
winrm self signed certificate

Klaus Kämpf edited this page Jan 3, 2013 · 1 revision

These are the steps for connecting from Linux to the Windows WinRM service using WSMAN over HTTPS.

  1. Follow only the first FOUR steps from http://www.akadia.com/services/ssh_test_certificate.html.

  2. Verify the generated self-signed certificate:

        openssl verify server.crt

    The output will be as shown below:

        server.crt:/C=US/ST=California/L=San Jose/O= ABCD Corporation/OU=Engineering/CN=HostName Or IPAddress/emailAddress=
        error 18 at 0 depth lookup:self signed certificate
        OK

    Do not worry about "error 18 at 0 depth lookup:self signed certificate". It only says that this is a self-signed certificate.

  3. Convert the certificate from "crt" to "pkcs12" format

    For Windows Server, the certificate should be in pkcs12 format. The command to convert it is as follows:

        openssl pkcs12 -export -in server.crt -inkey server.key -out hostname.pfx

    It will ask for the following:

        Enter Export Password:
        Verifying - Enter Export Password:

    Enter a password and remember it, as it is required when importing the certificate on the Windows server and client.

  4. Finally, make a copy of server.crt:

        cp server.crt hostname.pem

    On Linux the certificate should be ".pem". Since .crt and .pem are the same, there is no need to use an openssl command to convert from .crt to .pem; just make a copy.

  5. Installing the certificate on Windows Server:

    i. You can install it using MMC on Windows. If you need instructions for this I can send them to you.

    ii. After installing on Windows, right-click the certificate and select Properties. In the dialog box that appears, select "Enable only the following purposes", enable "Server Authentication" and disable everything else.

    Note: In openssl there should be a command to create a self-signed certificate for Server Authentication only, which I do not know yet. If this can be done using openssl, then there is no need for (ii).

  6. Installing the certificate on the Linux client: copy hostname.pem from Step 4 to /etc/ssl/certs on SuSE Linux.

    1. Go to /etc/ssl/certs on SuSE Linux

    2. Create a hash value by running the following command:

          openssl x509 -noout -hash -in hostname.pem

      It prints a value such as:

          100940db

    3. Create a symbolic link named after the hash value by running the following command:

          ln -s hostname.pem 100940db.0

    4. After configuring the Windows WinRM service, the following command can be used to verify that the certificate is installed correctly on Linux:

          curl -v --capath /etc/ssl/certs https://<Hostname or IPAddress>:5986/wsman

      If it fails, it will report the corresponding error.
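
The certificate steps above as one script. This is an added example, not part of the original page. It sets the Server Authentication restriction when the certificate is created, using `-addext extendedKeyUsage=serverAuth` (OpenSSL 1.1.1 or later), and checks the result locally. The host name, the directory layout and the `PFX_PASS` environment variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Needs OpenSSL 1.1.1+ (-addext).
# Assumed names: PFX_PASS (environment variable holding the export password)
# and the layout <dir>/server.key, server.crt, <host>.pfx, certs/.

make_winrm_cert() {    # usage: make_winrm_cert <host> <dir>
    host=$1; dir=$2
    mkdir -p "$dir/certs" || return 1
    # Key plus self-signed certificate, limited to Server Authentication.
    # subjectAltName carries the host name for clients that ignore the CN.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 600 "$dir/server.key"
    # Step 3: PKCS#12 bundle for Windows. The password comes from the
    # environment so it does not show up in the process list.
    openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
        -out "$dir/$host.pfx" -passout env:PFX_PASS || return 1
    # Steps 4 and 6: PEM copy and subject-hash symlink for the Linux client.
    cp "$dir/server.crt" "$dir/certs/$host.pem" || return 1
    subj_hash=$(openssl x509 -noout -hash -in "$dir/certs/$host.pem") || return 1
    ln -sf "$host.pem" "$dir/certs/$subj_hash.0"
}

cert_eku() {           # usage: cert_eku <cert>; prints the Extended Key Usage value
    openssl x509 -noout -text -in "$1" |
        grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//; s/ *$//'
}

verify_in_capath() {   # usage: verify_in_capath <cert> <hashed-dir>
    # Succeeds only when the certificate is found through its hash link.
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}
```

After `make_winrm_cert`, import `<dir>/<host>.pfx` on the Windows server and copy the contents of `<dir>/certs` to `/etc/ssl/certs` on the client.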