New-CMCertificateProfileScep
Creates a SCEP certificate profile.
New-CMCertificateProfileScep
[-AllowCertificateOnAnyDevice <Boolean>]
[-CertificateStore <CertificateStoreType>]
-CertificateTemplateName <String>
-CertificateValidityDays <Int32>
[-Description <String>]
-Eku <Hashtable>
[-EnrollmentRenewThresholdPct <Int32>]
[-EnrollmentRetryCount <Int32>]
[-EnrollmentRetryDelayMins <Int32>]
-HashAlgorithm <HashAlgorithmTypes>
[-KeySize <Int32>]
[-KeyStorageProvider <KeyStorageProviderSettingType>]
-KeyUsage <X509KeyUsageFlags>
-Name <String>
[-RequireMultifactor]
-RootCertificate <IResultObject>
-SanType <SubjectAlternativeNameFormatTypes>
[-ScepServerUrl <String[]>]
[-SubjectType <SubjectNameFormatTypes>]
-SupportedPlatform <IResultObject[]>
[-DisableWildcardHandling]
[-ForceWildcardHandling]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
The New-CMCertificateProfileScep cmdlet creates a Simple Certificate Enrollment Protocol (SCEP) certificate profile.
Note: You must create a trusted CA certificate profile before you can create an SCEP certificate profile. For information about creating a trusted CA certificate profile, see the New-CMCertificateProfileTrustedRootCA cmdlet.
Note
Run Configuration Manager cmdlets from the Configuration Manager site drive, for example PS XYZ:\>
. For more information, see getting started.
PS XYZ:\> New-CMCertificateProfileScep -CertificateTemplateName "TestTemplate01" -CertificateValidityDays 10 -Eku @{ "name1" ="1.2.3.4"; "name2" = "1.2.3.4.5" } -HashAlgorithm SHA2 -KeyUsage KeyEncipherment -Name "TestSCEPProf01" -RootCertificate (New-CMCertificateProfileTrustedRootCA -Name testing -Path "\\Server\Sharefolder\RootCA.cer" -SupportedPlatform (Get-CMSupportedPlatform -Fast -Name "All Windows 10*Client")) -SanType SubjectAltReqiureEmail -SupportedPlatform (Get-CMSupportedPlatform -Fast -Name "All Windows 10*Client")
This command creates a trusted root CA certificate, and gets all Windows 10 Client supported platforms. The command then creates a SEP certificate profile using the newly created trusted root CA certificate.
PS XYZ:\> New-CMCertificateProfileScep -CertificateTemplateName "TestTemplate02" -CertificateValidityDays 10 -Eku @{ "name1" ="1.2.3.4"; "name2" = "1.2.3.4.5" } -HashAlgorithm ShA1 -KeyUsage Digitalsignature -Name "TestSCEPProf02" -RootCertificate (New-CMCertificateProfileTrustedRootCA -Name testingSecond -Path "\\Server\Sharefolder\RootCA.cer" -SupportedPlatform (Get-CMSupportedPlatform -Fast -Name "All Windows 10*Client")) -SupportedPlatform (Get-CMSupportedPlatform -Fast -Name "All Windows 10*Client") -CertificateStore User -Description "Test description" -EnrollmentRenewThresholdPct 2 -EnrollmentRetryCount 5 -EnrollmentRetryDelayMins 7 -KeySize 2048 -KeyStorageProvider InstallToTPM_FailIfNotPresent -RequireMultiFactor -SubjectType SubjectRequireEmail -SanType SubjectAltReqiureEmail
This command creates a trusted root CA certificate, and gets all Windows 10 Client supported platforms. The command then creates a SCEP certificate using the newly created root CA certificate and setting the certificate store to User.
Indicates whether to allow certificate enrollment on any device.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the certificate type. Valid values are:
- Machine
- User
Type: | CertificateStoreType |
Accepted values: | Machine, User |
Position: | Named |
Default value: | User |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the name of a certificate template.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies, in number of days, the certificate validity period.
Type: | Int32 |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies a description for the SCEP certificate profile.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the extended key usage. The values in the hash table define the certificate's intended purpose.
Type: | Hashtable |
Aliases: | Ekus |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the percentage of the certificate lifetime that remains before the device requests renewal of the certificate.
Type: | Int32 |
Position: | Named |
Default value: | 20 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the number of times that the device automatically retries the certificate request to the server that is running the Network Device Enrollment Service.
Type: | Int32 |
Position: | Named |
Default value: | 3 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the interval, in minutes, between each enrollment attempt when you use CA manager approval before the issuing CA processes the certificate request.
Type: | Int32 |
Position: | Named |
Default value: | 1 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies one or more hash algorithm. Valid values are:
- SHA1
- SHA2
- SHA3
Type: | HashAlgorithmTypes |
Aliases: | HashAlgorithms |
Accepted values: | SHA1, SHA2, SHA3 |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the size of the key. Valid values are:
- 1024
- 2048
Type: | Int32 |
Accepted values: | 1024, 2048, 4096 |
Position: | Named |
Default value: | 2048 |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the Key Storage Provider (KSP) for the SCEP enrollment. Valid values are:
- None
- InstallToTPM_FailIfNotPresent
- InstallToTPM_IfPresent
- InstallToSoftwareKeyStorageProvider
- InstallToNGC_FailIfNotPresent
Type: | KeyStorageProviderSettingType |
Accepted values: | None, InstallToTPM_FailIfNotPresent, InstallToTPM_IfPresent, InstallToSoftwareKeyStorageProvider, InstallToNGC_FailIfNotPresent |
Position: | Named |
Default value: | InstallToTPM_IfPresent |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies one or more key usage for the certificate. Valid values are:
- KeyEncipherment
- DigitalSignature
Type: | X509KeyUsageFlags |
Accepted values: | KeyEncipherment, DigitalSignature |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies a name for the SCEP certificate profile.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Indicates that multi-factor authentication is required during enrollment of devices before issuing certificates to those devices. This parameter can be used when the InstallToNGC_FailIfNotPresent value is set for the KeyStorageProvider parameter.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies a trusted root CA certificate object. To get a trusted root CA certificate, use the Get-CMCertificateProfileTrustedRootCA function.
Type: | IResultObject |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies one or more subject alternative name. Valid values are:
- SubjectAltRequireSpn
- SubjectAltRequireUpn
- SubjectAltReqiureEmail
- SubjectAltRequireDns
Type: | SubjectAlternativeNameFormatTypes |
Aliases: | SanTypes |
Accepted values: | SubjectAltRequireCustom, SubjectAltRequireSpn, SubjectAltRequireAAD, SubjectAltRequireUpn, SubjectAltReqiureEmail, SubjectAltRequireDns |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies an array of URLs for the Network Device Enrollment Service (NDES) servers that will issue certificates via SCEP.
Type: | String[] |
Aliases: | ScepServerUrls |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the subject name format. Valid values are:
- SubjectRequireCommonNameAsEmail
- SubjectRequireCommonNameAsDeviceName
- SubjectRequireCommonNameAsOSName
- SubjectRequireCommonNameAsIMEI
- SubjectRequireCommonNameAsMEID
- SubjectRequireCommonNameAsSerialNumber
- SubjectRequireCommonNameAsDeviceType
- SubjectRequireCommonNameAsWiFiMAC
- SubjectRequireCommonNameAsEthernetMAC
- SubjectRequireAsCustomString
- SubjectRequireDnsAsCN
- SubjectRequireEmail
- SubjectRequireCommonName
- SubjectRequireDirectoryPath
Type: | SubjectNameFormatTypes |
Aliases: | SubjectTypes |
Accepted values: | SubjectRequireCommonNameAsEmail, SubjectRequireCommonNameAsDeviceName, SubjectRequireCommonNameAsOSName, SubjectRequireCommonNameAsIMEI, SubjectRequireCommonNameAsMEID, SubjectRequireCommonNameAsSerialNumber, SubjectRequireCommonNameAsDeviceType, SubjectRequireCommonNameAsWiFiMAC, SubjectRequireCommonNameAsEthernetMAC, SubjectRequireAsCustomString, SubjectRequireDnsAsCN, SubjectRequireEmail, SubjectRequireCommonName, SubjectRequireDirectoryPath |
Position: | Named |
Default value: | SubjectRequireCommonName |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies a supported platform object. To obtain a supported platform object, use the Get-CMSupportedPlatform cmdlet.
Type: | IResultObject[] |
Aliases: | SupportedPlatforms |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Shows what would happen if the cmdlet runs. The cmdlet doesn't run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
None
IResultObject