Get-Certificate
NAME Get-Certificate
SYNOPSIS
Submits a certificate request to an enrollment server and installs the response or retrieves a certificate for a previously submitted request.
SYNTAX
Get-Certificate [-CertStoreLocation <String>] [-Credential <PkiCredential>] [-DnsName <String[]>] [-SubjectName <String>] [-Url <Uri>] -Template
<String> [-Confirm] [-WhatIf] [<CommonParameters>]
Get-Certificate [-Credential <PkiCredential>] -Request <Certificate> [-Confirm] [-WhatIf] [<CommonParameters>]
DESCRIPTION
The Get-Certificate cmdlet can be used to submit a certificate request and install the resulting certificate, install a certificate from a pending
certificate request, and enroll for LDAP. If the request is issued, then the returned certificate is installed in the store determined by the
CertStoreLocation parameter and the certificate is returned in the EnrollmentResult structure with status Issued. If the request is made pending, then the
request is installed in the machine REQUEST store and a request is returned in the EnrollmentResult structure with status Pending.
This cmdlet can be used in a Stateless mode where this cmdlet does not look up anything in the vault or in a Stateful mode where it looks at registered
certificate enrollment policy servers by identifier (ID) and credential. When used with a request object and no credential, this cmdlet will look up
credentials in the vault based on the URL for the enrollment policy server.
This cmdlet will not accept a policy server identifier (ID). If a URL is not specified, then only the default certificate enrollment policy ID is used
and the cmdlet will attempt to obtain policy information from any of its URLs.
Delegation may be required when using this cmdlet with Windows PowerShell® remoting and changing user configuration.
PARAMETERS
-CertStoreLocation [<String>]
Specifies the path to the certificate store for the received certificate. If the request is made pending, then the request object is saved in the
corresponding request store. Note: Only My store is supported.
Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false
-Credential [<PkiCredential>]
Specifies the credential to use for certificate enrollment. The credential can be a user name and password (a credential object), an X509
certificate, or the path to a certificate. If a credential is not specified, then Kerberos authentication is used.
Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false
-DnsName [<String[]>]
Specifies one or more DNS names to be included in the certificate request as subject alternative name extension.
Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false
-Request <Certificate>
Specifies the X509 certificate or the path to a requested certificate located in the request store.
Required? true
Position? named
Default value none
Accept pipeline input? True (ByValue)
Accept wildcard characters? false
-SubjectName [<String>]
Specifies the subject name to be included in the certificate request.
Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false
-Template <String>
Specifies the object identifier or name of a certificate template to use with the certificate request.
Required? true
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false
-Url [<Uri>]
Specifies the policy server URL to use for certificate enrollment. Credentials are required if the endpoint requires a user name and password or
certificate authentication from the client. If credentials are not found and Windows PowerShell® is in interactive mode, then a prompt for
credentials will appear.
Required? false
Position? named
Default value none
Accept pipeline input? True (ByValue, ByPropertyName)
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Required? false
Position? named
Default value false
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
System.Security.Cryptography.X509Certificates.X509Certificate2
The Certificate object can either be provided as a Path object to a certificate or an X509Certificate2 object.
System.Uri
The Uri object can also be pipelined by the Url property name.
OUTPUTS
Microsoft.CertificateServices.Commands.EnrollmentResult
The EnrollmentResult object contains the results of enrollment.
EXAMPLE 1
PS C:\>$up = Get-Credential
PS C:\>Get-Certificate -Template SslWebServer -DnsName www.contoso.com,www.fabrikam.com -Url https://www.contoso.com/Policy/service.svc -Credential $up -CertStoreLocation cert:\LocalMachine\My
This example submits a certificate request for the SslWebServer template to the specific URL using the user name and password credentials. The request
will have two DNS names in it. This is for a certificate in the machine store. If the request is issued, then the returned certificate is installed in
the machine MY store and the certificate in the EnrollmentResult structure is returned with the status Issued. If the request is made pending, then the
request is installed in the machine REQUEST store and the request in the EnrollmentResult structure is returned with the status Pending.
EXAMPLE 2
PS C:\>$cert = ( Get-ChildItem -Path cert:\LocalMachine\My\EEDEF61D4FF6EDBAAD538BB08CCAADDC3EE28FF )
PS C:\>$enrollResult = Get-Certificate -Template SslWebServer -DnsName www.contoso.com -Url https://www.contoso.com/policy/service.svc -Credential $cert -CertStoreLocation cert:\LocalMachine\My
This example submits a certificate request to a specific URL using the certificate credential for authentication.
EXAMPLE 3
PS C:\>Set-Location -Path cert:\LocalMachine\My
PS C:\>$enrollResult = ( Get-Certificate -Template WorkstationTemplate -Url https://www.contoso.com/service.svc )
This example authenticates the URL using the machine account and Windows integrated authentication and submits a request for a machine certificate of
template named WorkstationTemplate.
EXAMPLE 4
PS C:\>Set-Location -Path cert:\CurrentUser\My
PS C:\>Get-Certificate -Template User -Url ldap:
This example uses Windows integrated authentication to enroll for a certificate of template User using direct DCOM calls to the CA.
EXAMPLE 5
PS C:\>$request = (Get-ChildItem -Path cert:\LocalMachine\Request\EEDEF61D4FF6EDBAAD538BB08CCAADDC3EE28FF)
PS C:\>$up = Get-Credential
PS C:\>Get-Certificate -Request $request -Credential $up
This example retrieves and submits a pending request using a user name and password as credentials.
EXAMPLE 6
PS C:\>$request = (Get-ChildItem -Path cert:\LocalMachine\Request\EEDEF61D4FF6EDBAAD538BB08CCAADDC3EE28FF)
PS C:\>Get-Certificate -Request $request
This example retrieves the certificate identified by $request. If the authentication type for $request.EnrollmentServer.AuthType is not Kerberos, then
the cmdlet looks in the credential store for a credential for $request.EnrollmentServer.Url. If there is a credential, it is used. If there is no
credential, then Windows PowerShell® will request it (if Windows PowerShell is in interactive mode).
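The following is an added example, not part of the original help text. It shows how a script can branch on the Issued and Pending outcomes described above and confirm that the installed certificate carries only the DNS names that were requested. The template, URL and DNS names are the sample values from Example 1; the variable names are illustrative.

```powershell
# Added example (not from the original help text).
# Template, URL and DNS names are the sample values from Example 1.
$requestedDns = 'www.contoso.com', 'www.fabrikam.com'
$storePath    = 'Cert:\LocalMachine\My'

$result = Get-Certificate -Template SslWebServer -DnsName $requestedDns `
    -Url https://www.contoso.com/Policy/service.svc `
    -Credential (Get-Credential) -CertStoreLocation $storePath -ErrorAction Stop

switch ($result.Status) {
    'Issued' {
        # Re-read the certificate from the store so the checks apply to
        # what was actually installed, not only to the returned object.
        $cert = Get-Item -Path "$storePath\$($result.Certificate.Thumbprint)"

        # DNS names PowerShell reports for the certificate.
        $issuedDns  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $unexpected = @($issuedDns    | Where-Object { $_ -notin $requestedDns })
        $missing    = @($requestedDns | Where-Object { $_ -notin $issuedDns })

        if ($unexpected.Count -or $missing.Count) {
            Write-Warning ("DNS name mismatch. Unexpected: {0}; missing: {1}" -f
                ($unexpected -join ','), ($missing -join ','))
        }
        if (-not $cert.HasPrivateKey) {
            Write-Warning "Certificate $($cert.Thumbprint) has no associated private key."
        }
        "Issued {0}, valid until {1:u}" -f $cert.Thumbprint, $cert.NotAfter
    }
    'Pending' {
        # The request now sits in the machine REQUEST store. Keep its
        # thumbprint so it can be retrieved later with -Request
        # (see Examples 5 and 6).
        "Pending; request thumbprint {0}" -f $result.Request.Thumbprint
    }
    default {
        Write-Error "Enrollment ended with status '$($result.Status)'."
    }
}
```

Run it from an elevated session, because the target is the machine store. For a pending result, pass the stored request object back with Get-Certificate -Request once the CA has acted on it.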
RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/p/?linkid=287528
Get-ChildItem
Get-Credential
Set-Location