Deploy cert via WinRM to another server?

What is the supposed way to deploy a cert via PS to another WinRM enabled machine?

Either way of trying to do / test stuff on another device, will result in some kind of error:

[ERR] PowerShell Execution Mode: SystemProcess (selected Automatic, overridden because Full Impersonation requires a new process).
PowerShell Executable: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
Launching Process C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe using full Windows impersonation as fritz-edv.local\Administrator.
PowerShell Full Impersonation: user profile loading is disabled.
PowerShell Full Impersonation: service identity is NT-AUTORITÄT\SYSTEM.
PowerShell Full Impersonation: target identity is domain.local\Administrator; logon type is interactive.
PowerShell Full Impersonation: user logon token acquired.
PowerShell Full Impersonation: created user environment block.
Error Running Script with Full Impersonation: System.ComponentModel.Win32Exception (5): CreateProcessWithLogonW failed.
   at Certify.Management.PowerShellManager.StartProcessWithToken(ProcessStartInfo startInfo, SafeTokenHandle token, Dictionary`2 credentials, Boolean loadUserProfile, Int32 timeoutMinutes, StringBuilder log) in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Shared.Extensions\Utils\PowerShellManager.FullImpersonation.cs:line 163
   at Certify.Management.PowerShellManager.RunProcessWithFullImpersonation(ProcessStartInfo startInfo, Dictionary`2 credentials, String logonType, Boolean loadUserProfile, Int32 timeoutMinutes, StringBuilder log, Action cleanup) in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Shared.Extensions\Utils\PowerShellManager.FullImpersonation.cs:line 38
[ERR] PowerShell Execution Mode: SystemProcess (selected Automatic, overridden because Full Impersonation requires a new process).
PowerShell Executable: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
Launching Process C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe using full Windows impersonation as fritz-edv.local\Administrator.
PowerShell Full Impersonation: user profile loading is disabled.
PowerShell Full Impersonation: service identity is NT-AUTORITÄT\SYSTEM.
PowerShell Full Impersonation: target identity is domain.local\Administrator; logon type is network.
PowerShell Full Impersonation: user logon token acquired.
PowerShell Full Impersonation: created user environment block.
Error Running Script with Full Impersonation: System.ComponentModel.Win32Exception (5): CreateProcessWithLogonW failed.
   at Certify.Management.PowerShellManager.StartProcessWithToken(ProcessStartInfo startInfo, SafeTokenHandle token, Dictionary`2 credentials, Boolean loadUserProfile, Int32 timeoutMinutes, StringBuilder log) in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Shared.Extensions\Utils\PowerShellManager.FullImpersonation.cs:line 163
   at Certify.Management.PowerShellManager.RunProcessWithFullImpersonation(ProcessStartInfo startInfo, Dictionary`2 credentials, String logonType, Boolean loadUserProfile, Int32 timeoutMinutes, StringBuilder log, Action cleanup) in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Shared.Extensions\Utils\PowerShellManager.FullImpersonation.cs:line 38
[ERR] PowerShell Execution Mode: InProcess (selected Automatic, using in-process PowerShell for Windows credential impersonation compatibility).
PowerShell Host: Core 7.6.2
Error: Cannot process command because of one or more missing mandatory parameters: result.

The product is not currently designed to perform remote powershell but you may be able use that.

There is some guidance around impersonation at PowerShell Support and Execution Modes | Certify The Web Docs and you may be able to use winrm if you use the System Powershell mode but you may need to run the Certify service under a different (administrator group) account to achieve remote impersonation. To do that you need to start with a fresh install or reconfigure any stored credentials as the service account is used to encrypt them.

The alternatives include:

  • Run Certify on the target machine t get the certificate you need. This is the normal approach. You can combine to this with the Certify Management Hub if you need to administer many servers or if you want to use Certificate Subscriptions.
  • Use your own Windows scheduled task to export the PFX to the desired location and run the scripts, either export task via UNC to the target machine and let it pick up the file, or remote scripting from your source machine.