powershell-scripts/winrm-https/winrm-ca-scripts/AFTER-BULK-SIGNING.txt
cproudlock 62c0c7bb06 Initial commit: Organized PowerShell scripts for ShopDB asset collection
Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 10:57:54 -05:00


================================================================================
AFTER RUNNING BULK CERTIFICATE SIGNING - WHAT'S NEXT?
================================================================================
You just ran: .\Sign-BulkCertificates.ps1
Now you have 175 individual certificates ready to deploy!
================================================================================
WHAT YOU HAVE NOW
================================================================================
Folder created: pc-certificates\batch-YYYYMMDD-HHMMSS\
Inside this folder:
- 175 PFX files (one per PC)
Example: G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx
- 175 CER files (public certificates)
Example: G9KN7PZ3ESF-logon.ds.ge.com-20251017.cer
- certificate-list.csv (spreadsheet of all certificates)
- SUMMARY.txt (summary report)
================================================================================
NEXT STEP: DEPLOY TO ONE PC (TEST FIRST!)
================================================================================
Test on: G9KN7PZ3ESF
STEP 1: Copy Certificate to the PC
-----------------------------------
From YOUR computer (H2PRFM94):
# Navigate to the certificate folder
cd pc-certificates\batch-*
# Copy to the test PC
Copy-Item "G9KN7PZ3ESF-logon.ds.ge.com-*.pfx" `
    -Destination "\\G9KN7PZ3ESF\C$\Temp\"
If that doesn't work (network path issue):
- Copy the file to a USB drive
- Or use network share location
- Or RDP to the PC and copy directly
STEP 2: Import Certificate on the PC
-------------------------------------
ON THE PC (G9KN7PZ3ESF), in PowerShell as Administrator:
# Import the certificate
$certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
$cert = Import-PfxCertificate `
    -FilePath "C:\Temp\G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password $certPass
# Show the certificate (verify it worked)
$cert | Format-List Subject, Issuer, Thumbprint, NotAfter
You should see:
Subject: CN=g9kn7pz3esf.logon.ds.ge.com
Issuer: CN=Shopfloor WinRM CA
Thumbprint: (long string)
NotAfter: (expiration date)
STEP 3: Configure WinRM HTTPS
------------------------------
Still ON THE PC (G9KN7PZ3ESF):
Option A - If you have Setup-WinRM-HTTPS.ps1 on the PC:
.\Setup-WinRM-HTTPS.ps1 `
    -CertificateThumbprint $cert.Thumbprint `
    -Domain "logon.ds.ge.com"
Option B - Manual configuration (if no script):
# Enable WinRM
Enable-PSRemoting -Force -SkipNetworkProfileCheck
# Remove old HTTPS listener (if exists)
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
# Create HTTPS listener with the certificate
$hostname = "g9kn7pz3esf.logon.ds.ge.com"
winrm create winrm/config/Listener?Address=*+Transport=HTTPS `
    "@{Hostname=`"$hostname`";CertificateThumbprint=`"$($cert.Thumbprint)`";Port=`"5986`"}"
# Create firewall rule
New-NetFirewallRule -DisplayName "WinRM HTTPS-In" `
    -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow
STEP 4: Verify Configuration on the PC
---------------------------------------
Still ON THE PC (G9KN7PZ3ESF):
# Check WinRM service
Get-Service WinRM
# Should show: Running
# Check listeners
winrm enumerate winrm/config/listener
# Should show HTTPS listener on port 5986
# Hostname should be: g9kn7pz3esf.logon.ds.ge.com
# Check port
netstat -an | findstr :5986
# Should show: 0.0.0.0:5986 LISTENING
# Check firewall
Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"
# Should show: Enabled = True
If any of these fail, run Test-RemotePC-Debug.bat on the PC!
STEP 5: Test Connection from YOUR Computer
-------------------------------------------
Back on YOUR computer (H2PRFM94):
# Test basic connectivity
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
Expected output:
wsmid : http://schemas.dmtf.org/...
ProtocolVersion : http://schemas.dmtf.org/...
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0
✅ SUCCESS! No certificate errors!
# Test interactive session
$cred = Get-Credential
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
    -Credential $cred -UseSSL -Port 5986
Expected result:
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>
✅ You're now connected to the remote PC!
# Try some commands:
hostname
Get-Service WinRM
Exit-PSSession
================================================================================
IF TEST PC WORKS - DEPLOY TO MORE PCs
================================================================================
Deploy to 3-5 more PCs for additional testing:
- G1JJVH63ESF
- G1JJXH63ESF
- G1JKYH63ESF
- etc.
For each PC, repeat Steps 1-5 above.
================================================================================
BULK DEPLOYMENT TO ALL 175 PCs
================================================================================
Once 5+ PCs are working successfully, deploy to all remaining PCs.
Option A - Manual Deployment (Safe but slow):
- Deploy 10-20 PCs at a time
- Verify each batch works before continuing
- Track progress in a spreadsheet
Option B - Automated Deployment (Faster):
Create a deployment script (the remote block repeats the Step 3, Option B
commands; the PFX password travels as a SecureString, which PowerShell
remoting encrypts with the session key, and the PFX is deleted from the PC
once the private key is in the store):
$pcs = Get-Content "shopfloor-hostnames.txt"
$certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force

foreach ($pc in $pcs) {
    $fqdn = "$pc.logon.ds.ge.com".ToLower()
    Write-Host "Deploying to $pc..." -ForegroundColor Yellow
    try {
        # Copy certificate (the batch folder holds exactly one PFX per PC)
        $certFile = Get-ChildItem "pc-certificates\batch-*\$pc-*.pfx" | Select-Object -First 1
        if (-not $certFile) { throw "No PFX found for $pc in pc-certificates\batch-*" }
        Copy-Item $certFile.FullName -Destination "\\$fqdn\C$\Temp\" -ErrorAction Stop

        # Import and configure remotely (this first hop uses the PC's existing WinRM listener)
        Invoke-Command -ComputerName $fqdn -ErrorAction Stop -ScriptBlock {
            param($certPath, [SecureString]$certPassword, $hostname)
            $cert = Import-PfxCertificate -FilePath $certPath `
                -CertStoreLocation Cert:\LocalMachine\My -Password $certPassword

            # Configure WinRM HTTPS (same commands as Step 3, Option B)
            Enable-PSRemoting -Force -SkipNetworkProfileCheck
            winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
            winrm create winrm/config/Listener?Address=*+Transport=HTTPS `
                "@{Hostname=`"$hostname`";CertificateThumbprint=`"$($cert.Thumbprint)`";Port=`"5986`"}"
            if (-not (Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName "WinRM HTTPS-In" `
                    -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow | Out-Null
            }

            # The private key is now in the store; don't leave the PFX lying in C:\Temp
            Remove-Item $certPath -Force
        } -ArgumentList "C:\Temp\$($certFile.Name)", $certPass, $fqdn

        Write-Host "  [OK] $pc deployed successfully" -ForegroundColor Green
    } catch {
        Write-Host "  [ERROR] $pc failed: $($_.Exception.Message)" -ForegroundColor Red
    }
}
Note: You'd need to adapt this for your environment.
================================================================================
TRACKING DEPLOYMENT
================================================================================
Create a tracking spreadsheet with columns:
- Hostname
- Certificate Deployed (Yes/No/Date)
- WinRM Configured (Yes/No/Date)
- Connection Tested (Yes/No/Date)
- Notes
Use the certificate-list.csv as a starting point!
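The following is an added example, not one of the winrm-ca-scripts, that
combines the Step 5 connection test with the tracking spreadsheet above: run
from the management computer, it tries Test-WSMan over HTTPS and then an
authenticated Invoke-Command against each hostname, and emits one row per PC
with the columns listed above. The hostname file, the output CSV name and
the function name are assumptions.

```powershell
# Added example (not part of the project). Run on the management computer.
function Test-ShopfloorWinRM {
    param(
        [string[]]$Hostnames,
        [pscredential]$Credential,
        [string]$Domain = "logon.ds.ge.com",
        [string]$ExpectedIssuer = "CN=Shopfloor WinRM CA",
        [int]$Port = 5986
    )
    $today = Get-Date -Format 'yyyy-MM-dd'
    foreach ($pc in $Hostnames) {
        $fqdn = "$pc.$Domain".ToLower()
        # One tracking row per PC, same columns as the spreadsheet above
        $row = [ordered]@{
            'Hostname'             = $pc
            'Certificate Deployed' = 'No'
            'WinRM Configured'     = 'No'
            'Connection Tested'    = 'No'
            'Notes'                = ''
        }
        try {
            # Test-WSMan -UseSSL performs the TLS handshake and validates the server
            # certificate against this machine's trusted CAs. A chain or name error
            # here means the wrong PFX or a missing CA trust, not something to skip.
            Test-WSMan -ComputerName $fqdn -UseSSL -Port $Port -ErrorAction Stop | Out-Null
            $row['WinRM Configured'] = $today

            # Authenticated session over HTTPS: report which CA-issued cert the PC holds
            $info = Invoke-Command -ComputerName $fqdn -Credential $Credential `
                -UseSSL -Port $Port -ErrorAction Stop -ScriptBlock {
                param($issuer)
                $c = Get-ChildItem Cert:\LocalMachine\My |
                    Where-Object { $_.Issuer -eq $issuer } |
                    Sort-Object NotAfter -Descending | Select-Object -First 1
                [pscustomobject]@{
                    Subject    = $c.Subject
                    Thumbprint = $c.Thumbprint
                    NotAfter   = $c.NotAfter
                }
            } -ArgumentList $ExpectedIssuer
            $row['Connection Tested'] = $today
            if ($info.Thumbprint) { $row['Certificate Deployed'] = $today }
            $row['Notes'] = "$($info.Subject) thumbprint $($info.Thumbprint) expires $($info.NotAfter)"
        } catch {
            # Leave the dated columns at 'No' and record why, so the row is actionable
            $row['Notes'] = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Usage (file names are assumptions):
# $cred    = Get-Credential
# $results = Test-ShopfloorWinRM -Hostnames (Get-Content shopfloor-hostnames.txt) -Credential $cred
# $results | Export-Csv deployment-tracking.csv -NoTypeInformation
# $results | Where-Object { $_.'Connection Tested' -eq 'No' } | Format-Table Hostname, Notes
```

The Notes column carries the failure message for any PC that did not pass,
which maps directly onto the "Common problems" list in the Troubleshooting
section (listener missing, certificate missing, firewall, wrong PFX).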
================================================================================
TROUBLESHOOTING
================================================================================
If a PC won't connect:
1. Copy Test-RemotePC-Debug.bat and Test-RemotePC-Debug.ps1 to that PC
2. Right-click Test-RemotePC-Debug.bat, "Run as Administrator"
3. Review the output to find the issue
Common problems:
❌ Port 5986 not listening → WinRM listener not created
❌ Certificate not found → Certificate not imported
❌ Firewall blocking → Firewall rule missing
❌ Wrong hostname in cert → Used wrong PFX file
================================================================================
VERIFICATION CHECKLIST
================================================================================
For each deployed PC, verify:
✓ Certificate imported (Cert:\LocalMachine\My)
✓ Certificate issued by "Shopfloor WinRM CA"
✓ WinRM service running
✓ HTTPS listener on port 5986
✓ Listener hostname matches PC FQDN
✓ Firewall rule enabled
✓ Port 5986 listening
✓ Can connect from management computer
✓ No certificate warnings
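As an added example (not one of the project's scripts), the function below
runs on the PC itself, as Administrator, and checks the Step 4 items and the
checklist above in one pass, returning a Pass/Fail row per check. The
expected FQDN suffix and CA name come from this document; the function name
and the use of the WSMan: drive instead of parsing `winrm enumerate` output
are my choices.

```powershell
# Added example (not part of the project). Run ON THE PC as Administrator.
function Test-WinRMHttpsDeployment {
    param(
        [string]$Fqdn = "$env:COMPUTERNAME.logon.ds.ge.com".ToLower(),
        [string]$ExpectedIssuer = "CN=Shopfloor WinRM CA",
        [string]$FirewallRuleName = "WinRM HTTPS-In",
        [int]$Port = 5986
    )
    $results = New-Object System.Collections.Generic.List[object]
    $add = { param($Name, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }) }

    # Certificate: in LocalMachine\My, subject = this PC's FQDN, issued by the CA,
    # private key present (the PFX, not the CER, was imported), not expired
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -ieq "CN=$Fqdn" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    & $add "Certificate imported (CN=$Fqdn)" ($null -ne $cert) $(if ($cert) { $cert.Thumbprint } else { "not found: wrong PFX or not imported" })
    & $add "Certificate issued by $ExpectedIssuer" ($cert -and $cert.Issuer -eq $ExpectedIssuer) $(if ($cert) { $cert.Issuer } else { "n/a" })
    & $add "Certificate has private key" ($cert -and $cert.HasPrivateKey) ""
    & $add "Certificate not expired" ($cert -and $cert.NotAfter -gt (Get-Date)) $(if ($cert) { $cert.NotAfter } else { "n/a" })

    # WinRM service
    $svc = Get-Service WinRM
    & $add "WinRM service running" ($svc.Status -eq 'Running') $svc.Status

    # HTTPS listener: read its settings from the WSMan: provider
    $props = @{}
    $https = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
        Where-Object { $_.Keys -contains "Transport=HTTPS" } | Select-Object -First 1
    if ($https) {
        Get-ChildItem "WSMan:\localhost\Listener\$($https.Name)" | ForEach-Object { $props[$_.Name] = $_.Value }
    }
    & $add "HTTPS listener exists" ($null -ne $https) $(if ($https) { $https.Name } else { "no Transport=HTTPS listener" })
    & $add "Listener port is $Port" ($props['Port'] -eq "$Port") $props['Port']
    & $add "Listener hostname matches FQDN" ($props['Hostname'] -ieq $Fqdn) $props['Hostname']
    & $add "Listener uses the imported cert" ($cert -and $props['CertificateThumbprint'] -ieq $cert.Thumbprint) $props['CertificateThumbprint']

    # Firewall rule and actual socket
    $rule = Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue
    & $add "Firewall rule '$FirewallRuleName' enabled" ($rule -and $rule.Enabled -eq 'True') $(if ($rule) { $rule.Enabled } else { "rule missing" })
    $sock = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue | Select-Object -First 1
    & $add "Port $Port listening" ($null -ne $sock) $(if ($sock) { "$($sock.LocalAddress):$($sock.LocalPort)" } else { "nothing bound" })

    return $results
}

# Usage:
# Test-WinRMHttpsDeployment | Format-Table Check, Pass, Detail -AutoSize
# (Test-WinRMHttpsDeployment | Where-Object { -not $_.Pass }).Count -eq 0   # $true when fully deployed
```

The "Can connect from management computer" and "No certificate warnings"
items are deliberately not checked here: they must be verified from the
management computer with Test-WSMan -UseSSL, because only a remote client
exercises the TLS handshake and the CA trust path.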
================================================================================
FINAL RESULT
================================================================================
After deploying all 175 PCs, you can connect to ANY of them with:
$cred = Get-Credential
Enter-PSSession -ComputerName HOSTNAME.logon.ds.ge.com `
    -Credential $cred -UseSSL -Port 5986
Clean, secure, no certificate bypasses!
Run commands on multiple PCs:
$computers = @("g9kn7pz3esf", "g1jjvh63esf", "g1jjxh63esf")
Invoke-Command -ComputerName ($computers | ForEach-Object { "$_.logon.ds.ge.com" }) `
    -Credential $cred -UseSSL -Port 5986 `
    -ScriptBlock {
        Get-Service WinRM | Select-Object Name, Status
    }
Collect data from all 175 PCs in seconds!
================================================================================
SUMMARY
================================================================================
Next Steps After Bulk Signing:
1. ✅ Deploy to ONE PC (G9KN7PZ3ESF) - TEST FIRST
2. ✅ Verify connection works
3. ✅ Deploy to 3-5 more PCs
4. ✅ Deploy to remaining PCs in batches
5. ✅ Track progress
6. ✅ Verify all deployments
7. ✅ Celebrate! 🎉
================================================================================
NEED HELP?
================================================================================
- Certificate issues → Run Test-RemotePC-Debug.bat on the PC
- Connection issues → Check firewall, WinRM service, listener
- Can't copy files → Check network paths, permissions
- General questions → Review README.txt
All scripts and documentation are in /home/camp/winrm-ca-scripts/
================================================================================