powershell-scripts/winrm-https/winrm-ca-scripts/SINGLE-PC-TEST.txt
cproudlock 62c0c7bb06 Initial commit: Organized PowerShell scripts for ShopDB asset collection
Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 10:57:54 -05:00


================================================================================
SINGLE PC TEST - QUICK START
================================================================================
Test the entire certificate deployment on ONE PC before deploying to all 175.
Test PC: G9KN7PZ3ESF
================================================================================
STEP 1: CREATE CA (ONE TIME - 5 MINUTES)
================================================================================
On YOUR computer (H2PRFM94):
PS> cd C:\path\to\winrm-ca-scripts
PS> .\Create-CA-Simple.ps1
Enter password: ShopfloorCA2025!
Output:
✓ Shopfloor-WinRM-CA-20251017.pfx
✓ Shopfloor-WinRM-CA-20251017.cer
================================================================================
STEP 2: INSTALL CA ON YOUR COMPUTER (2 MINUTES)
================================================================================
Still on YOUR computer:
PS> Import-Certificate -FilePath "Shopfloor-WinRM-CA-20251017.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
Result:
✓ Your computer now trusts all certificates signed by this CA
================================================================================
STEP 3: SIGN CERTIFICATE FOR TEST PC (2 MINUTES)
================================================================================
Option A: Sign just ONE certificate
────────────────────────────────────────────────────────────────
Create a test file with just one hostname:
PS> "G9KN7PZ3ESF" | Out-File "test-hostname.txt"
PS> .\Sign-BulkCertificates.ps1 -HostnameFile "test-hostname.txt"
Enter CA password: ShopfloorCA2025!
Enter PC cert password: PCCert2025!
Output:
✓ pc-certificates\batch-TIMESTAMP\G9KN7PZ3ESF-logon.ds.ge.com-*.pfx
Option B: Sign ALL 175, but only deploy one
────────────────────────────────────────────────────────────────
PS> .\Sign-BulkCertificates.ps1
Enter CA password: ShopfloorCA2025!
Enter PC cert password: PCCert2025!
Output:
✓ pc-certificates\batch-TIMESTAMP\ (175 certificates)
You'll only deploy one for testing
================================================================================
STEP 4: DEPLOY TO TEST PC (5 MINUTES)
================================================================================
Method 1: Network Share Deployment (Recommended)
────────────────────────────────────────────────────────────────
A. Copy to network share:
PS> Copy-Item "pc-certificates\batch-*" `
-Destination "S:\dt\adata\script\deploy\pc-certificates\" `
-Recurse
PS> Copy-Item "Deploy-PCCertificate.ps1" `
-Destination "S:\dt\adata\script\deploy\"
PS> Copy-Item "Deploy-PCCertificate.bat" `
-Destination "S:\dt\adata\script\deploy\"
B. On the test PC (G9KN7PZ3ESF):
1. Navigate to: S:\dt\adata\script\deploy\
2. Right-click: Deploy-PCCertificate.bat
3. Select: "Run as Administrator"
4. Enter password: PCCert2025!
5. Wait for SUCCESS message
Result:
✓ Certificate automatically found and imported
✓ WinRM HTTPS configured
✓ Firewall rule created
✓ Log saved to: S:\dt\adata\script\deploy\LOGS\G9KN7PZ3ESF-*.txt
Method 2: Manual Deployment (If network share not ready)
────────────────────────────────────────────────────────────────
A. Copy certificate to PC:
PS> Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
PS> Copy-Item "Setup-WinRM-HTTPS.ps1" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
B. On the PC (G9KN7PZ3ESF), as Administrator:
PS> cd C:\Temp
# Import certificate
PS> $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
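# -FilePath does not expand wildcards, so resolve the file name first
PS> $pfx = Get-ChildItem "G9KN7PZ3ESF-*.pfx" | Select-Object -First 1
PS> $cert = Import-PfxCertificate `
-FilePath $pfx.FullName `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $certPass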
# Configure WinRM
PS> .\Setup-WinRM-HTTPS.ps1 `
-CertificateThumbprint $cert.Thumbprint `
-Domain "logon.ds.ge.com"
Result:
✓ Certificate imported
✓ WinRM HTTPS listener created
✓ Firewall configured
================================================================================
STEP 5: VERIFY ON THE PC (2 MINUTES)
================================================================================
On the test PC (G9KN7PZ3ESF):
# Check certificate
PS> Get-ChildItem Cert:\LocalMachine\My | Where-Object {
$_.Subject -like "*G9KN7PZ3ESF*"
} | Format-List Subject, Issuer, Thumbprint
Expected:
Subject : CN=g9kn7pz3esf.logon.ds.ge.com
Issuer : CN=Shopfloor WinRM CA
Thumbprint : (long string)
# Check WinRM service
PS> Get-Service WinRM
Expected:
Status   Name               DisplayName
------   ----               -----------
Running  WinRM              Windows Remote Management (WS-Manag...
# Check listener
PS> winrm enumerate winrm/config/listener
Expected:
Listener
Address = *
Transport = HTTPS
Port = 5986
Hostname = g9kn7pz3esf.logon.ds.ge.com
...
# Check port
PS> netstat -an | findstr :5986
Expected:
TCP 0.0.0.0:5986 0.0.0.0:0 LISTENING
✓ All checks passed!
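Added example, not one of the repository's scripts: the checks above show that a certificate exists and that an HTTPS listener exists, but not that the listener is bound to the new CA-signed certificate. This sketch reads the listener's thumbprint and checks the certificate it points to. The issuer string comes from the expected output above; the variable names are illustrative.

```powershell
# Added example, not one of the repository's scripts. Run elevated on the test PC.
$expectedIssuer = 'CN=Shopfloor WinRM CA'   # issuer from the expected output above
$serverAuthOid  = '1.3.6.1.5.5.7.3.1'       # Server Authentication EKU

$listener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Select-Object -First 1
if (-not $listener) { throw 'No WinRM HTTPS listener is configured.' }

# A listener is a container; its settings are child items with Name and Value.
$settings = @{}
Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)" |
    ForEach-Object { $settings[$_.Name] = $_.Value }

# Resolve the certificate the listener is actually bound to.
$thumbprint = ($settings['CertificateThumbprint'] -replace '\s', '').ToUpper()
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Listener thumbprint '$thumbprint' is not in LocalMachine\My." }

$now = Get-Date
[pscustomobject]@{
    ListenerHostname = $settings['Hostname']
    BoundThumbprint  = $cert.Thumbprint
    IssuerMatches    = ($cert.Issuer -eq $expectedIssuer)
    HasPrivateKey    = $cert.HasPrivateKey
    ServerAuthEku    = ($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    NameCovered      = ($cert.DnsNameList.Unicode -contains $settings['Hostname'])
    WithinValidity   = (($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter))
}
```

Any False value points at the step to repeat: a wrong issuer or thumbprint means the listener still uses an older certificate, and a missing private key means the .pfx import did not complete.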
================================================================================
STEP 6: TEST CONNECTION FROM YOUR COMPUTER (3 MINUTES)
================================================================================
Back on YOUR computer (H2PRFM94):
A. Test basic connectivity
─────────────────────────────────────────────────────────────
PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
Expected Output:
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0
✅ SUCCESS = WinRM is working with HTTPS!
B. Test interactive session
─────────────────────────────────────────────────────────────
PS> $cred = Get-Credential
# Enter your domain credentials
PS> Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
Expected:
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>
✅ SUCCESS = You're connected!
Try commands:
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> hostname
G9KN7PZ3ESF
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Get-Service WinRM
Running WinRM Windows Remote Management
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\> Exit-PSSession
C. Test remote command execution
─────────────────────────────────────────────────────────────
PS> Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986 `
-ScriptBlock { Get-ComputerInfo | Select-Object CsName, WindowsVersion }
Expected:
CsName       WindowsVersion
------       --------------
G9KN7PZ3ESF  2009
✅ SUCCESS = Remote commands work!
================================================================================
KEY OBSERVATIONS
================================================================================
Notice what you DON'T need:
❌ No -SessionOption parameter
❌ No -SkipCNCheck
❌ No -SkipCACheck
❌ No -SkipRevocationCheck
❌ No certificate bypass tricks
This is CLEAN and SECURE because:
✓ Your computer trusts the CA
✓ PC certificate is signed by trusted CA
✓ Certificate CN matches hostname
✓ Full certificate chain validation works
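Added example, not part of the original file or the repository's scripts: a probe run from the admin computer that fetches the certificate presented on port 5986 and reports the properties listed above (issuer, name match, chain trust). The function name is illustrative; the hostname and CA subject are taken from this page. Requires PowerShell 5.0 or later.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example: run from the admin computer (PowerShell 5.0+).
function Test-WinRMServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 5986,
        [string] $ExpectedIssuer = 'CN=Shopfloor WinRM CA'   # CA subject from this page
    )
    # Accept any certificate during this probe so a failing one can still be
    # inspected; no credentials or commands are sent on this connection.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tcp = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    $ssl = $null
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        # TLS 1.2 is requested explicitly; older .NET defaults may offer less.
        $ssl.AuthenticateAsClient($ComputerName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = [X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }

    # Build the chain against the local trust stores. Revocation is left out:
    # the page does not say whether the CA publishes a CRL (assumption).
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    # DNS name from the SAN, falling back to the subject CN.
    $dnsName = $cert.GetNameInfo('DnsName', $false)

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        IssuerMatch  = ($cert.Issuer -eq $ExpectedIssuer)
        NameMatch    = ($dnsName -eq $ComputerName)
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus.Status -join ', ')
        NotAfter     = $cert.NotAfter
    }
}

Test-WinRMServerCertificate -ComputerName g9kn7pz3esf.logon.ds.ge.com
```

ChainTrusted is False with an UntrustedRoot status when the CA .cer from Step 2 is missing from Cert:\LocalMachine\Root, and NameMatch is False when the name used to connect differs from the name in the certificate.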
================================================================================
TROUBLESHOOTING
================================================================================
If Test-WSMan fails:
────────────────────────────────────────────────────────────────
1. Copy Test-RemotePC-Debug.bat to the PC
2. Run it as Administrator on the PC
3. Review output to identify the issue
Common issues:
- Port 5986 not listening → Re-run Setup-WinRM-HTTPS.ps1
- Certificate not found → Re-import certificate
- Firewall blocking → Check firewall rule
- DNS not resolving → Use IP address for testing (reachability only; the certificate CN is the FQDN, so the name check fails against an IP)
If connection works but certificate errors appear:
────────────────────────────────────────────────────────────────
Check if CA is installed on YOUR computer:
PS> Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
$_.Subject -like "*Shopfloor*"
}
If not found:
# -FilePath does not expand wildcards, so resolve the file name first
PS> Import-Certificate -FilePath (Get-Item "Shopfloor-WinRM-CA-*.cer").FullName `
-CertStoreLocation Cert:\LocalMachine\Root
================================================================================
SUCCESS CRITERIA
================================================================================
The test is successful when:
✓ Test-WSMan works without errors
✓ Enter-PSSession connects without -SessionOption
✓ No certificate warnings
✓ Remote commands execute successfully
✓ Connection is clean and secure
================================================================================
AFTER SUCCESSFUL TEST
================================================================================
Once ONE PC works perfectly:
1. Test 3-5 more PCs using same process
2. If all tests pass, proceed to full deployment
3. Deploy to remaining 170 PCs in batches
4. Use COMPLETE-WORKFLOW.txt for full deployment guide
================================================================================
TIME ESTIMATE
================================================================================
Total time to test ONE PC:
- Create CA: 5 minutes (one time)
- Install CA on your computer: 2 minutes (one time)
- Sign certificate for test PC: 2 minutes
- Deploy to PC: 5 minutes
- Verify configuration: 2 minutes
- Test connection: 3 minutes
─────────────────────────────────
Total: ~20 minutes for first PC
Subsequent PCs: ~4 minutes each (CA already created)
================================================================================
SUMMARY
================================================================================
Single PC Test Process:
1. Create CA (one time)
2. Install CA on your computer (one time)
3. Sign certificate for G9KN7PZ3ESF
4. Deploy certificate to G9KN7PZ3ESF
5. Test connection from your computer
6. Verify clean, secure connection
If successful → Deploy to all 175 PCs
If issues → Debug on test PC before continuing
================================================================================