ansible/examples
David Norman 7963279fc2 Generate SHA256 signed certificates for WinRM (#36668)
* Generate SHA256 signed certificates

Vulnerability scanners are increasingly reporting SHA-1 signed certificates as a vulnerability on servers. Before this change, -ForceNewSSLCert generates a signature algorithm that openssl shows as sha1WthRSAEncryption for WinRM port 5986. After, this forces certificates to be signed with SHA256, which openssl shows sha256WithRSAEncryption.

Some example SHA-1 deprecations include:
- https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2017/4010323
- https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

Also note that RDP 3389 on Windows 2016 also defaults to a SHA256 certificate.

The specifics were merged from a script mod I found at https://gallery.technet.microsoft.com/scriptcenter/PowerShell-script-to-7a0321b7 intended for Exchange. It also includes a mod to add an alternate DNS listing so the cert contains CN=HOSTNAME plus now also an alternative of the FQDN.

I tested this change on Windows 2008R2, 2012R2, and 2016 Datacenter.

* Keep WinRM cert key length at 4096.

* Remove WinRM cert exportpolicy setting.
2018-04-20 09:01:48 +10:00
..
playbooks Wrong target for link? 2013-07-24 15:36:21 -07:00
scripts Generate SHA256 signed certificates for WinRM (#36668) 2018-04-20 09:01:48 +10:00
ansible.cfg Implement plugin filtering 2018-01-22 16:54:53 -08:00
DOCUMENTATION.yml Link to module developing_modules_documenting.html 2017-04-03 17:17:12 +01:00
hosts comment examples in default hosts file 2015-12-04 16:24:19 -05:00
hosts.yaml minor text fixes 2017-10-23 11:18:28 -04:00
hosts.yml linked cause people forget yaml and yml exist 2016-09-08 14:18:10 -04:00
plugin_filters.yml Implement plugin filtering 2018-01-22 16:54:53 -08:00