Questions about using winrm over SSL ....


Mike Leone

Apr 30, 2026, 10:47:55 AM
to NTSysAdmin
So we use a Nutanix environment, and they have their own "Guest Tools" (basically an agent for them). Now, you can push these tools to VMs from their Prism Central app. However, in order for it to do that, it needs to make a secure connection, and it says it does that with WinRM over SSL.

Now, we configure winrm via GPO, and that is set up. But that's not over SSL ...

PS C:\Users\mjl-priv> winrm e winrm/config/listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.64.124.152, ::1, fe80::2841:615b:1dce:d6b9%13

PS C:\Users\mjl-priv> netstat -na | findstr 598
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
  TCP    [::]:5985              [::]:0                 LISTENING

In looking at how to listen via SSL, MS says this:

WinRM HTTPS requires a local computer Server Authentication certificate with a CN matching the hostname to be installed. The certificate mustn't be expired, revoked, or self-signed.

We have our own CA, and it's pushed via GPO to all domain members, so it would be valid. But does the above mean I have to have each workstation have its own machine cert, issued by my CA?

1. Anyone using WinRM over SSL?
2. If so, how? Are you issuing each computer its own cert? And how are you accomplishing that?

I guess I'm just not seeing how to easily accomplish this. I can get around it by installing the Guest Tools manually when I provision a new VM. But I wouldn't mind being able to do winrm over SSL, as long as it's not ruinously hard. LOL

What are your experiences, if any, with winrm over SSL? Am I missing something simple here?

Thanks

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Michael B. Smith

Apr 30, 2026, 11:08:34 AM
to ntsys...@googlegroups.com

Madness.


WinRM does session-level encryption using Kerberos in a domain environment unless you force it to use “basic” authentication and specifically set “AllowUnencrypted = true”.


Adding the SSL layer just adds overhead for extremely little benefit.


But to answer your question – you generate an SSL key for computers the same way you do it for users. Via GPO. Just in the computer section of the policy instead of the user section of the policy. There is a default Computer template in your CA, although I strongly recommend you modify it and turn off the “supply subject in request” and turn on “acquire subject from AD”.

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2BgLH%2BznzAU9%2BFt2UOHHFJDjpL%2B5hxFNFdrwHQQSMSkarg%40mail.gmail.com.
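The two halves of the reply above (a computer certificate autoenrolled from the enterprise CA via GPO, and the fact that the plain HTTP listener is already encrypted by Kerberos unless Basic plus AllowUnencrypted are switched on) can be checked and acted on from the target machine with the PowerShell below. This is an added example written for this thread, not code from the poster, Nutanix, or Microsoft. It assumes the machine is domain-joined, that a GPO has already autoenrolled a Server Authentication certificate into Cert:\LocalMachine\My (the approach the reply describes), and that it is run elevated; the function names Select-WinRmServerCert and Enable-WinRmHttpsListener, the $fqdn variable, and the firewall rule display name are this example's own.

```powershell
# Added example (not from the thread). Assumes a domain-joined host with a
# GPO-autoenrolled computer certificate in Cert:\LocalMachine\My; run elevated.

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID

function Select-WinRmServerCert {
    # Pick a certificate that satisfies the Microsoft requirements quoted in the
    # original post: CN/SAN matches the hostname, not expired, not self-signed,
    # chains to a trusted root and is not revoked. Certificates with no EKU at
    # all are valid for any purpose, but are deliberately rejected here.
    param([string]$Fqdn)
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and      # not expired
        $_.Subject -ne $_.Issuer -and                              # not self-signed
        ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku) -and
        ($_.DnsNameList.Unicode -contains $Fqdn) -and              # name matches host
        $_.Verify()                                                # chain + revocation
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Enable-WinRmHttpsListener {
    param(
        [string]$Fqdn,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $https = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    if ($https) {
        Write-Host "HTTPS listener already present: $($https.Name)"
    } else {
        # Same object the GPO-created HTTP listener is an instance of (see
        # 'winrm e winrm/config/listener' in the original post), transport HTTPS.
        New-WSManInstance -ResourceURI 'winrm/config/Listener' `
            -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
            -ValueSet @{ Hostname = $Fqdn; CertificateThumbprint = $Cert.Thumbprint } |
            Out-Null
        Write-Host "Created HTTPS listener on TCP 5986 using $($Cert.Thumbprint)"
    }

    # The built-in "Windows Remote Management" firewall rule only covers 5985.
    $ruleName = 'WinRM HTTPS (5986)'   # example's own name
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 5986 -Profile Domain -Action Allow | Out-Null
    }
}

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = Select-WinRmServerCert -Fqdn $fqdn
if (-not $cert) {
    throw "No CA-issued Server Authentication certificate for $fqdn in LocalMachine\My; " +
          "check autoenrollment (gpupdate /force, then certutil -pulse) and the template."
}
Enable-WinRmHttpsListener -Fqdn $fqdn -Cert $cert

# The settings that decide whether the existing HTTP listener is really in the
# clear: Kerberos/Negotiate encrypt the payload unless Basic auth is enabled
# together with AllowUnencrypted. Both should normally read 'false'.
[pscustomobject]@{
    AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    KerberosAuth     = (Get-Item WSMan:\localhost\Service\Auth\Kerberos).Value
} | Format-Table -AutoSize

# Confirm the HTTPS listener answers and the certificate is accepted by the client.
Test-WSMan -ComputerName $fqdn -UseSSL -ErrorAction Stop | Select-Object ProductVersion
```

Select-WinRmServerCert is the part worth keeping in a startup script or scheduled task: when the autoenrolled certificate is renewed it gets a new thumbprint, and the listener keeps pointing at the old one until it is updated, so the selection runs again and re-creates the listener with the current certificate rather than hard-coding a thumbprint.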

Mike Leone

Apr 30, 2026, 11:16:20 AM
to ntsys...@googlegroups.com
On Thu, Apr 30, 2026 at 11:08 AM Michael B. Smith <mic...@smithcons.com> wrote:
>
> Madness.
>
> WinRM does session-level encryption using Kerberos in a domain environment unless you force it to use “basic” authentication and specifically set “AllowUnencrypted = true”.
>
> Adding the SSL layer just adds overhead for extremely little benefit.
>
> But to answer your question – you generate a SSL key for computers the same way you do it for users. Via GPO. Just in the computer section of the policy instead of the user section of the policy.

I don't do it that way (yet), for users or computers, at the moment. (Well, I've issued computer certs before, usually only via a cert request, tho.) I'll have to look that up ...

>There is a default Computer template in your CA, although I strongly recommend you modify it and turn off the “supply subject in request” and turn on “acquire subject from AD”.

More things to look up! LOL

OK, thanks. Sounds like more trouble than it's worth ... having said that, my co-worker who is our main Ivanti admin (the new name for LANDesk) just said something similar, "I am getting the error that WinRM cannot complete the operation on the script I'm trying to run." .... That's all I know about that, at the moment, so maybe it's not related, I dunno, I haven't seen the actual error yet ...

Kurt Buff

Apr 30, 2026, 4:28:33 PM
to ntsys...@googlegroups.com
Adding certs for computers and users is as easy as it gets. Copy the template and adjust as needed, configure the GPO, and you're done.

But MBS is correct - requiring SSL for WinRM is silly.

Kurt