powershell-scripts/winrm-https/winrm-ca-scripts/START-HERE.txt
cproudlock 62c0c7bb06 Initial commit: Organized PowerShell scripts for ShopDB asset collection
Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 10:57:54 -05:00


================================================================================
START HERE - WinRM HTTPS Certificate Authority Setup
================================================================================
Location: /tmp/winrm-ca-scripts/
All files have been created and are ready to use!
================================================================================
COPY THESE FILES TO YOUR WINDOWS COMPUTER
================================================================================
Copy ALL files in /tmp/winrm-ca-scripts/ to:

    C:\users\570005354\Downloads\winrm-ca-scripts\

Files to copy:

  1. Create-CA-Simple.ps1       - Creates Certificate Authority
  2. Sign-BulkCertificates.ps1  - Signs 175 PC certificates
  3. Test-RemotePC-Debug.ps1    - Debug script for remote PCs
  4. Test-RemotePC-Debug.bat    - Batch wrapper for debug script
  5. shopfloor-hostnames.txt    - List of 175 PC hostnames
  6. README.txt                 - Full instructions
  7. START-HERE.txt             - This file

================================================================================
STEP-BY-STEP INSTRUCTIONS
================================================================================
STEP 1: Copy Files to Windows
------------------------------
From Linux terminal:

    # If you have direct access to Windows filesystem:
    cp -r /tmp/winrm-ca-scripts /mnt/c/users/570005354/Downloads/

    # OR use WinSCP, scp, or any file transfer method

STEP 2: Create Certificate Authority
-------------------------------------
On Windows, in PowerShell as Administrator:

    cd C:\users\570005354\Downloads\winrm-ca-scripts
    .\Create-CA-Simple.ps1

Enter password when prompted: ShopfloorCA2025!

This creates:
  - Shopfloor-WinRM-CA-YYYYMMDD.pfx (CA private key)
  - Shopfloor-WinRM-CA-YYYYMMDD.cer (CA public cert)

STEP 3: Install CA on Your Computer
------------------------------------
Still in PowerShell as Administrator:

    Import-Certificate -FilePath "Shopfloor-WinRM-CA-YYYYMMDD.cer" `
        -CertStoreLocation Cert:\LocalMachine\Root

Replace YYYYMMDD with the actual date from Step 2.

STEP 4: Sign All 175 PC Certificates
-------------------------------------
Still in PowerShell as Administrator:

    $caPass = ConvertTo-SecureString "ShopfloorCA2025!" -AsPlainText -Force
    $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force

    .\Sign-BulkCertificates.ps1 `
        -HostnameFile "shopfloor-hostnames.txt" `
        -CAPfxPath "Shopfloor-WinRM-CA-YYYYMMDD.pfx" `
        -CAPassword $caPass `
        -CertificatePassword $certPass

This creates pc-certificates/batch-TIMESTAMP/ folder with 175 certificates.

STEP 5: Test on ONE PC First
-----------------------------
Deploy to G9KN7PZ3ESF for testing:

  A. Copy certificate to PC:

     Copy-Item "pc-certificates\batch-*\G9KN7PZ3ESF-*.pfx" `
         -Destination "\\G9KN7PZ3ESF\C$\Temp\"

  B. On G9KN7PZ3ESF, import certificate:

     $certPass = ConvertTo-SecureString "PCCert2025!" -AsPlainText -Force
     # Resolve the wildcard to the actual file name before importing
     $pfx = Get-Item "C:\Temp\G9KN7PZ3ESF-*.pfx" | Select-Object -First 1
     $cert = Import-PfxCertificate `
         -FilePath $pfx.FullName `
         -CertStoreLocation Cert:\LocalMachine\My `
         -Password $certPass

  C. Configure WinRM (if Setup-WinRM-HTTPS.ps1 is available):

     .\Setup-WinRM-HTTPS.ps1 -CertificateThumbprint $cert.Thumbprint -Domain "logon.ds.ge.com"

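A check to run on the target PC after 5B, before the listener is configured: it confirms the imported certificate is usable for a WinRM HTTPS listener and then deletes the PFX copy left in C:\Temp. This is an added example, not one of the project's scripts; it assumes $cert from 5B and the FQDN used in Step 6.

```powershell
# Added example: run on G9KN7PZ3ESF in the same session as Step 5B.
$fqdn = "g9kn7pz3esf.logon.ds.ge.com"   # name clients will connect to (Step 6)

# Re-read the certificate from the store so the provider properties
# (DnsNameList, EnhancedKeyUsageList) are populated.
$c = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"

$serverAuthOid = "1.3.6.1.5.5.7.3.1"    # Server Authentication EKU
$checks = [ordered]@{
    HasPrivateKey = $c.HasPrivateKey
    ServerAuthEku = [bool]($c.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    NameMatches   = [bool]($c.DnsNameList.Unicode -contains $fqdn)
    NotExpired    = (Get-Date) -lt $c.NotAfter
}
$checks

if (@($checks.Values) -notcontains $false) {
    # The PFX still contains the private key; do not leave it in C:\Temp.
    Remove-Item "C:\Temp\G9KN7PZ3ESF-*.pfx"
    "Certificate OK, PFX removed from C:\Temp"
} else {
    Write-Warning "Certificate failed a check; fix it before running Step 5C."
}
```

A failed NameMatches means clients would only connect with -SkipCNCheck, which is the bypass this setup is meant to remove.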
STEP 6: Test Connection
------------------------
From YOUR computer:

    Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986

    $cred = Get-Credential
    Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
        -Credential $cred -UseSSL -Port 5986

SUCCESS! No -SessionOption needed!

STEP 7: Deploy to Remaining PCs
--------------------------------
Repeat Step 5 for each of the remaining 174 PCs.
Or create an automated deployment script (ask for help if needed).
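Once the remaining PCs are deployed, the Step 6 check can be run across the whole hostname list. This is an added example, not one of the project's scripts; it assumes it runs on the computer from Step 3 (CA installed in the Root store) and that every PC uses the logon.ds.ge.com suffix shown in Step 6. The CSV file name is arbitrary.

```powershell
# Added example. No -SessionOption is passed, so a host passes only if
# its certificate chains to the installed CA and matches its FQDN.
$domain = "logon.ds.ge.com"

$results = Get-Content "shopfloor-hostnames.txt" |
    ForEach-Object { $_.Trim() } | Where-Object { $_ } |
    ForEach-Object {
        $fqdn = "$_.$domain".ToLower()
        try {
            Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986 -ErrorAction Stop |
                Out-Null
            [pscustomobject]@{ Host = $fqdn; Ok = $true; Error = $null }
        } catch {
            # Typical causes: no listener on 5986, firewall rule missing,
            # certificate not trusted or name mismatch.
            [pscustomobject]@{ Host = $fqdn; Ok = $false; Error = $_.Exception.Message }
        }
    }

# Show failures on screen and keep the full result for follow-up.
$results | Where-Object { -not $_.Ok } | Format-Table -AutoSize -Wrap
$results | Export-Csv "winrm-https-check.csv" -NoTypeInformation
"{0} of {1} hosts passed" -f @($results | Where-Object Ok).Count, @($results).Count
```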
================================================================================
TROUBLESHOOTING
================================================================================
If Remote PC Has Issues:

  1. Copy Test-RemotePC-Debug.bat and Test-RemotePC-Debug.ps1 to the PC
  2. Right-click Test-RemotePC-Debug.bat and "Run as Administrator"
  3. Review the output to see what's wrong

Common Issues:

  - Port 5986 not listening → WinRM listener not configured
  - Certificate not found → Certificate not imported
  - Firewall blocking → Firewall rule missing

================================================================================
WHAT YOU GET
================================================================================
BEFORE (Wildcard with bypasses):

    $sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
    Enter-PSSession -ComputerName PC -Credential $cred -UseSSL -SessionOption $sessionOption

    ⚠️ Certificate warnings, security bypasses

AFTER (CA with proper certs):

    Enter-PSSession -ComputerName PC -Credential $cred -UseSSL -Port 5986

    ✅ Clean, secure, no warnings!

================================================================================
NEED HELP?
================================================================================
Read README.txt for full instructions.
All scripts are ready to use - just copy to Windows and run!
================================================================================