WinRm - Cannot create a WinRM listener on HTTPS due to incorrect SSL certificate


Problem description

I want to use WinRM with https transport. I've bought a Comodo certificate (the error states I cannot use a self-signed certificate) with the Subject matching my FQDN (Full computer name in System) of my Windows 10 computer (not domain joined):

CN = my.domain.net 
OU = PositiveSSL 
OU = Domain Control Validated

When trying to create a https listener with the following command:


winrm quickconfig -transport:https

I get the error message:

Error number: -2144108267 0x80338115 Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

I've installed (double-click the *.crt file) the certificate in several stores (local machine / personal and Trusted Root Certification Authorities) but WinRM fails to create the https listener. The http listener is working OK.

Some extra info: When using certreq to try to install the *.cer certificate, I get the error:


Element not found. 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)

How do I get WinRM working with https?

Recommended answer

Here is how I solved this issue:


  • create an SSL CSR using DigiCert Certificate Utility for Windows from digicert.com
  • use the generated CSR to request a certificate. I used versio.nl but I'll guess there are a lot of CAs out there
  • Install the certificate by double-clicking it
  • go to the certificate manager for user
  • right-click the certificate (it should be in the personal store) and export it - follow the wizard and be sure to export the private key
  • install the newly exported certificate (mark the key as exportable and include all extended properties) in the local computer certificate store

Open a console (cmd) with administrator privileges and type:


winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="server.fqdn";CertificateThumbprint="YOURCERTIFICATETHUMBPRINT"}

This worked for me. Some things to check if it is not working:


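  1. The certificate is still valid (check the date range)
  2. Check that the certificate property Subject has a CN value containing the FQDN of the computer
  3. Check that the listener is installed (winrm e winrm/config/listener)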

It took me a lot of hours to figure this out. I hope it will help some of you out there.
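
The conditions named in the error message and in the checklist above can be checked in one pass over the local computer's Personal store. The following PowerShell is an added example, not part of the original answer; it assumes the listener hostname is the machine's own FQDN, and the variable names are illustrative.

```powershell
# Added example: report, per certificate in Cert:\LocalMachine\My, the conditions
# named in error 0x80338115 plus whether a private key is attached.
# Revocation is not checked here.

# Assumption: the listener hostname is this machine's FQDN; set $Fqdn by hand if not.
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication (id-kp-serverAuth)
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # First CN component of the Subject, e.g. "CN=my.domain.net, OU=PositiveSSL"
    $cn = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { '' }

    # Enhanced Key Usage extension, if the certificate carries one
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $serverAuth = [bool]($eku -and
        ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        CN            = $cn
        CnMatchesFqdn = ($cn -eq $Fqdn)      # string -eq is case-insensitive
        InDate        = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ServerAuthEku = $serverAuth
        HasPrivateKey = $cert.HasPrivateKey  # False when only the public .crt/.cer was imported
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)   # heuristic: subject equals issuer
    }
} | Format-Table -AutoSize
```

A certificate that fits the listener shows True in every column except SelfSigned; its Thumbprint value is what goes into the `winrm create` command.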
