Forge Home


Setup WinRM over HTTPS and control some basic, essential settings. Also supports Puppet CA issued certificates.


6,865 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 2.0.1 (latest)
  • 2.0.0
  • 0.1.0
released Jul 8th 2020
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
  • Puppet >= 4.10.0 < 7.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'nekototori-winrmssl', '2.0.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add nekototori-winrmssl
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install nekototori-winrmssl --version 2.0.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Tags: ssl, https, tls, winrm


nekototori/winrmssl — version 2.0.1 Jul 8th 2020


Setup WinRM over HTTPS and control some basic, essential settings. Also supports Puppet CA issued certificates if using puppetlabs/windows_puppet_certificates.


Will configure winrm to use HTTPS from a certificate existing in the certstore.

You can choose to provide a .PEM file that openssl can read to match issuer with one in the cert store (much like how windows_puppet_certificates bootstraps), or provide the Issuer name of a certificate already in the local machine's certstore.

If you are using Puppet with a Master, you can easily leverage Puppet's CA and individual machine certs instead of issuing a certificate to each system with your org's primary CA.

Powershell command that could be used as a fact to grab a specific certificate's issuer shown below:

Get-ChildItem Cert:\LocalMachine\Root\ABC123DEF456GHI | Select -ExpandProperty Issuer

Any parameters not set will revert to their default value by winrm.

winrmssl { 'CN=Example Issuer CA Authority, OU=Example Corp, OU=Test':
  ensure => present,


issuer can be set to either the value of the "Issued By" field of the certificate to utilise, or the path to the certificate issuer's/authority's .PEM public certificate file.

port (default 5986) This is for HTTPS only.

maxmemoryshellpermb (default 1024) As per the WinRM setting. You may need to apply Microsoft KB2842230 for this to take effect.

maxtimeoutms (default 60000) As per the WinRM setting.

auth_basic (default true) Since you are HTTPS secured now, no harm in allowing Basic Auth.

auth_negotiate (default true) Manages Negotiate authentication.

auth_kerberos (default true) Manages Kerberos authentication.

auth_credssp (default false) Manages CredSSP authentication.

disable_http (default true) Removes the HTTP listener completely from WinRM so that plaintext transport is simply not available.


Note that the following example uses the []windows_puppet_certificates( module for the ca_path fact.

# read the path to the Puppet CA's .PEM file into a variable
$ca_to_trust = $facts['puppet_cert_paths']['ca_path']

winrmssl {$ca_to_trust:
  ensure => present,
  issuer => $ca_to_trust,
  #port                => 5986,
  #maxmemorypershellmb => 1024,
  #maxtimeoutms        => 60000,
  #auth_basic          => true,
  #auth_negotiate      => true,
  #auth_kerberos       => true,
  #auth_credssp        => false,
  #disable_http        => true