Submit a certificate request to an enrollment server and installs the response or retrieves a certificate for a previously submitted request.

      Get-Certificate [-Url Uri] -Template String [-SubjectName String  [-DnsName String[]]
         [-Credential PkiCredential] [-CertStoreLocation String] [-WhatIf] [-Confirm]

      Get-Certificate -Request Certificate [-Credential PkiCredential] [-WhatIf] [-Confirm]
      The path to the certificate store for the received certificate.
      If the request is made pending, then the request object is saved in the corresponding request store.
      Note: Only My store is supported.

      Prompt you for confirmation before running the cmdlet.

      Specify the credential to use for certificate enrollment.
      The credential can be a user name and password (a credential object), an X509 certificate, or the path to a cert.
      If a credential is not specified, then Kerberos authentication is used.

      Specify one or more DNS names to be included in the certificate request as subject alternative name extension.

      The X509 certificate or the path to a requested certificate located in the request store.

      The subject name to be included in the certificate request.

      The object identifier or name of a certificate template to use with the certificate request.

      The policy server URL to use for certificate enrollment.
      Credentials are required if the endpoint requires a user name and password or certificate authentication from the client.
      If credentials are not found and Windows PowerShell is in interactive mode, then a prompt for credentials will appear.

      Show what would happen if the cmdlet runs. The cmdlet is not run.

Standard Aliases for Get-Certificate: none

Get-Certificate can be used to submit a certificate request and install the resulting certificate, install a certificate from a pending certificate request, and enroll for ldap. If the request is issued, then the returned certificate is installed in the store determined by the CertStoreLocation parameter and return the certificate in the EnrollmentResult structure with status Issued. If the request is made pending, then the request is installed in the machine REQUEST store and a request is returned in the EnrollmentResult structure with status Pending.

This cmdlet can be used in a Stateless mode where this cmdlet does not look up anything in the vault or in a Stateful mode where it looks at registered certificate enrollment policy servers by identifier (ID) and credential. When used with a request object and no credential, this cmdlet will look up credentials in the vault based on the URL for the enrollment policy server.

This cmdlet will not accept a policy server identifier (ID). If a URL is not specified, then only the default certificate enrollment policy ID is used and the cmdlet will attempt to obtain policy information from any of its URLs.

Delegation may be required when using this cmdlet with Windows PowerShell® remoting and changing user configuration.

Client certificates are not returned by this cmdlet, but can instead be retrieved with Get-ChildItem

Get the installed personal certificates:
Get-ChildItem 'Cert:\CurrentUser\My' | Format-Table Subject, FriendlyName, Thumbprint -AutoSize

#Get the installed local machine certificates from a remote machine

$Certs = Invoke-Command -Computername 'Server64' -Scriptblock {Get-ChildItem "Cert:\LocalMachine\My"}


Submit a certificate request for the SslWebServer template to the specific URL using the user name and password credentials.:

PS C:\> $up = Get-Credential
PS C:\> Get-Certificate -Template SslWebServer -DnsName, -Url -Credential $up -CertStoreLocation cert:\LocalMachine\My

Submit a certificate request to a specific URL using the certificate credential for authentication:

$certsource = @{
   Template = 'SslWebServer'
   DnsName= ""
   Url = ""
   Credential = $cert
   CertStoreLocation = 'cert:\LocalMachine\My'
$cert = Get-ChildItem -Path cert:\LocalMachine\My\EEDEF61D4FF6EDBAAD538BB08CCAADDC3EE28FF

$enrollResult = Get-Certificate @certsource

Use Windows integrated authentication to enroll for a certificate of template User using direct DCOM calls to the CA:

PS C:\> Set-Location -Path cert:\CurrentUser\My
PS cert:\CurrentUser\My> Get-Certificate -Template User -Url ldap:

“Do not act as if you were going to live ten thousand years. Death hangs over you.
While you live, while it is in your power, be good” ~ Marcus Aurelius, Meditations

Related PowerShell Cmdlets

Export-Certificate - Export a certificate from a certificate store into a file.
Import-Certificate - Import one or more certificates into a certificate store.
Equivalent CMD commands: CERTUTIL - Display certification authority, configure Certificate Services. CERTREQ - Request cert.

Copyright © 1999-2024
Some rights reserved