ge-aerospace/powershell-scripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7d3519f613c6ba5a1a7f8920f0108345b3bd021f
powershell-scripts/winrm-https/CA-APPROACH-GUIDE.md
cproudlock 96cb1dd946 Remove all emojis from markdown documentation 
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 11:03:45 -05:00

450 lines
16 KiB
Markdown
Raw Blame History

# Certificate Authority Approach - Complete Workflow
## Overview
Instead of using a wildcard certificate, you create a **Certificate Authority (CA)** and use it to sign individual certificates for each PC. This is more secure and proper.
---
## The Complete Picture
```
┌─────────────────────────────────────────────────────────────────┐
│ ONE-TIME CA SETUP │
└─────────────────────────────────────────────────────────────────┘
1. CREATE CERTIFICATE AUTHORITY (Do Once)
┌────────────────────────────────────┐
│ Run on secure admin computer: │
│ .\Create-CertificateAuthority.ps1 │
└────────────────────────────────────┘
├─► Creates: Shopfloor-WinRM-CA-20251017.pfx (PRIVATE KEY - KEEP SECURE!)
└─► Creates: Shopfloor-WinRM-CA-20251017.cer (PUBLIC CERT - DISTRIBUTE)
2. SIGN CERTIFICATES FOR ALL 175 PCs (Do Once)
┌────────────────────────────────────────────────────────────┐
│ Run on secure admin computer: │
│ .\Sign-BulkPCCertificates.ps1 \ │
│ -HostnameFile shopfloor-hostnames.txt \ │
│ -CAPfxPath "Shopfloor-WinRM-CA-20251017.pfx" │
└────────────────────────────────────────────────────────────┘
├─► Creates: G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx
├─► Creates: G1JJVH63ESF-logon.ds.ge.com-20251017.pfx
├─► Creates: G1JJXH63ESF-logon.ds.ge.com-20251017.pfx
└─► Creates: ... (175 individual certificates)
3. INSTALL CA ON YOUR MANAGEMENT COMPUTER (Do Once Per Computer)
┌────────────────────────────────────────────────────────────┐
│ Run on YOUR computer (H2PRFM94): │
│ Import-Certificate \ │
│ -FilePath "Shopfloor-WinRM-CA-20251017.cer" \ │
│ -CertStoreLocation Cert:\LocalMachine\Root │
└────────────────────────────────────────────────────────────┘
└─► YOUR computer now trusts ALL certificates signed by this CA!
┌─────────────────────────────────────────────────────────────────┐
│ DEPLOY TO EACH SHOPFLOOR PC │
└─────────────────────────────────────────────────────────────────┘
4. DEPLOY TO EACH PC (Do for Each of 175 PCs)
PC: G9KN7PZ3ESF
┌────────────────────────────────────────────────────────────┐
│ Copy to PC: │
│ G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx │
│ │
│ Import on PC: │
│ Import-PfxCertificate \ │
│ -FilePath "G9KN7PZ3ESF-logon.ds.ge.com.pfx" \ │
│ -CertStoreLocation Cert:\LocalMachine\My \ │
│ -Password $pass │
│ │
│ Configure WinRM: │
│ .\Setup-WinRM-HTTPS.ps1 \ │
│ -CertificateThumbprint "ABC123..." \ │
│ -Domain "logon.ds.ge.com" │
└────────────────────────────────────────────────────────────┘
└─► PC has certificate: CN=g9kn7pz3esf.logon.ds.ge.com
Signed by: Shopfloor WinRM CA
┌─────────────────────────────────────────────────────────────────┐
│ CONNECTING FROM YOUR COMPUTER │
└─────────────────────────────────────────────────────────────────┘
5. CONNECT FROM YOUR COMPUTER (No Special Options Needed!)
┌────────────────────────────────────────────────────────────┐
│ On YOUR computer (H2PRFM94): │
│ │
│ # No -SessionOption needed! │
│ Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com \ │
│ -UseSSL -Port 5986 │
│ │
│ # Interactive session - just works! │
│ $cred = Get-Credential │
│ Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com\│
│ -Credential $cred -UseSSL -Port 5986 │
└────────────────────────────────────────────────────────────┘
└─► WORKS! No certificate errors!
Why? Because YOUR computer trusts the CA,
and the PC's certificate is signed by that CA.
```
---
## Why This Works
### Without CA (Current Wildcard Approach):
```
Your Computer Remote PC
│ │
├─ Tries to connect ────────────────►│
│ │
│◄─── Presents certificate ───────────┤
│ CN=*.logon.ds.ge.com │
│ Self-signed (untrusted) │
│ │
├─ ERROR: Untrusted certificate │
│ │
└─ Must use -SessionOption
to skip validation
```
### With CA (New Approach):
```
Your Computer Remote PC
│ │
│ Has CA installed │ Has individual cert
│ Trusts: Shopfloor WinRM CA │ CN=g9kn7pz3esf.logon.ds.ge.com
│ │ Signed by: Shopfloor WinRM CA
│ │
├─ Tries to connect ────────────────►│
│ │
│◄─── Presents certificate ───────────┤
│ CN=g9kn7pz3esf.logon.ds.ge.com │
│ Signed by: Shopfloor WinRM CA │
│ │
├─ Checks issuer: Shopfloor WinRM CA │
├─ Do I trust this issuer? │
├─ YES! (CA is in Trusted Root) │
├─ Certificate trusted │
│ │
└─ Connection succeeds! ◄─────────────┘
No -SessionOption needed!
```
---
## Step-by-Step: What You'll Do
### PHASE 1: Setup (One Time)
#### Step 1: Create the CA (5 minutes)
```powershell
# On your secure admin computer
.\Create-CertificateAuthority.ps1
# Prompts for CA password
# Creates:
# Shopfloor-WinRM-CA-20251017.pfx (KEEP SECURE!)
# Shopfloor-WinRM-CA-20251017.cer (Install on management PCs)
```
**Files created:**
- `Shopfloor-WinRM-CA-20251017.pfx` - CA private key (SECURE THIS!)
- `Shopfloor-WinRM-CA-20251017.cer` - CA public certificate (distribute to management PCs)
---
#### Step 2: Sign All 175 PC Certificates (10 minutes)
```powershell
# On your secure admin computer
$caPass = ConvertTo-SecureString "YourCAPassword" -AsPlainText -Force
$certPass = ConvertTo-SecureString "PCCertPassword123" -AsPlainText -Force
.\Sign-BulkPCCertificates.ps1 `
-HostnameFile shopfloor-hostnames.txt `
-CAPfxPath "Shopfloor-WinRM-CA-20251017.pfx" `
-CAPassword $caPass `
-CertificatePassword $certPass `
-Domain "logon.ds.ge.com"
```
**Files created:**
- `G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx`
- `G1JJVH63ESF-logon.ds.ge.com-20251017.pfx`
- `G1JJXH63ESF-logon.ds.ge.com-20251017.pfx`
- ... (175 total, one per PC)
---
#### Step 3: Install CA on Your Computer (2 minutes)
```powershell
# On YOUR computer (H2PRFM94) - Run as Administrator
Import-Certificate `
-FilePath "C:\path\to\Shopfloor-WinRM-CA-20251017.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
```
**Result:** Your computer now trusts ALL certificates signed by this CA.
---
### PHASE 2: Deploy to PCs (Repeat for Each PC)
#### Step 4: Deploy to First PC (Test)
```powershell
# Copy certificate to PC
Copy-Item "G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx" `
-Destination "\\G9KN7PZ3ESF\C$\Temp\"
# On the PC (G9KN7PZ3ESF), run as Administrator:
$certPass = ConvertTo-SecureString "PCCertPassword123" -AsPlainText -Force
$cert = Import-PfxCertificate `
-FilePath "C:\Temp\G9KN7PZ3ESF-logon.ds.ge.com-20251017.pfx" `
-CertStoreLocation Cert:\LocalMachine\My `
-Password $certPass
# Configure WinRM with this certificate
.\Setup-WinRM-HTTPS.ps1 `
-CertificateThumbprint $cert.Thumbprint `
-Domain "logon.ds.ge.com"
```
---
### PHASE 3: Test Connection
#### Step 5: Connect from Your Computer
```powershell
# On YOUR computer (H2PRFM94)
# Test basic connectivity - NO -SessionOption needed!
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
# Works! No certificate errors!
# Get credentials
$cred = Get-Credential
# Interactive session - NO -SessionOption needed!
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
# Connected! No certificate warnings!
# Run remote command
Invoke-Command -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986 `
-ScriptBlock { hostname }
# Returns: G9KN7PZ3ESF
```
**The key difference:** No more `-SessionOption $sessionOption`! The certificates are properly trusted.
---
## Comparison: Before vs After
### Before (Wildcard Certificate):
```powershell
# Had to skip certificate validation
$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
# Every connection needed this:
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986 `
-SessionOption $sessionOption # ← Required!
```
**Problems:**
- Certificate validation bypassed (insecure)
- Same certificate on all 175 PCs
- If compromised, affects all PCs
- Certificate CN mismatch errors
---
### After (CA-Signed Individual Certificates):
```powershell
# Clean, simple connection
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
# That's it! No -SessionOption needed!
```
**Benefits:**
- Proper certificate validation (secure)
- Each PC has its own certificate
- If one compromised, only affects one PC
- Proper hostname in certificate (no CN mismatch)
- Easy to revoke individual certificates
- Professional enterprise approach
---
## What Gets Deployed Where
### Your Management Computer (H2PRFM94):
```
Cert:\LocalMachine\Root\
└─ Shopfloor WinRM CA ← CA public certificate ONLY
(No private key)
```
### Each Shopfloor PC:
```
Cert:\LocalMachine\My\
└─ CN=g9kn7pz3esf.logon.ds.ge.com ← Individual certificate
Issued by: Shopfloor WinRM CA
(Has private key for this PC only)
```
### Secure Admin Computer (Where You Create Certs):
```
Shopfloor-WinRM-CA-20251017.pfx ← CA PRIVATE KEY (SECURE!)
G9KN7PZ3ESF-logon.ds.ge.com.pfx ← PC certificates (175 files)
G1JJVH63ESF-logon.ds.ge.com.pfx
... (175 total)
```
---
## Security Advantages
### Wildcard Certificate Approach:
```
One certificate compromised = All 175 PCs compromised
Must revoke and redeploy to ALL PCs
```
### CA Approach:
```
One certificate compromised = Only that PC compromised
Revoke individual certificate
Only redeploy to that one PC
Other 174 PCs unaffected
```
---
## Real-World Example
### Your First Connection:
1. **Install CA on your computer** (one time):
```powershell
Import-Certificate -FilePath "Shopfloor-WinRM-CA.cer" `
-CertStoreLocation Cert:\LocalMachine\Root
```
2. **Deploy certificate to G9KN7PZ3ESF** (one time per PC):
```powershell
# Copy and import certificate on the PC
# Configure WinRM
```
3. **Connect from your computer** (anytime):
```powershell
# Simple, clean, secure
$cred = Get-Credential
Enter-PSSession -ComputerName g9kn7pz3esf.logon.ds.ge.com `
-Credential $cred -UseSSL -Port 5986
```
4. **Result**:
```
[g9kn7pz3esf.logon.ds.ge.com]: PS C:\>
```
**No certificate errors! It just works!**
---
## Certificate Chain Verification
When you connect, Windows automatically validates:
```
1. PC presents certificate: CN=g9kn7pz3esf.logon.ds.ge.com
2. Check issuer: Shopfloor WinRM CA
3. Is "Shopfloor WinRM CA" in Trusted Root?
4. YES! Found in Cert:\LocalMachine\Root
5. Certificate trusted
6. Connection allowed
```
---
## Summary: What Changes for You
### Current Workflow (Wildcard):
1. Connect to PC
2. Get certificate error
3. Use `-SessionOption` to bypass validation
4. Warning: Certificate not validated
### New Workflow (CA):
1. Connect to PC
2. Certificate automatically validated
3. Connection succeeds
4. No warnings, fully secure
**It's actually EASIER and MORE SECURE!**
---
## Quick Start Commands
```powershell
# 1. Create CA (one time)
.\Create-CertificateAuthority.ps1
# 2. Sign all PC certificates (one time)
.\Sign-BulkPCCertificates.ps1 -HostnameFile shopfloor-hostnames.txt
# 3. Install CA on your computer (one time)
Import-Certificate -FilePath "CA.cer" -CertStoreLocation Cert:\LocalMachine\Root
# 4. Deploy to PCs (repeat for each)
# (Copy PFX, import, configure WinRM)
# 5. Connect (anytime) - SIMPLE!
$cred = Get-Credential
Enter-PSSession -ComputerName HOSTNAME.logon.ds.ge.com -Credential $cred -UseSSL -Port 5986
```
---
## Questions?
**Q: Do I need to install anything on each PC besides its own certificate?**
A: No! Each PC only gets its own certificate. The CA certificate is only installed on management computers.
**Q: What if I add more PCs later?**
A: Use `Sign-PCCertificate.ps1` to sign a certificate for the new PC. Any computer that trusts the CA will automatically trust the new certificate.
**Q: Can multiple people manage these PCs?**
A: Yes! Install the CA certificate on each management computer. All will trust the PC certificates.
**Q: What happens when certificates expire (2 years)?**
A: Sign new certificates using the same CA. The CA is valid for 10 years.
**Q: Is this really better than the wildcard certificate?**
A: YES! It's more secure, more professional, and actually easier to use because you don't need `-SessionOption` anymore.
---
**Bottom line:** You'll have cleaner, simpler, more secure connections with NO certificate warnings or bypasses!
Reference in New Issue View Git Blame Copy Permalink