PSv4+ New-PSSession with -CertificateThumbprint only works with ADCS generated certificates
I am unable to authenticate with a client certificate generated from OpenSSL or New-SelfSignedCertificate from a Windows 10 or 2012R2 PowerShell remoting client (likely broken in 8.1, but I did not test). I receive the following error:
new-PSSession : The WinRM client cannot process the request. If you are using a machine certificate, it must contain a DNS name in the Subject Alternative Name extension or in the Subject Name field, and no UPN name. If you are using a user certificate, the Subject Alternative Name extension must contain a UPN name and must not contain a DNS name. Change the certificate structure and try the request again.
The UPN is correctly specified in the SAN and there is no DNS entry.
I CAN authenticate with the same certificates from Windows 7 or 2008R2, and I can also authenticate from Windows 10/2012R2 if I use the Ruby or Python WinRM libraries.
I checked the binary contents of both an ADCS-generated cert and an OpenSSL one, and my SAN contents are binary identical.
Please see http://www.hurryupandwait.io/blog/certificate-password-less-based-authentication-in-winrm for more details.