-
Notifications
You must be signed in to change notification settings - Fork 54
/
winrm_enable_ca_cert.yml
49 lines (43 loc) · 2.13 KB
/
winrm_enable_ca_cert.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
- name: winrm enable cert
hosts: all
vars:
# make sure you're using HTTP (default port 5985) as we need to delete HTTPS and replace with HTTPS using our cert
# you can start using HTTPS (port 5986) with your newly imported cert after running this playbook
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_transport: credssp
ansible_winrm_server_cert_validation: ignore
tasks:
# we generate a self-signed cert as an example, you can remove this task if you have an existing certificate
- name: generate a new self-signed cert
win_shell: |
$store_location = 'cert:\localmachine\my'
$cert = New-SelfSignedCertificate -certstorelocation $store_location -dnsname {{ ansible_fqdn }}
$pwd = ConvertTo-SecureString -String "{{ ansible_password }}" -Force -AsPlainText
$path = $store_location + '{{"\\"}}' + $cert.thumbprint
Export-PfxCertificate -cert $path -FilePath C:\winrm_cert.p12 -Password $pwd
# uncomment the task below and update the src in this task if you want to copy and import and existing cert
#- name: copy CA cert
# win_copy:
# src: cert.pfx
# dest: C:\winrm_cert.p12
- name: import cert
win_certificate_store:
path: C:\winrm_cert.p12
state: present
store_location: LocalMachine
store_name: My
password: "{{ ansible_password }}" # here you can update the password accordingly or remove if you don't have
register: winrm_ca_cert
- debug:
msg: "{{ winrm_ca_cert.thumbprints[0] }}"
- name: delete winrm HTTPS listener
win_shell: winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
register: delete_winrm_https_listener
failed_when:
- delete_winrm_https_listener.rc != 0
- ('The service cannot find the resource' not in delete_winrm_https_listener.stderr)
changed_when: delete_winrm_https_listener.rc == 0
- name: enable winrm to use the CA cert
win_shell: |
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="{{ ansible_fqdn }}"; CertificateThumbprint="{{ winrm_ca_cert.thumbprints[0] }}"}'