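# --- Server side: self-signed certificate, HTTPS WinRM listener, firewall rule ---
$hostName = $env:COMPUTERNAME

# Collect the host's IPv4 addresses as plain strings. The original piped the
# addresses through Out-String, which yields a single multi-line string with a
# trailing newline - that is not a valid SAN entry. Loopback and APIPA
# addresses are skipped since nobody reaches the host through them remotely.
$hostIPs = @(Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object -ExpandProperty IPAddress)

# -DnsName records the IPs as DNS-type SAN entries, not IP-address SAN entries,
# so hostname verification still fails for clients that connect by IP
# (see the -SkipCNCheck remark at the bottom).
$srvCert = New-SelfSignedCertificate -DnsName (@($hostName) + $hostIPs) -CertStoreLocation Cert:\LocalMachine\My
$srvCert

# Show the current listeners, then drop the existing ones before creating the
# HTTPS listener. Note that 'Transport=HTTP*' matches both HTTP and HTTPS.
Get-ChildItem WSMan:\localhost\Listener
Get-ChildItem WSMan:\localhost\Listener\ |
    Where-Object -Property Keys -like 'Transport=HTTP*' |
    Remove-Item -Recurse

New-Item -Path WSMan:\localhost\Listener\ -Transport HTTPS -Address * -CertificateThumbPrint $srvCert.Thumbprint -Force

# Inbound rule for the WinRM HTTPS port (5986) on every firewall profile.
New-NetFirewallRule -DisplayName 'WinRM - Powershell remoting HTTPS-In' -Name 'WinRM - Powershell remoting HTTPS-In' -Profile Any -LocalPort 5986 -Protocol TCP
Restart-Service WinRM
winrm e winrm/config/listener

# Export the public part of the certificate so clients can trust it.
Export-Certificate -Cert $srvCert -FilePath c:\PS\PsRemoting-Cert.cer

# --- Client side ---
# Make sure the client refuses unencrypted transport.
Get-ChildItem WSMan:\localhost\Client | Where-Object Name -eq AllowUnencrypted
winrm set winrm/config/client '@{AllowUnencrypted="false"}'
# Trust the server's self-signed certificate exported above.
Import-Certificate -FilePath c:\PS\PsRemoting-Cert.cer -CertStoreLocation Cert:\LocalMachine\root\

# When connecting by IP address the certificate's common name (the host name)
# does not match the target, so without -SkipCNCheck the session fails with
# "The SSL certificate contains a common name (CN) that does not match the
# hostname". The CA check is still performed because the certificate was
# imported into the client's Trusted Root store.
$SessionOption = New-PSSessionOption -SkipCNCheck
Enter-PSSession -ComputerName 192.168.13.4 -UseSSL -Credential kbuldogov -SessionOption $SessionOption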
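# --- Ansible: prepare a host for WinRM with the upstream helper script ---
# https://github.com/ansible/ansible-documentation/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://raw.githubusercontent.com/ansible/ansible-documentation/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
$file = "$env:temp\ConfigureRemotingForAnsible.ps1"
(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
# Per-process execution-policy override; the machine policy stays untouched.
powershell.exe -ExecutionPolicy ByPass -File $file

# --- Upgrade Windows PowerShell to 5.1 with jborean93's helper script ---
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://raw.githubusercontent.com/jborean93/ansible-windows/master/scripts/Upgrade-PowerShell.ps1"
$file = "$env:temp\Upgrade-PowerShell.ps1"
$username = "Administrator"
$password = "Password"   # placeholder - supply the real value at run time, never commit it
(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
# Unlike the per-process override above, this changes the LocalMachine
# execution policy persistently; reset it once the upgrade has finished.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force
& $file -Version 5.1 -Username $username -Password $password -Verbose

# --- HTTPS listener through the WSMan provider, using an existing certificate ---
$selector_set = @{
    Address   = "*"
    Transport = "HTTPS"
}
$value_set = @{
    # thumbprint of the server certificate already present in Cert:\LocalMachine\My
    CertificateThumbprint = "E6CDAA82EEAF2ECE8546E05DB7F3E01AA47D76CE"
}
New-WSManInstance -ResourceURI "winrm/config/Listener" -SelectorSet $selector_set -ValueSet $value_set

# --- Minimal configure / connect pair ---
# configure (on the server)
$cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName $env:COMPUTERNAME
Enable-PSRemoting -SkipNetworkProfileCheck -Force
# The original had a Unicode en dash in front of Force; plain ASCII '-' here.
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $cert.Thumbprint -Force
New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -Protocol TCP
# connect (on the client). -SkipCACheck plus -SkipCNCheck disables certificate
# validation entirely; importing the server certificate into the client's
# Trusted Root store (as in the first section) lets -SkipCACheck be dropped.
# Replace X.X.X.X with the server address - the braces are a placeholder, not syntax.
Enter-PSSession -ComputerName {X.X.X.X} -Credential (Get-Credential) -SessionOption (New-PsSessionOption -SkipCACheck -SkipCNCheck) -UseSSL

# --- HTTP listener, Basic auth, unencrypted transport (bootstrap / lab use) ---
winrm quickconfig -quiet
# winrm.cmd expects the @{...} part as literal text. From PowerShell it has to
# be quoted, otherwise PowerShell parses it as a hashtable and the command
# receives "System.Collections.Hashtable". Quoting makes the earlier workaround
# (backtick-escaped string + Invoke-Expression) unnecessary.
winrm set winrm/config/service/auth '@{Basic="true"}'
# Basic auth over an unencrypted listener puts base64-encoded credentials on
# the wire; acceptable only on an isolated network, prefer the HTTPS listener.
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
netsh advfirewall firewall add rule name="WinRM-HTTP" dir=in localport=5985 protocol=TCP action=allow
netsh advfirewall firewall add rule name="WinRM-HTTPS" dir=in localport=5986 protocol=TCP action=allow
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
Set-NetConnectionProfile -NetworkCategory Private
Set-Service -Name "WinRM" -StartupType Automatic
Start-Service -Name "WinRM"

# --- Certificate for the HTTPS listener (5-year self-signed, 2048-bit RSA) ---
# Generic form:
#   New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName ("machinename.subdomain.company.com", "machinename") -NotAfter (get-date).AddYears(5) -Provider "Microsoft RSA SChannel Cryptographic Provider" -KeyLength 2048
New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName ("$env:COMPUTERNAME.unison.lan", "$env:COMPUTERNAME") -NotAfter (get-date).AddYears(5) -Provider "Microsoft RSA SChannel Cryptographic Provider" -KeyLength 2048

# Add the generated certificate with the Microsoft Management Console:
#   1. Run mmc.exe.
#   2. Select File > Add/Remove Snap-in.
#   3. From the list of available snap-ins, select Certificates and click Add.
#   4. Select Computer account and click Next. Click Finish.
# Verify that the certificate is installed in
#   Console Root > Certificates (Local Computer) > Personal > Certificates   and
#   Console Root > Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
# If the certificate is not present in the Trusted Root Certification Authorities
# and Personal folders, install it there manually.
# Next step: create an HTTPS listener with the correct thumbprint and host name
# (example syntax follows).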
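# Example syntax from the vendor documentation for creating the HTTPS listener:
#   winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="host_name";CertificateThumbprint="certificate_thumbprint"}
$fqdn = "$env:COMPUTERNAME.unison.lan"
$certificate = "CN=" + $fqdn

# Look up the thumbprint of the certificate issued for $fqdn. The subject is
# matched against an escaped pattern: the original `-match $certificate` let
# the dots in the FQDN act as regex wildcards. If several certificates match
# (for example after a re-issue) the one expiring last is taken, so $Thumbprint
# is always a single string rather than an array.
$subjectPattern = '^' + [regex]::Escape($certificate) + '(,|$)'
$serverCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $subjectPattern } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $serverCert) {
    throw "No certificate with subject '$certificate' found in Cert:\LocalMachine\My"
}
$Thumbprint = $serverCert.Thumbprint
Write-Host -Object "My thumbprint is: $Thumbprint"

# Host name registered on the listener. The original assigned $WinrmCreate
# twice (first with $fqdn, then with the short name) and only the second
# assignment took effect, so the short name is kept here; use $fqdn instead
# when clients connect by fully qualified name.
$listenerHostname = $env:COMPUTERNAME
# The @{...} argument is passed as one quoted string so winrm.cmd receives it
# literally; this replaces the backtick-escaped string + Invoke-Expression.
# Note: omit the spaces in the certificate thumbprint.
winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=`"$listenerHostname`";CertificateThumbprint=`"$Thumbprint`"}"

# Test the connection from a client, e.g.:
#   winrs -r:https://host_name:port_number -u:user_name -p:password hostname
# A password given with -p is visible in process listings and shell history.

# Commands for Basic auth / unencrypted transport, kept for reference only -
# they are not executed here. Run them with the quoted-argument form, e.g.
#   winrm set winrm/config/service/auth '@{Basic="true"}'
$WinrmBasicAuth = 'winrm set winrm/config/service/auth @{Basic="true"}'
$WinrmAllowUnencrypt = 'winrm set winrm/config/service @{AllowUnencrypted="true"}'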