Perform the following operations in the Microsoft IIS web server.

Checking basic authentication support

Ensure the Microsoft Windows Remote Management WinRM service supports basic authentication, which is the only authentication the IIS plugin for Certificate Manager supports. 

Future releases will support other authentication methods.

To check if the WinRM service supports basic authentication

  1. Launch PowerShell in the Microsoft Windows server.

  2. Run the following command. 

    winrm get winrm/config/client/auth

  3. Check the command output includes the "Basic = true" line. For example: 

    Auth
    Basic = true
    Digest = true
    Kerberos = true
    Negotiate = true
    Certificate = true
    CredSSP = false

Configuring HTTPS for WinRM

Run the following command to check if HTTPS is enabled for the WinRM (Windows Remote Management) protocol.

winrm get winrm/config/Listener?Address=*+Transport=HTTPS

If the command raises an error, configure HTTPS for WinRM as explained below.

To configure HTTPS for WinRM

  1. Issue a certificate for WinRM. 

    Self-signed certificates will work for testing purposes but will fail certificate validation.

  2. Launch PowerShell in the Microsoft Windows server.

  3.  Import a .pfx or PKCS#12 file containing the issued new certificate, the certificate chain, and the private key for WinRM. For example:

    Import-PfxCertificate -FilePath "C:\Path\To\winrm.pfx" -CertStoreLocation Cert:\LocalMachine\My

  4. Delete the existing configuration, if any.

    winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

  5. Set the WinRM new certificate. For example:

    winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="examplehost"; CertificateThumbprint="d6013136de9f9d18244ac3bca392ce206d57fe38"}'