WinRM certificate auth is, plain and simple, complex and not recommended. It's the most complex option to set up and has loads of caveats and downsides, so I wouldn't really recommend its use.
> First question would be why am I creating a cert for Ansible on the Linux server and then creating a SSL cert on the Windows server?

WinRM certificate auth is based on X509 mutual authentication [1]. It's a very enterprise-like setup, but IMO it's quite difficult to set up properly, and then WinRM adds even more complication on top that reduces its effectiveness. But ultimately it boils down to having both the client and server trust each other, which requires both entities to have their own X509 certificate and a private key that backs that cert. These keys are used for:

- Windows - This is the certificate that is used by WinRM to back its https endpoint. It's a server certificate and, when used properly, it is designed to allow clients who connect to the server the ability to trust it is who it says it is. This cert is required for any auth methods that run on the https endpoint.
- Ansible - This is the certificate that is used by Ansible to authenticate as a local user on the Windows host. This is purely for WinRM certificate auth.

That is why you need to generate 2 certificates: one for the server so it can allow clients to verify it is who it says it is, and another for the client (Ansible) to tell the server who it is. So think of the 2nd certificate generated on the Ansible host as something that is unrelated to the cert that is generated by Windows for WinRM.

At the heart of this client certificate setup are 2 files:

- The public X509 certificate with the subject 'CN=username' (ansible_winrm_cert_pem)
- The private X509 key for the above certificate; this should only be on the Ansible controller (ansible_winrm_cert_key_pem)

The public key is placed in the Root store so that Windows will trust that it knows the public key sent by Ansible, and I believe in a proper CA setup, if that key is signed by a known CA authority, only the CA authority needs to be in the Root store. It is also placed in the TrustedPeople store as I believe that is required for Windows to trust a cert that is mapped to a local account.

> Does the Windows Cert need to be installed on the Linux server?

For you to actually take advantage of the https endpoint, yes, you should be signing the certs used by the WinRM endpoint with a trusted CA and having that CA installed on your Linux server. This allows Ansible to verify the Windows host it is connecting to is actually who it says it is and not just some rogue server pretending to be it and stealing your information. So while using self-signed certs will work, it's breaking a key cornerstone of TLS, and a proper enterprise environment should be using their internal CA setup to sign and distribute the keys to the Windows host.

As for the client auth side, there is no way to install these certs for use in Ansible as authentication. One of the limitations of the WinRM certificate auth is the fact that you need both the cert and private key as plaintext files on the system. This is a limitation of the underlying Python library we are using and one of the reasons why we don't recommend you use it.

In the end I highly recommend you move across to using Kerberos auth as that provides both trust and a way to connect without a password (using keytabs). You also don't need to worry about https endpoints as the message encryption offered by Kerberos is quite strong. That's for your domain-joined servers, but for your non-domain hosts there really isn't a good way of ensuring trust between the hosts. You could still sign the WinRM certs with a known trusted CA and get your trust that way, but this would be a manual process. In the end most people just rely on self-signed certs for non-domain hosts as you still get encryption, you just miss the trust aspect.
[1] - https://medium.com/sitewards/the-magic-of-tls-x509-and-mutual-authentication-explained-b2162dec4401
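The Windows side of the client-certificate setup described above (public cert into Root and TrustedPeople, then mapped to a local account), as an added example that is not part of the original post or of Ansible's own code. It assumes the HTTPS listener already exists, that the client cert was generated on the Ansible controller with subject "CN=ansible" and a UPN subjectAltName of "ansible@localhost", and that only the public cert.pem (never the key) has been copied to C:\temp; the user name, password and path are placeholders.

```powershell
# Added example (not from the original post): install an Ansible controller's
# client certificate on a Windows host and map it to a local account for WinRM
# certificate auth. Assumptions: HTTPS listener already configured, cert.pem
# generated on the controller with subject "CN=ansible" and a UPN SAN of
# "ansible@localhost", and copied to C:\temp. Name, password and path are
# placeholders.
$username = "ansible"
$password = ConvertTo-SecureString -String "Passw0rd!" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
$certPath = "C:\temp\cert.pem"

# Only the public certificate leaves the controller; the private key stays there.
# Root: Windows must trust the issuer (a self-signed cert is its own issuer).
# TrustedPeople: required before the cert can be mapped to a local account.
$cert = Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\Root
Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\TrustedPeople | Out-Null

# Certificate auth is disabled on the WinRM service by default.
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true

# Map the client certificate to the local account. For a self-signed cert the
# issuer thumbprint is the cert's own thumbprint; with an internal CA, use the
# CA certificate's thumbprint and put the CA cert (not the leaf) in Root.
$thumbprint = $cert.Thumbprint
New-Item -Path WSMan:\localhost\ClientCertificate `
    -Subject "$username@localhost" `
    -URI * `
    -Issuer $thumbprint `
    -Credential $credential `
    -Force

# Confirm the mapping was created.
Get-ChildItem -Path WSMan:\localhost\ClientCertificate
```

On the controller side this pairs with the inventory variables named in the post: ansible_winrm_transport=certificate, ansible_winrm_cert_pem pointing at the public cert and ansible_winrm_cert_key_pem pointing at the plaintext private key, which is exactly the file that the post warns has to sit unencrypted on the controller.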