David Norman 7963279fc2 Generate SHA256 signed certificates for WinRM (#36668) ... * Generate SHA256 signed certificates Vulnerability scanners are increasingly reporting SHA-1 signed certificates as a vulnerability on servers. Before this change, -ForceNewSSLCert generates a signature algorithm that openssl shows as sha1WthRSAEncryption for WinRM port 5986. After, this forces certificates to be signed with SHA256, which openssl shows sha256WithRSAEncryption. Some example SHA-1 deprecations include: - 4010323 - https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/ Also note that RDP 3389 on Windows 2016 also defaults to a SHA256 certificate. The specifics were merged from a script mod I found at https://gallery.technet.microsoft.com/scriptcenter/PowerShell-script-to-7a0321b7 intended for Exchange. It also includes a mod to add an alternate DNS listing so the cert contains CN=HOSTNAME plus now also an alternative of the FQDN. I tested this change on Windows 2008R2, 2012R2, and 2016 Datacenter. * Keep WinRM cert key length at 4096. * Remove WinRM cert exportpolicy setting.		2018-04-20 09:01:48 +10:00
..
ConfigureRemotingForAnsible.ps1	Generate SHA256 signed certificates for WinRM (#36668)	2018-04-20 09:01:48 +10:00
upgrade_to_ps3.ps1	Found issue on different System architecture.	2014-11-04 17:38:08 +01:00
uptime.py	Update example uptime script to provide correct type for explicit individual hosts (#34740)	2018-01-16 11:39:15 -06:00