powershell-scripts/winrm-https/winrm-ca-scripts/README.txt

================================================================================
WinRM HTTPS Certificate Authority Scripts
================================================================================

Files Included:
---------------

1. Create-CA-Simple.ps1
   - Creates a Certificate Authority
   - Run this FIRST on your management computer
   - Generates CA certificate files

2. Sign-BulkCertificates.ps1
   - Signs certificates for all 175 PCs
   - Run this AFTER creating the CA
   - Requires: CA PFX file and shopfloor-hostnames.txt

3. Test-RemotePC-Debug.ps1
   - Debug script to run ON THE REMOTE PC
   - Checks WinRM configuration, certificates, firewall, etc.

4. Test-RemotePC-Debug.bat
   - Batch file to run the debug script
   - Right-click "Run as Administrator"

================================================================================
QUICK START
================================================================================

STEP 1: Create Certificate Authority
-------------------------------------
On YOUR computer (H2PRFM94), as Administrator:

  PS> cd C:\users\570005354\Downloads\winrm-ca-scripts
  PS> .\Create-CA-Simple.ps1

  Enter password: ShopfloorCA2025!
  Confirm password: ShopfloorCA2025!

Files created:
  - Shopfloor-WinRM-CA-YYYYMMDD.pfx  (CA private key - KEEP SECURE!)
  - Shopfloor-WinRM-CA-YYYYMMDD.cer  (CA public certificate)
  - CA-INFO-YYYYMMDD.txt             (Information)


STEP 2: Install CA on Your Computer
------------------------------------
On YOUR computer (H2PRFM94), as Administrator:

  PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-YYYYMMDD.cer" `
          -CertStoreLocation Cert:\LocalMachine\Root

This makes your computer trust all certificates signed by this CA!


STEP 3: Sign PC Certificates
-----------------------------
On YOUR computer (H2PRFM94), as Administrator:

  PS> $caPass = ConvertTo-SecureString "ShopfloorCA2025!" -AsPlainText -Force
  PS> $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
  PS> .\Sign-BulkCertificates.ps1 `
          -HostnameFile "C:\path\to\shopfloor-hostnames.txt" `
          -CAPfxPath "Shopfloor-WinRM-CA-YYYYMMDD.pfx" `
          -CAPassword $caPass `
          -CertificatePassword $certPass

Creates:
  - pc-certificates/batch-TIMESTAMP/  (folder with 175 PFX files)


STEP 4: Debug Remote PC (If Issues)
------------------------------------
Copy Test-RemotePC-Debug.bat and Test-RemotePC-Debug.ps1 to the remote PC.

On the remote PC, right-click Test-RemotePC-Debug.bat and "Run as Administrator"

This will show:
  - WinRM service status
  - Listeners configured
  - Ports listening
  - Firewall rules
  - Certificates installed
  - Network information

Use this output to troubleshoot issues!


STEP 5: Deploy to One PC (Test)
--------------------------------
For PC: G9KN7PZ3ESF

A. Copy certificate to PC:
   PS> Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-logon.ds.ge.com-*.pfx" `
           -Destination "\\G9KN7PZ3ESF\C$\Temp\"

B. On the PC (G9KN7PZ3ESF), import certificate:
   PS> $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
   PS> $cert = Import-PfxCertificate `
           -FilePath "C:\Temp\G9KN7PZ3ESF-logon.ds.ge.com-*.pfx" `
           -CertStoreLocation Cert:\LocalMachine\My `
           -Password $certPass

C. Configure WinRM:
   PS> .\Setup-WinRM-HTTPS.ps1 `
           -CertificateThumbprint $cert.Thumbprint `
           -Domain "logon.ds.ge.com"


STEP 6: Test Connection
------------------------
From YOUR computer (H2PRFM94):

  PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

  PS> $cred = Get-Credential
  PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
          -Credential $cred -UseSSL -Port 5986

No -SessionOption needed! Clean and secure!


================================================================================
TROUBLESHOOTING
================================================================================

Problem: Cannot create CA
Solution: Make sure running as Administrator

Problem: Sign-BulkCertificates.ps1 fails
Solution: Check that CA PFX file exists and password is correct

Problem: Cannot connect to remote PC
Solution:
  1. Run Test-RemotePC-Debug.bat on the remote PC
  2. Check that port 5986 is listening
  3. Check that HTTPS listener exists
  4. Check that certificate is imported
  5. Check that firewall rule exists

Problem: Certificate not trusted
Solution: Make sure CA certificate is installed on YOUR computer:
  Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Shopfloor*"}

================================================================================
PASSWORDS USED
================================================================================

CA Password: ShopfloorCA2025!
  - Protects CA private key (PFX file)
  - Keep secure!

PC Certificate Password: PCCert2025!
  - Same password for all 175 PC certificates
  - Used when importing certificates on PCs

================================================================================
SECURITY NOTES
================================================================================

1. CA Private Key (PFX file):
   - KEEP SECURE! Can sign certificates for any PC
   - Store in password manager or secure vault
   - Never share via email or chat

2. CA Public Certificate (CER file):
   - Safe to distribute to all management computers
   - Install in Trusted Root Certification Authorities

3. PC Certificates:
   - Each PC gets its own unique certificate
   - All use same password for simplicity
   - Only deploy to the specific PC (not others)

================================================================================