Downloads

The following GreenLight article explains briefly what kind of steps you have to perform in order to use SSL (https via tcp 5986) for PowerShell.

→ example is based for using a self-signed certificate on the Windows Host

Configuration

Enabling RemotePowerShell (unencrypted communication should not be allowed in this UseCase)

  • Open PowerShell on Windows Host and execute the following 4 commands
  • Enable-PSRemoting –force
  • set-item -force WSMan:\localhost\Service\Auth\Basic $true
  • set-item -force WSMan:\localhost\Client\AllowUnencrypted $false
  • set-item -force WSMan:\localhost\Service\AllowUnencrypted $false


Check if there are already Certificates in the Certificate Store (open Powershell on Host)

  • Set-Location Cert:\LocalMachine\My
  • Get-ChildItem | Format-Table Subject, FriendlyName, Thumbprint -AutoSize

you should get a list of certificates back (otherwise the list is just empty)


Import Certificate (with PowerShell) - CER

  • Import-Certificate -FilePath "<path to certificate>" -CertStoreLocation Cert:\LocalMachine\My -Verbose

you should get something like this


For PFX, use the command

Import-PfxCertificate -FilePath "<path to pfx>" -CertStoreLocation Cert:\LocalMachine\My -Verbose


Create Self Signed Certificate

  • New-SelfSignedCertificate -DnsName <hostname> -CertStoreLocation Cert:\LocalMachine\My



Now we have imported or created a selfsigned certificate which can be used for the Remote PS Call


Next Steps explain how you connect the certificate with the WS-MAN remoting


Copy  the correct Thumbprint from Store

  • Get-ChildItem | Format-Table Subject, FriendlyName, Thumbprint -AutoSize
  • copy the ThumbPrint you want to use


Open command prompt (with cmd)

    • winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<hostname>"; CertificateThumbprint="<your thumbprint >"}


This binds now the certificate with HTTPS on the Host

Please adjust the Address and Hostname parameter based on your needs! If you use a Wildcard SSL certificated, make sure that hostname is equal the CN name in the certificate


In case a listener with the same Address and HTTPS is configured, please make sure you clean it up first

You can remove an existing entry (for Address=* and Transport HTTPS) by just using

  • winrm delete winrm/config/Listener?Address=*+Transport=HTTPS



Inbound Firewall Setting

Make sure that Inbound connection to TCP Port 5986 is allowed on the Windows Host !


Last Step is the GreenLight Config

The Only thing which you need to do is to configure the right Authentication Profile

Use https as the protocol and Port 5986


Test the Connection ....If everything is correct, you should get a "Success Message" back


Assign this Authentication Profile now to an Windows Host within GreenLight



Contact Support

Visit panagenda GreenLight on our website!