SetupWinRMCertificateAuth.ps1
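<#
.SYNOPSIS
  Enables WinRM certificate authentication on this host and maps one client
  certificate to a local account.

.DESCRIPTION
  Steps performed, in order:
    1. Turn on the Certificate auth method of the WinRM service.
    2. Import the client certificate's issuing CA (ca.pem) into the
       LocalMachine\Root store.
    3. Import the client certificate (cert.pem) into LocalMachine\TrustedPeople.
    4. Read the UPN from the certificate's Subject Alternative Name extension
       and create a WSMan ClientCertificate mapping from (issuer thumbprint, UPN)
       to the account given by -username/-password.

  Both PEM files are read from the current directory unless overridden.
  Note that a CA added to LocalMachine\Root is trusted machine-wide, not only
  by WinRM, so the CA used here should be one dedicated to WinRM client
  authentication.

.PARAMETER username
  Local account the client certificate is mapped to. Defaults to Administrator.
  For domain accounts, replace $ENV:COMPUTERNAME below with the domain name.
.PARAMETER password
  Password of that account. The default is kept only so that existing
  invocations without arguments keep working; pass the real value explicitly
  (e.g. from a secret store) rather than editing this file.
.PARAMETER client_cert_path
  Path of the client certificate (PEM). Defaults to .\cert.pem.
.PARAMETER client_ca_cert_path
  Path of the CA certificate that issued the client cert (PEM). Defaults to .\ca.pem.
#>
param(
  [string]$username = "Administrator",
  [string]$password = "Passw0rd",
  [string]$client_cert_path = "$PWD\cert.pem",
  [string]$client_ca_cert_path = "$PWD\ca.pem"
)

$ErrorActionPreference = "Stop"

# Adds one certificate to a LocalMachine store and always closes the store
# handle afterwards (the original left both stores open).
function Add-CertificateToMachineStore {
  param(
    [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
    [System.Security.Cryptography.X509Certificates.StoreName]$StoreName
  )
  $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
    $StoreName,
    [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
  $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
  try {
    $store.Add($Certificate)
  } finally {
    $store.Close()
  }
}

# Enable certificate authentication on the WinRM service.
# winrm.cmd is a native command, so $ErrorActionPreference does not catch a
# failure here; check the exit code explicitly.
& winrm set winrm/config/service/auth `@`{Certificate=`"true`"`}
if ($LASTEXITCODE -ne 0) {
  throw "winrm set failed with exit code $LASTEXITCODE"
}

# Import the client cert's CA cert into the machine Root store.
$cacert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($client_ca_cert_path)
Add-CertificateToMachineStore -Certificate $cacert `
  -StoreName ([System.Security.Cryptography.X509Certificates.StoreName]::Root)

# Import the client cert into TrustedPeople.
$clientcert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($client_cert_path)
Add-CertificateToMachineStore -Certificate $clientcert `
  -StoreName ([System.Security.Cryptography.X509Certificates.StoreName]::TrustedPeople)

$secure_password = ConvertTo-SecureString $password -AsPlainText -Force
# For domain auth just replace $ENV:COMPUTERNAME with the domain name
$cred = New-Object System.Management.Automation.PSCredential "$ENV:COMPUTERNAME\$username", $secure_password

# Get the UPN from the Subject Alternative Name extension (OID 2.5.29.17).
# Looking the extension up by OID replaces the original Extensions[1], which
# only works when SAN happens to be the second extension in the certificate.
$san = $clientcert.Extensions |
  Where-Object { $_.Oid.Value -eq "2.5.29.17" } |
  Select-Object -First 1
if (-not $san) {
  throw "Client certificate has no Subject Alternative Name extension; cannot derive a UPN"
}
$san_text = $san.Format($false)
# Capture whatever follows the last '=' (the UPN value), and fail rather than
# reusing a stale $Matches from an earlier match when nothing is found.
if ($san_text -match ".*=(.*)") {
  $upn = $Matches[1]
} else {
  throw "Could not find a UPN in the Subject Alternative Name: $san_text"
}

# -Uri * maps this (issuer, UPN) pair for every WSMan resource URI on the host.
New-Item -Path WSMan:\localhost\ClientCertificate -Issuer $cacert.Thumbprint -Subject $upn -Uri * -Credential $cred -Force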