Edit

Share via


New-CMCertificateProfileScep

Creates a SCEP certificate profile.

Syntax

Default (Default)

New-CMCertificateProfileScep
    [-AllowCertificateOnAnyDevice <Boolean>]
    [-CertificateStore <CertificateStoreType>]
    -CertificateTemplateName <String>
    -CertificateValidityDays <Int32>
    [-Description <String>]
    -Eku <Hashtable>
    [-EnrollmentRenewThresholdPct <Int32>]
    [-EnrollmentRetryCount <Int32>]
    [-EnrollmentRetryDelayMins <Int32>]
    -HashAlgorithm <HashAlgorithmTypes>
    [-KeySize <Int32>]
    [-KeyStorageProvider <KeyStorageProviderSettingType>]
    -KeyUsage <X509KeyUsageFlags>
    -Name <String>
    [-RequireMultifactor]
    -RootCertificate <IResultObject>
    -SanType <SubjectAlternativeNameFormatTypes>
    [-ScepServerUrl <String[]>]
    [-SubjectType <SubjectNameFormatTypes>]
    -SupportedPlatform <IResultObject[]>
    [-DisableWildcardHandling]
    [-ForceWildcardHandling]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

The New-CMCertificateProfileScep cmdlet creates a Simple Certificate Enrollment Protocol (SCEP) certificate profile.

Note: You must create a trusted CA certificate profile before you can create an SCEP certificate profile. For information about creating a trusted CA certificate profile, see the New-CMCertificateProfileTrustedRootCA cmdlet.

Note

Run Configuration Manager cmdlets from the Configuration Manager site drive, for example PS XYZ:\>. For more information, see getting started.

Examples

Example 1: Create a SCEP certificate profile

PS XYZ:\> New-CMCertificateProfileScep -CertificateTemplateName "TestTemplate01" -CertificateValidityDays 10 -Eku @{ "name1" ="1.2.3.4"; "name2" = "1.2.3.4.5" } -HashAlgorithm SHA2 -KeyUsage KeyEncipherment -Name "TestSCEPProf01" -RootCertificate (New-CMCertificateProfileTrustedRootCA -Name testing -Path "\\Server\Sharefolder\RootCA.cer" -SupportedPlatform (Get-CMSupportedPlatform  -Fast -Name "All Windows 10*Client")) -SanType SubjectAltReqiureEmail -SupportedPlatform (Get-CMSupportedPlatform  -Fast -Name "All Windows 10*Client")

This command creates a trusted root CA certificate, and gets all Windows 10 Client supported platforms. The command then creates a SEP certificate profile using the newly created trusted root CA certificate.

Example 2: Create a SCEP certificate profile and set the certificate store to User

PS XYZ:\> New-CMCertificateProfileScep -CertificateTemplateName "TestTemplate02" -CertificateValidityDays 10 -Eku @{ "name1" ="1.2.3.4"; "name2" = "1.2.3.4.5" } -HashAlgorithm ShA1 -KeyUsage Digitalsignature -Name "TestSCEPProf02" -RootCertificate (New-CMCertificateProfileTrustedRootCA -Name testingSecond -Path "\\Server\Sharefolder\RootCA.cer" -SupportedPlatform (Get-CMSupportedPlatform  -Fast -Name "All Windows 10*Client")) -SupportedPlatform (Get-CMSupportedPlatform -Fast -Name "All Windows 10*Client") -CertificateStore User -Description "Test description" -EnrollmentRenewThresholdPct 2 -EnrollmentRetryCount 5 -EnrollmentRetryDelayMins 7 -KeySize 2048 -KeyStorageProvider InstallToTPM_FailIfNotPresent -RequireMultiFactor -SubjectType SubjectRequireEmail -SanType SubjectAltReqiureEmail

This command creates a trusted root CA certificate, and gets all Windows 10 Client supported platforms. The command then creates a SCEP certificate using the newly created root CA certificate and setting the certificate store to User.

Parameters

-AllowCertificateOnAnyDevice

Indicates whether to allow certificate enrollment on any device.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-CertificateStore

Specifies the certificate type. Valid values are:

  • Machine
  • User

Parameter properties

Type:CertificateStoreType
Default value:User
Accepted values:Machine, User
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-CertificateTemplateName

Specifies the name of a certificate template.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-CertificateValidityDays

Specifies, in number of days, the certificate validity period.

Parameter properties

Type:Int32
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:SwitchParameter
Default value:False
Supports wildcards:False
DontShow:False
Aliases:cf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Description

Specifies a description for the SCEP certificate profile.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableWildcardHandling

This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Eku

Specifies the extended key usage. The values in the hash table define the certificate's intended purpose.

Parameter properties

Type:Hashtable
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Ekus

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EnrollmentRenewThresholdPct

Specifies the percentage of the certificate lifetime that remains before the device requests renewal of the certificate.

Parameter properties

Type:Int32
Default value:20
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EnrollmentRetryCount

Specifies the number of times that the device automatically retries the certificate request to the server that is running the Network Device Enrollment Service.

Parameter properties

Type:Int32
Default value:3
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EnrollmentRetryDelayMins

Specifies the interval, in minutes, between each enrollment attempt when you use CA manager approval before the issuing CA processes the certificate request.

Parameter properties

Type:Int32
Default value:1
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ForceWildcardHandling

This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-HashAlgorithm

Specifies one or more hash algorithm. Valid values are:

  • SHA1
  • SHA2
  • SHA3

Parameter properties

Type:HashAlgorithmTypes
Default value:None
Accepted values:SHA1, SHA2, SHA3
Supports wildcards:False
DontShow:False
Aliases:HashAlgorithms

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-KeySize

Specifies the size of the key. Valid values are:

  • 1024
  • 2048

Parameter properties

Type:Int32
Default value:2048
Accepted values:1024, 2048, 4096
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-KeyStorageProvider

Specifies the Key Storage Provider (KSP) for the SCEP enrollment. Valid values are:

  • None
  • InstallToTPM_FailIfNotPresent
  • InstallToTPM_IfPresent
  • InstallToSoftwareKeyStorageProvider
  • InstallToNGC_FailIfNotPresent

Parameter properties

Type:KeyStorageProviderSettingType
Default value:InstallToTPM_IfPresent
Accepted values:None, InstallToTPM_FailIfNotPresent, InstallToTPM_IfPresent, InstallToSoftwareKeyStorageProvider, InstallToNGC_FailIfNotPresent
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-KeyUsage

Specifies one or more key usage for the certificate. Valid values are:

  • KeyEncipherment
  • DigitalSignature

Parameter properties

Type:X509KeyUsageFlags
Default value:None
Accepted values:KeyEncipherment, DigitalSignature
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Name

Specifies a name for the SCEP certificate profile.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-RequireMultifactor

Indicates that multi-factor authentication is required during enrollment of devices before issuing certificates to those devices. This parameter can be used when the InstallToNGC_FailIfNotPresent value is set for the KeyStorageProvider parameter.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-RootCertificate

Specifies a trusted root CA certificate object. To get a trusted root CA certificate, use the Get-CMCertificateProfileTrustedRootCA function.

Parameter properties

Type:IResultObject
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SanType

Specifies one or more subject alternative name. Valid values are:

  • SubjectAltRequireSpn
  • SubjectAltRequireUpn
  • SubjectAltReqiureEmail
  • SubjectAltRequireDns

Parameter properties

Type:SubjectAlternativeNameFormatTypes
Default value:None
Accepted values:SubjectAltRequireCustom, SubjectAltRequireSpn, SubjectAltRequireAAD, SubjectAltRequireUpn, SubjectAltReqiureEmail, SubjectAltRequireDns
Supports wildcards:False
DontShow:False
Aliases:SanTypes

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ScepServerUrl

Specifies an array of URLs for the Network Device Enrollment Service (NDES) servers that will issue certificates via SCEP.

Parameter properties

Type:

String[]

Default value:None
Supports wildcards:False
DontShow:False
Aliases:ScepServerUrls

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SubjectType

Specifies the subject name format. Valid values are:

  • SubjectRequireCommonNameAsEmail
  • SubjectRequireCommonNameAsDeviceName
  • SubjectRequireCommonNameAsOSName
  • SubjectRequireCommonNameAsIMEI
  • SubjectRequireCommonNameAsMEID
  • SubjectRequireCommonNameAsSerialNumber
  • SubjectRequireCommonNameAsDeviceType
  • SubjectRequireCommonNameAsWiFiMAC
  • SubjectRequireCommonNameAsEthernetMAC
  • SubjectRequireAsCustomString
  • SubjectRequireDnsAsCN
  • SubjectRequireEmail
  • SubjectRequireCommonName
  • SubjectRequireDirectoryPath

Parameter properties

Type:SubjectNameFormatTypes
Default value:SubjectRequireCommonName
Accepted values:SubjectRequireCommonNameAsEmail, SubjectRequireCommonNameAsDeviceName, SubjectRequireCommonNameAsOSName, SubjectRequireCommonNameAsIMEI, SubjectRequireCommonNameAsMEID, SubjectRequireCommonNameAsSerialNumber, SubjectRequireCommonNameAsDeviceType, SubjectRequireCommonNameAsWiFiMAC, SubjectRequireCommonNameAsEthernetMAC, SubjectRequireAsCustomString, SubjectRequireDnsAsCN, SubjectRequireEmail, SubjectRequireCommonName, SubjectRequireDirectoryPath
Supports wildcards:False
DontShow:False
Aliases:SubjectTypes

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SupportedPlatform

Specifies a supported platform object. To obtain a supported platform object, use the Get-CMSupportedPlatform cmdlet.

Parameter properties

Type:

IResultObject[]

Default value:None
Supports wildcards:False
DontShow:False
Aliases:SupportedPlatforms

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet doesn't run.

Parameter properties

Type:SwitchParameter
Default value:False
Supports wildcards:False
DontShow:False
Aliases:wi

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

None

Outputs

IResultObject