Thursday, 31 January 2019

How To: Configure WINRM for HTTPS


WinRM uses the HTTPS connection type on the Hyper-V server when you use SSL to connect to the server. The default HTTPS port is 5986.
Follow these steps:
1.    Generate a self-signed certificate for the remote host.

a.    In Server Manager, navigate to Roles > Web Server (IIS) > Internet Information Services, and select the name of the server for which you want to generate the certificate.
b.    In IIS, open Server Certificates.
c.     In Actions, click Self-Signed Certificate.
d.    Define a certificate name, and then click OK.
The certificate appears in the Server Certificates list.
e.    (Optional) Verify that the certificate exists in the correct certificate store.
•  Navigate to Start > Run, and execute the following command:
certmgr.msc
•  Navigate to Trusted Root Certification Authorities > Certificates.
Verify that the latest certificate appears in the list.
2.    Enter the following command to find the thumbprint of the certificate for the remote host:
Get-ChildItem cert:\LocalMachine\Root\ | Select-String -Pattern <HOSTNAME>
3.    Enter the following command to create an HTTPS WinRM listener for the remote host (XenDesktop server) with the thumbprint from the previous step:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<CN>"; CertificateThumbprint="<THUMBPRINT>"}
4.    Export the certificate.
Note: CA recommends that you export certificates to removable media, such as a floppy disk or USB flash drive.
a.    Click the Windows Start button.
b.    Enter certmgr.msc in the Search field.
c.     Enter administrator credentials, if prompted.
The Certificate Manager opens.
d.    Right-click the certificate that you want to export, choose All Tasks, then click Export.
e.    Click Next in the Certificate Export Wizard.
f.     Click No, do not export the private key and then click Next.
g.    Select the Base64 encoded X.509 format, then click Next.
The export process creates a file to store the certificate.
h.    Specify a name and location for the certificate file.
i.      Click Finish.
5.    Create a keystore file for the client-side connection (configuration). This procedure uses the Java keytool to generate the keystore. The keystore can be generated on any machine where the JRE is installed and available in %PATH%.
a.    Enter the following command:
keytool -importcert -file "<CERTIFICATE>" -keystore "<KEYSTORE>.jks"
For CERTIFICATE, enter the file name of the certificate exported in the previous step.
For KEYSTORE, enter a name for the keystore in the format <path\name>.jks.
For example:
keytool -importcert -file "C:\Test1.cer" -keystore "C:\test.jks"
b.    Enter a password when prompted.
c.     Enter Yes when prompted to trust the certificate.
The keystore is available in the path specified.
6.    Copy the keystore file to the client machine from which you want to make the connection.
7.    In the App configuration GUI, edit or create the profile that represents the server:
a.    Click the Use SSL check box and set the Port as 5986.
b.    Enter the appropriate information in the Keystore Location and Keystore Password fields.
c.    Click OK.
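
Step 5c asks you to trust the certificate, so it is worth confirming first that the file exported in step 4 is the certificate whose thumbprint was bound to the listener in step 3. The following Python check is an added example, not part of the original post: it computes the Windows thumbprint (SHA-1 over the DER bytes) of a Base64 or DER export and compares it with a thumbprint pasted from the certificate dialog. The function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_thumbprint(data: bytes) -> str:
    """Return the Windows-style thumbprint: SHA-1 over the DER bytes."""
    m = PEM_RE.search(data)
    # A Base64 X.509 export is decoded first; anything else is taken as DER.
    der = base64.b64decode(m.group(1)) if m else data
    return hashlib.sha1(der).hexdigest().upper()

def normalize(thumbprint: str) -> str:
    """Keep hex digits only. Values copied from the certificate dialog can
    carry spaces and an invisible leading U+200E character."""
    return "".join(c for c in thumbprint if c in "0123456789abcdefABCDEF").upper()

def matches(cert_data: bytes, expected_thumbprint: str) -> bool:
    """True when the exported file hashes to the expected thumbprint."""
    return hmac.compare_digest(cert_thumbprint(cert_data),
                               normalize(expected_thumbprint))

# Constructed sample: placeholder bytes (b"abc") in PEM armor, not a real
# certificate, plus its SHA-1 formatted the way the dialog displays it.
SAMPLE_CER = b"-----BEGIN CERTIFICATE-----\r\nYWJj\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_THUMBPRINT = "\u200ea9 99 3e 36 47 06 81 6a ba 3e 25 71 78 50 c2 6c 9c d0 d8 9d"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check.py <exported.cer> <thumbprint>
        with open(sys.argv[1], "rb") as f:
            ok = matches(f.read(), sys.argv[2])
    else:
        ok = matches(SAMPLE_CER, SAMPLE_THUMBPRINT)
    print("thumbprint matches" if ok else "MISMATCH: do not import this certificate")
    sys.exit(0 if ok else 1)
```

Run it on the client machine against the copied certificate file before running keytool, and answer Yes at the trust prompt only when it reports a match.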
