This PowerShell script can be used to install an HTTPS WSMan Listener on a computer with a valid certificate.
2015-12-06: Added logging support. 2015-09-25: Initial Version.
This script is designed to be called from a Startup/Logon PowerShell GPO. The Distinguished Name of the certificate issuer must be passed to the script. The script can be run outside of a GPO if required.
The computer MUST have a valid certificate with the following properties:
If a certificate can't be found that matches the above properties then the WSMan HTTPS listener will not be installed. Please ensure that at least one computer certificate on each computer matches these properties - it is recommended that you configure a custom autoentrollment computer certificate to ensure the Subject Name and Alternate Subject names are automatically populated.
If a WSMan HTTPS listener already exists on this computer then the script will not execute which allows the script to be set to always run at computer start up.
The WSMan HTTPS Listener is installed to port 5986 by default, but this can be changed by specifying the port parameter.
Normally, the script will first look for a Server Authentication certificate that has a DNS name matching the FQDN of the computer, and if one can't be found it will look for one using only the computer name. The script can be restricted so that it will only look for FQDN or Computer name rather than both by passing the
Normally this script will be used in conjunction with a Computer Certificate Autoenrollment GPO. If this is the case you should ensure that the Autoenrollment Computer Certificate Template that is being used to issue server certificates should generate a valid Subject containing the computer DNS name (and optionally Alternate Subject as well).
The full Distinguished Name of the Issing CA that will have issued the certificate to be used for this HTTPS WSMan Listener. It is a required parameter.
The allowed DNS Name types that will be used to find a matching certificate. Default: Both
The certificate used must also have an alternate subject name containing the DNS name found in the subject as well. Default: False
This is the port the HTTPS WSMan Listener will be installed onto. Default: 5986
This optional parameter contains a full path and file name to the log file to create. If this parameter is not set then a log file will not be created. Default: None
Install a WSMan HTTPS listener from an appropriate machine certificate issued by 'CN=LABBUILDER.COM Issuing CA, DC=LABBUILDER, DC=COM':
Install-WSManHttpsListener -Issuer 'CN=CONTOSO.COM Issuing CA, DC=CONTOSO, DC=COM'Install a WSMan HTTPS listener from an appropriate machine certificate issued by 'CN=LABBUILDER.COM Issuing CA, DC=LABBUILDER, DC=COM' on port 7000:
Install-WSManHttpsListener -Issuer 'CN=CONTOSO.COM Issuing CA, DC=CONTOSO, DC=COM' -Port 7000See:
Get-Help .\Install-WSManHttpsListener.ps1 -FullFor more information.
Copyright 2015 Daniel Scott-Raynsford
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.