================
NEXT STEPS
================================================================================
TO SWITCH TO CA APPROACH:
1. Read: CA-APPROACH-GUIDE.md (detailed walkthrough)
2. Run: .\Create-CertificateAuthority.ps1
3. Run: .\Sign-BulkPCCertificates.ps1 -HostnameFile shopfloor-hostnames.txt
4. Install CA on your management computer
5. Deploy individual certificates to PCs
6. Enjoy clean, secure connections!
TO CONTINUE WITH WILDCARD:
1. Re-run deployment with fixed wildcard script
2. Continue using -SessionOption for all connections
3. Accept security bypass warnings
4. Plan to migrate to CA later
================================================================================