Using letsencrypt as a CA, a non-admin user automatically requests a new certificate to be used by the winrm https listener once the old one is about to expire. To make winrm actually use the certificate, the CertificateThumbprint of the listener needs to be set to the new certificate's thumbprint.
This can be done like this:
Set-WSManInstance -ResourceURI winrm/config/Listener `
-SelectorSet @{Address="*";Transport="HTTPS"} `
-ValueSet @{CertificateThumbprint=$thumbprint}
However, our non-admin user obviously is not allowed to do this (yet):
Set-WSManInstance : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5"
Machine="localhost"><f:Message>Access is denied. </f:Message></f:WSManFault>
At line:1 char:1
+ Set-WSManInstance -ResourceURI winrm/config/Listener `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (winrm/config/Listener:Uri) [Set-WSManInstance], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManInstanceCommand
How do I assign permissions to a non-admin user to update the CertificateThumbprint?
Update:
The thumbprint is apparently stored in HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener\*+HTTPS\certThumbprint.
Unfortunately, changing that registry key and restarting the WinRM service still results in the old cert being served. Actually, even after removing the cert from the cert store and restarting WinRM, it is still served. So there must be some cache or auxiliary process which needs to be cleared/restarted.
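A way to tell the two states apart that the question describes (what the listener is configured with versus what is actually served) is to read the listener configuration with Get-WSManInstance and, separately, open a TLS connection to the listener and look at the certificate the server presents. The script below is an added example, not code from the question or from any Microsoft documentation; it assumes the listener uses Address="*" on the default WinRM HTTPS port 5986, and the 14-day expiry warning threshold is an arbitrary choice.

```powershell
# Added example: compare the thumbprint the WinRM HTTPS listener is configured
# with against the certificate the listener actually presents over TLS.
# Assumptions: listener selector Address="*", Transport="HTTPS"; port 5986.
param(
    [string]$ComputerName = 'localhost',
    [int]$Port = 5986
)

function Get-ConfiguredListenerThumbprint {
    # Reads the configured thumbprint from the WinRM listener definition.
    $listener = Get-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' }
    # WinRM may store the thumbprint with embedded spaces; normalise it.
    return ([string]$listener.CertificateThumbprint) -replace '\s', ''
}

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    # Open a raw TLS session and capture whatever certificate the server sends.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any certificate: this is inspection, not trust.
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $served
    }
    finally {
        $client.Close()
    }
}

$configured = Get-ConfiguredListenerThumbprint
$served     = Get-ServedCertificate -HostName $ComputerName -Port $Port

"Configured thumbprint : $configured"
"Served thumbprint     : $($served.Thumbprint)"
"Served cert subject   : $($served.Subject)"
"Served cert expires   : $($served.NotAfter)"

if ($configured -ne $served.Thumbprint) {
    # This is exactly the situation in the update above: the configuration
    # points at the new certificate but the service still hands out the old one.
    Write-Warning 'Listener serves a different certificate than it is configured with; the change has not taken effect.'
}
elseif ($served.NotAfter -lt (Get-Date).AddDays(14)) {
    # Threshold is an assumption; pick whatever fits the renewal schedule.
    Write-Warning 'Served certificate expires within 14 days.'
}
```

Run it after each renewal step (registry change, service restart) to see which step actually changes the served certificate; reading the listener configuration requires WinRM read access, while the TLS probe only needs network reachability to the port.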