Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation
Each folder includes a README with detailed documentation.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Certificate Authority Approach - Complete Workflow
Overview
Instead of sharing one self-signed wildcard certificate (and its private key) across every PC, you create your own Certificate Authority (CA) once and use it to sign an individual certificate for each PC. Management computers trust the CA, so every PC certificate validates without any bypass options, and each PC holds only its own private key.
The Complete Picture
┌─────────────────────────────────────────────────────────────────┐
│ ONE-TIME CA SETUP │
└─────────────────────────────────────────────────────────────────┘
1. CREATE CERTIFICATE AUTHORITY (Do Once)
┌────────────────────────────────────┐
│ Run on secure admin computer: │
│ .\Create-CertificateAuthority.ps1 │
└────────────────────────────────────┘
│
├─► Creates: Shopfloor-WinRM-CA-20251017.pfx (PRIVATE KEY - KEEP SECURE!)
└─► Creates: Shopfloor-WinRM-CA-20251017.cer (PUBLIC CERT - DISTRIBUTE)
2. SIGN CERTIFICATES FOR ALL 175 PCs (Do Once)
┌────────────────────────────────────────────────────────────┐
│ Run on secure admin computer: │
│ .\Sign-BulkPCCertificates.ps1 \ │
│ -HostnameFile shopfloor-hostnames.txt \ │
│ -CAPfxPath "Shopfloor-WinRM-CA-20251017.pfx" │
└────────────────────────────────────────────────────────────┘
│
├─► Creates: G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx
├─► Creates: G1JJVH63ESF-logon.ds.ge.com-20251017.pfx
├─► Creates: G1JJXH63ESF-logon.ds.ge.com-20251017.pfx
└─► Creates: ... (175 individual certificates)
3. INSTALL CA ON YOUR MANAGEMENT COMPUTER (Do Once Per Computer)
┌────────────────────────────────────────────────────────────┐
│ Run on YOUR computer (H2PRFM94): │
│ Import-Certificate \ │
│ -FilePath "Shopfloor-WinRM-CA-20251017.cer" \ │
│ -CertStoreLocation Cert:\LocalMachine\Root │
└────────────────────────────────────────────────────────────┘
│
└─► YOUR computer now trusts ALL certificates signed by this CA!
┌─────────────────────────────────────────────────────────────────┐
│ DEPLOY TO EACH SHOPFLOOR PC │
└─────────────────────────────────────────────────────────────────┘
4. DEPLOY TO EACH PC (Do for Each of 175 PCs)
PC: G9KN7PZ3ESF
┌────────────────────────────────────────────────────────────┐
│ Copy to PC: │
│ G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx │
│ │
│ Import on PC: │
│ Import-PfxCertificate \ │
│ -FilePath "G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx" \ │
│ -CertStoreLocation Cert:\LocalMachine\My \ │
│ -Password $pass │
│ │
│ Configure WinRM: │
│ .\Setup-WinRM-HTTPS.ps1 \ │
│ -CertificateThumbprint "ABC123..." \ │
│ -Domain "logon.ds.ge.com" │
└────────────────────────────────────────────────────────────┘
│
└─► PC has certificate: CN=g9kn7pz3esf.logon.ds.ge.com
Signed by: Shopfloor WinRM CA
┌─────────────────────────────────────────────────────────────────┐
│ CONNECTING FROM YOUR COMPUTER │
└─────────────────────────────────────────────────────────────────┘
5. CONNECT FROM YOUR COMPUTER (No Special Options Needed!)
┌────────────────────────────────────────────────────────────┐
│ On YOUR computer (H2PRFM94): │
│ │
│ # No -SessionOption needed! │
│ Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com \ │
│ -UseSSL -Port 5986 │
│ │
│ # Interactive session - just works! │
│ $cred = Get-Credential │
│ Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com\│
│ -Credential $cred -UseSSL -Port 5986 │
└────────────────────────────────────────────────────────────┘
│
└─► WORKS! No certificate errors!
Why? Because YOUR computer trusts the CA,
and the PC's certificate is signed by that CA.
Why This Works
Without CA (Current Wildcard Approach):
Your Computer Remote PC
│ │
├─ Tries to connect ────────────────►│
│ │
│◄─── Presents certificate ───────────┤
│ CN=*.logon.ds.ge.com │
│ Self-signed (untrusted) │
│ │
├─ ❌ ERROR: Untrusted certificate │
│ │
└─ Must use -SessionOption
to skip validation
With CA (New Approach):
Your Computer Remote PC
│ │
│ Has CA installed │ Has individual cert
│ Trusts: Shopfloor WinRM CA │ CN=g9kn7pz3esf.logon.ds.ge.com
│ │ Signed by: Shopfloor WinRM CA
│ │
├─ Tries to connect ────────────────►│
│ │
│◄─── Presents certificate ───────────┤
│ CN=g9kn7pz3esf.logon.ds.ge.com │
│ Signed by: Shopfloor WinRM CA │
│ │
├─ Checks issuer: Shopfloor WinRM CA │
├─ Do I trust this issuer? │
├─ YES! (CA is in Trusted Root) │
├─ ✓ Certificate trusted │
│ │
└─ Connection succeeds! ◄─────────────┘
No -SessionOption needed!
Step-by-Step: What You'll Do
PHASE 1: Setup (One Time)
Step 1: Create the CA (5 minutes)
# On your secure admin computer
.\Create-CertificateAuthority.ps1
# Prompts for CA password
# Creates:
# Shopfloor-WinRM-CA-20251017.pfx (KEEP SECURE!)
# Shopfloor-WinRM-CA-20251017.cer (Install on management PCs)
Files created:
- Shopfloor-WinRM-CA-20251017.pfx - CA private key (SECURE THIS!)
- Shopfloor-WinRM-CA-20251017.cer - CA public certificate (distribute to management PCs)
Step 2: Sign All 175 PC Certificates (10 minutes)
# On your secure admin computer
# Prompt for the passwords instead of embedding them in the script (and in shell history)
$caPass = Read-Host -AsSecureString -Prompt "CA password"
$certPass = Read-Host -AsSecureString -Prompt "PC certificate password"
.\Sign-BulkPCCertificates.ps1 `
-HostnameFile shopfloor-hostnames.txt `
-CAPfxPath "Shopfloor-WinRM-CA-20251017.pfx" `
-CAPassword $caPass `
-CertificatePassword $certPass `
-Domain "logon.ds.ge.com"
Files created:
- G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx
- G1JJVH63ESF-logon.ds.ge.com-20251017.pfx
- G1JJXH63ESF-logon.ds.ge.com-20251017.pfx
- ... (175 total, one per PC)
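The page does not show what goes into each PC certificate. The function below is an added example, not the repository's Sign-BulkPCCertificates.ps1, that issues one server certificate from the CA with the built-in New-SelfSignedCertificate cmdlet, so the fields the WinRM client later checks (SAN names, Server Authentication EKU, issuer, validity) are visible. It assumes the CA PFX has an exportable private key and the subject "CN=Shopfloor WinRM CA"; the function name and parameter names are this example's own.

```powershell
# Added example (not the project's script): issue a WinRM server certificate for one PC
# from the private CA, export it as a password-protected PFX, and leave no keys behind.
function New-ShopfloorPCCertificate {
    param(
        [Parameter(Mandatory)] [string] $Hostname,                # e.g. G9KN7PZ3ESF
        [string] $Domain = 'logon.ds.ge.com',
        [string] $CAPfxPath = 'Shopfloor-WinRM-CA-20251017.pfx',   # assumption: CA PFX from Create-CertificateAuthority.ps1
        [Parameter(Mandatory)] [SecureString] $CAPassword,
        [Parameter(Mandatory)] [SecureString] $CertificatePassword,
        [int] $ValidYears = 2
    )
    $fqdn = "$Hostname.$Domain".ToLower()
    $date = Get-Date -Format 'yyyyMMdd'

    # The signer must sit in a store with its private key, so load the CA PFX into
    # CurrentUser\My only for the duration of the signing operation.
    $ca = Import-PfxCertificate -FilePath (Resolve-Path $CAPfxPath) `
        -CertStoreLocation Cert:\CurrentUser\My -Password $CAPassword
    $cert = $null
    try {
        $params = @{
            Subject           = "CN=$fqdn"
            DnsName           = @($fqdn, $Hostname.ToLower())  # SAN: FQDN and short name, so either form passes the name check
            Signer            = $ca                            # issuer becomes CN=Shopfloor WinRM CA
            Type              = 'SSLServerAuthentication'      # EKU 1.3.6.1.5.5.7.3.1, required for an HTTPS listener
            KeyAlgorithm      = 'RSA'
            KeyLength         = 2048
            HashAlgorithm     = 'SHA256'
            KeyUsage          = @('DigitalSignature', 'KeyEncipherment')
            KeyExportPolicy   = 'Exportable'                   # the PFX must carry the private key to the PC
            NotAfter          = (Get-Date).AddYears($ValidYears)
            FriendlyName      = "WinRM HTTPS $fqdn"
            CertStoreLocation = 'Cert:\CurrentUser\My'
        }
        $cert = New-SelfSignedCertificate @params

        # File name matches the convention used elsewhere on this page.
        $pfxPath = Join-Path (Get-Location) "$Hostname-$Domain-$date.pfx"
        Export-PfxCertificate -Cert $cert -FilePath $pfxPath `
            -Password $CertificatePassword -ChainOption EndEntityCertOnly | Out-Null
        Get-Item $pfxPath
    }
    finally {
        # Neither the PC's key nor the CA's key should remain in the admin machine's stores.
        if ($cert) { Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey }
        Remove-Item -Path "Cert:\CurrentUser\My\$($ca.Thumbprint)" -DeleteKey
    }
}

# Usage (bulk): one PFX per hostname listed in shopfloor-hostnames.txt
# $caPass   = Read-Host -AsSecureString -Prompt 'CA password'
# $certPass = Read-Host -AsSecureString -Prompt 'PC certificate password'
# Get-Content shopfloor-hostnames.txt | Where-Object { $_.Trim() } | ForEach-Object {
#     New-ShopfloorPCCertificate -Hostname $_.Trim() -CAPassword $caPass -CertificatePassword $certPass
# }
```

Two design points matter for the rest of the workflow: the SAN carries both the FQDN and the short hostname, which is what removes the name-mismatch errors the wildcard approach produced, and the PFX is exported with the end-entity certificate only, because the management computer already holds the CA certificate in its Root store and the PC never needs it.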
Step 3: Install CA on Your Computer (2 minutes)
# On YOUR computer (H2PRFM94) - Run as Administrator
Import-Certificate `
-FilePath "C:\path\to\Shopfloor-WinRM-CA-20251017.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
Result: Your computer now trusts ALL certificates signed by this CA.
PHASE 2: Deploy to PCs (Repeat for Each PC)
Step 4: Deploy to First PC (Test)
# Copy certificate to PC (the PFX holds the PC's private key; it is deleted again after import)
Copy-Item "G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
# On the PC (G9KN7PZ3ESF), run as Administrator:
$certPass = Read-Host -AsSecureString -Prompt "PC certificate password"
$cert = Import-PfxCertificate `
-FilePath "C:\Temp\G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx" `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $certPass
# The key is now in the machine store; remove the file so the private key is not left on disk
Remove-Item "C:\Temp\G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx"
# Configure WinRM with this certificate
.\Setup-WinRM-HTTPS.ps1 `
-CertificateThumbprint $cert.Thumbprint `
-Domain "logon.ds.ge.com"
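Setup-WinRM-HTTPS.ps1 is not shown on this page. The function below is an added example of what the "Configure WinRM" step consists of when done by hand on the PC, as Administrator, after Import-PfxCertificate: select the CA-issued certificate for this host from LocalMachine\My, bind an HTTPS listener to its thumbprint, and open TCP 5986 on the domain firewall profile. It is not the repository's script; the function name, the firewall rule name and the assumption that the CA subject is "CN=Shopfloor WinRM CA" are this example's own.

```powershell
# Added example (not the project's Setup-WinRM-HTTPS.ps1): bind the WinRM HTTPS
# listener on this PC to its CA-issued certificate. Run locally as Administrator.
function Set-ShopfloorWinRMListener {
    param(
        [string] $Domain = 'logon.ds.ge.com',
        [string] $IssuerPattern = 'CN=Shopfloor WinRM CA*',   # assumption: CA subject created by Create-CertificateAuthority.ps1
        [switch] $RemoveHttpListener                          # drop the 5985 listener once HTTPS is confirmed working
    )
    $fqdn = "$env:COMPUTERNAME.$Domain".ToLower()

    # Choose only a certificate that (a) has its private key, (b) was issued by our CA and
    # (c) names this host in its SAN. Anything else is refused rather than bound by accident.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Issuer -like $IssuerPattern -and
                       ($_.DnsNameList.Unicode -contains $fqdn) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for $fqdn issued by '$IssuerPattern' in Cert:\LocalMachine\My" }

    # The WSMan: drive needs the service running.
    Set-Service -Name WinRM -StartupType Automatic
    Start-Service -Name WinRM

    # Replace any existing HTTPS listener so the thumbprint in use is always the current one
    # (listeners are bound by thumbprint, so a renewed certificate needs this step again).
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        Remove-Item -Recurse -Force
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -HostName $fqdn -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

    if ($RemoveHttpListener) {
        Get-ChildItem WSMan:\localhost\Listener |
            Where-Object { $_.Keys -contains 'Transport=HTTP' } |
            Remove-Item -Recurse -Force
    }

    # Inbound 5986 on the Domain profile only; the rule name is this example's own.
    if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound -Protocol TCP `
            -LocalPort 5986 -Profile Domain -Action Allow | Out-Null
    }

    # Report what was bound so the deployment log records host, thumbprint and expiry.
    [pscustomobject]@{
        Host       = $fqdn
        Thumbprint = $cert.Thumbprint
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
    }
}

# Usage on the PC, after Import-PfxCertificate:
# Set-ShopfloorWinRMListener
# Get-ChildItem WSMan:\localhost\Listener   # should show exactly one Transport=HTTPS listener
```

The certificate is selected by issuer and SAN rather than by a thumbprint typed in by hand, which prevents the listener from being bound to a stale self-signed certificate that may still be sitting in the store from the wildcard deployment.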
PHASE 3: Test Connection
Step 5: Connect from Your Computer
# On YOUR computer (H2PRFM94)
# Test basic connectivity - NO -SessionOption needed!
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
# ✓ Works! No certificate errors!
# Get credentials
$cred = Get-Credential
# Interactive session - NO -SessionOption needed!
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
# ✓ Connected! No certificate warnings!
# Run remote command
Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986 `
-ScriptBlock { hostname }
# Returns: G9KN7PZ3ESF
The key difference: No more -SessionOption $sessionOption! The certificates are properly trusted.
Comparison: Before vs After
Before (Wildcard Certificate):
# Had to skip certificate validation
$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
# Every connection needed this:
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986 `
-SessionOption $sessionOption # ← Required!
Problems:
- ❌ Certificate validation bypassed: with -SkipCACheck and -SkipCNCheck the client accepts any certificate, so it cannot tell a real shopfloor PC from an impostor or a man-in-the-middle
- ❌ Same certificate and private key on all 175 PCs
- ❌ If the key is extracted from any one PC, every PC is affected
- ❌ Name mismatch errors whenever the name you connect with (short hostname, IP address) is not covered by *.logon.ds.ge.com
After (CA-Signed Individual Certificates):
# Clean, simple connection
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
# That's it! No -SessionOption needed!
Benefits:
- ✅ Full certificate validation (issuer chain and hostname), no bypass options
- ✅ Each PC has its own certificate and private key
- ✅ If one PC is compromised, only that PC's certificate is affected
- ✅ The PC's own FQDN is in the certificate, so the name you connect with matches
- ✅ Individual certificates can be replaced without touching any other PC
- ✅ The same trust model enterprise PKI uses, with a private CA used only for WinRM
What Gets Deployed Where
Your Management Computer (H2PRFM94):
Cert:\LocalMachine\Root\
└─ Shopfloor WinRM CA ← CA public certificate ONLY
(No private key)
Each Shopfloor PC:
Cert:\LocalMachine\My\
└─ CN=g9kn7pz3esf.logon.ds.ge.com ← Individual certificate
Issued by: Shopfloor WinRM CA
(Has private key for this PC only)
Secure Admin Computer (Where You Create Certs):
Shopfloor-WinRM-CA-20251017.pfx ← CA PRIVATE KEY (SECURE!)
G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx ← PC certificates (175 files, each with that PC's private key)
G1JJVH63ESF-logon.ds.ge.com-20251017.pfx
... (175 total)
Security Advantages
Wildcard Certificate Approach:
One private key shared by all 175 PCs: compromise of any one PC exposes the key every PC uses
Must replace the certificate on ALL 175 PCs to recover
Clients run with validation disabled, so they cannot tell a real shopfloor PC from an impostor on the network
CA Approach:
Each PC holds its own private key: compromise of one PC exposes only that PC's certificate
Replace that one certificate and redeploy to that one PC
Other 174 PCs unaffected
Clients validate the chain, so a listener presenting a certificate the CA did not sign is rejected
Caveats that come with running your own CA:
The CA PFX is now the root of trust for every management computer. Anyone holding that file and its password can issue a certificate for any hostname that those computers will accept, so keep it off the network and out of shared drives; only the .cer file should ever be copied around.
Installing the CA in Cert:\LocalMachine\Root makes that machine trust it for every purpose the CA certificate allows, not just WinRM. Unless the CA certificate is constrained (name constraints, EKU), treat it as being as powerful on that machine as any public root.
"Revoking" a certificate only takes effect on clients if the CA publishes a CRL (or OCSP responder) that they can reach and the certificate points to it. A script-built CA with no CRL distribution point gives clients no way to learn about revocation; in practice you remove the certificate from the affected PC, issue a new one, and treat the old thumbprint as compromised.
Real-World Example
Your First Connection:
1. Install CA on your computer (one time):
Import-Certificate -FilePath "Shopfloor-WinRM-CA-20251017.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
2. Deploy certificate to G9KN7PZ3ESF (one time per PC):
# Copy and import certificate on the PC
# Configure WinRM
3. Connect from your computer (anytime):
# Simple, clean, secure
$cred = Get-Credential
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
Result:
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>
No certificate errors! It just works!
Certificate Chain Verification
When you connect, Windows automatically validates:
1. PC presents certificate: CN=g9kn7pz3esf.logon.ds.ge.com
↓
2. Check issuer: Shopfloor WinRM CA
↓
3. Is "Shopfloor WinRM CA" in Trusted Root?
↓
4. YES! Found in Cert:\LocalMachine\Root
↓
5. ✓ Certificate trusted
↓
6. ✓ Connection allowed
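When a PC fails this chain, Test-WSMan only reports that the certificate was rejected. The function below is an added example, not part of the repository, that runs from the management computer and reproduces the checks the WinRM client performs (chain to a trusted root, hostname in the SAN, issuer, Server Authentication EKU) but reports each result separately, so a failing PC can be diagnosed without falling back to -SkipCACheck/-SkipCNCheck. It assumes the CA subject is "CN=Shopfloor WinRM CA"; the function name is this example's own.

```powershell
# Added example (not part of the project): fetch the certificate a PC presents on 5986 and
# validate it the way the WinRM client will, reporting each check individually.
function Test-ShopfloorListenerCert {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,          # must be the FQDN you will connect with
        [int] $Port = 5986,
        [string] $ExpectedIssuer = 'CN=Shopfloor WinRM CA'      # assumption: subject of the CA created by the scripts
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    $ssl = $null
    try {
        # Accept any certificate at the TLS layer so it can be inspected; validation is done explicitly below.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # 1. Chain: does the issuer chain end at a certificate in the local Root store?
    #    Revocation is not checked because a script-built CA publishes no CRL.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # 2. Name: the name used to connect must appear in the Subject Alternative Name extension.
    $sanNames = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $sanNames = ($san.Format($false) -split ',\s*') -replace '^DNS Name=', '' }
    $nameOk = $sanNames -contains $ComputerName

    # 3. Issuer and usage: signed by our CA and valid for server authentication.
    $issuerOk = $cert.Issuer -eq $ExpectedIssuer
    $ekuOk    = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'

    [pscustomobject]@{
        Host          = $ComputerName
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        ChainValid    = $chainOk
        ChainErrors   = $chainErrors     # e.g. UntrustedRoot when the CA .cer is missing on this computer
        NameMatches   = $nameOk
        IssuerMatches = $issuerOk
        ServerAuthEKU = $ekuOk
        Ready         = ($chainOk -and $nameOk -and $issuerOk -and $ekuOk)
    }
}

# Usage: sweep every PC in the hostname file and list the ones not yet ready for -UseSSL without bypasses
# Get-Content shopfloor-hostnames.txt | Where-Object { $_.Trim() } | ForEach-Object {
#     Test-ShopfloorListenerCert -ComputerName "$($_.Trim().ToLower()).logon.ds.ge.com"
# } | Where-Object { -not $_.Ready } | Format-Table Host, ChainErrors, NameMatches, IssuerMatches, ServerAuthEKU
```

A PC still presenting the old self-signed wildcard certificate shows up here with IssuerMatches false and ChainErrors containing UntrustedRoot, which is the case the "Before" workflow was silently accepting.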
Summary: What Changes for You
Current Workflow (Wildcard):
- Connect to PC
- Get certificate error
- Use -SessionOption to bypass validation
- Warning: Certificate not validated
New Workflow (CA):
- Connect to PC
- Certificate automatically validated
- Connection succeeds
- No warnings, fully secure
It's actually EASIER and MORE SECURE!
Quick Start Commands
# 1. Create CA (one time)
.\Create-CertificateAuthority.ps1
# 2. Sign all PC certificates (one time)
.\Sign-BulkPCCertificates.ps1 -HostnameFile shopfloor-hostnames.txt
# 3. Install CA on your computer (one time, as Administrator)
Import-Certificate -FilePath "Shopfloor-WinRM-CA-20251017.cer" -CertStoreLocation Cert:\LocalMachine\Root
# 4. Deploy to PCs (repeat for each)
# (Copy PFX, import, configure WinRM)
# 5. Connect (anytime) - SIMPLE!
$cred = Get-Credential
Enter-PSSession -ComputerName HOSTNAME.logon.ds.ge.com -Credential $cred -UseSSL -Port 5986
Questions?
Q: Do I need to install anything on each PC besides its own certificate?
A: No. Each PC only gets its own certificate with its private key. The CA certificate is only installed on the management computers, because they are the side doing the validating.
Q: What if I add more PCs later?
A: Use Sign-PCCertificate.ps1 to sign a certificate for the new PC. Any computer that trusts the CA will automatically trust the new certificate.
Q: Can multiple people manage these PCs?
A: Yes. Install the CA certificate (the .cer file, never the .pfx) on each management computer; all of them will then trust the PC certificates.
Q: What happens when certificates expire (2 years)?
A: Sign new certificates using the same CA and deploy them before the old ones expire; because the HTTPS listener is bound by thumbprint, it has to be re-pointed at the new certificate on each PC. The CA certificate itself is valid for 10 years; when it is eventually renewed, the new .cer must also be installed on every management computer.
Q: Is this really better than the wildcard certificate?
A: YES! It's more secure, more professional, and actually easier to use because you don't need -SessionOption anymore.
Bottom line: You'll have cleaner, simpler, more secure connections with NO certificate warnings or bypasses!