Edit

Share via


New-CMCertificateProfileScep

Creates a SCEP certificate profile.

Syntax

New-CMCertificateProfileScep
   [-AllowCertificateOnAnyDevice <Boolean>]
   [-CertificateStore <CertificateStoreType>]
   -CertificateTemplateName <String>
   -CertificateValidityDays <Int32>
   [-Description <String>]
   -Eku <Hashtable>
   [-EnrollmentRenewThresholdPct <Int32>]
   [-EnrollmentRetryCount <Int32>]
   [-EnrollmentRetryDelayMins <Int32>]
   -HashAlgorithm <HashAlgorithmTypes>
   [-KeySize <Int32>]
   [-KeyStorageProvider <KeyStorageProviderSettingType>]
   -KeyUsage <X509KeyUsageFlags>
   -Name <String>
   [-RequireMultifactor]
   -RootCertificate <IResultObject>
   -SanType <SubjectAlternativeNameFormatTypes>
   [-ScepServerUrl <String[]>]
   [-SubjectType <SubjectNameFormatTypes>]
   -SupportedPlatform <IResultObject[]>
   [-DisableWildcardHandling]
   [-ForceWildcardHandling]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The New-CMCertificateProfileScep cmdlet creates a Simple Certificate Enrollment Protocol (SCEP) certificate profile.

Note: You must create a trusted CA certificate profile before you can create an SCEP certificate profile. For information about creating a trusted CA certificate profile, see the New-CMCertificateProfileTrustedRootCA cmdlet.

Note

Run Configuration Manager cmdlets from the Configuration Manager site drive, for example PS XYZ:\>. For more information, see getting started.

Examples

Example 1: Create a SCEP certificate profile

PS XYZ:\> New-CMCertificateProfileScep -CertificateTemplateName "TestTemplate01" -CertificateValidityDays 10 -Eku @{ "name1" ="1.2.3.4"; "name2" = "1.2.3.4.5" } -HashAlgorithm SHA2 -KeyUsage KeyEncipherment -Name "TestSCEPProf01" -RootCertificate (New-CMCertificateProfileTrustedRootCA -Name testing -Path "\\Server\Sharefolder\RootCA.cer" -SupportedPlatform (Get-CMSupportedPlatform  -Fast -Name "All Windows 10*Client")) -SanType SubjectAltReqiureEmail -SupportedPlatform (Get-CMSupportedPlatform  -Fast -Name "All Windows 10*Client")

This command creates a trusted root CA certificate, and gets all Windows 10 Client supported platforms. The command then creates a SEP certificate profile using the newly created trusted root CA certificate.

Example 2: Create a SCEP certificate profile and set the certificate store to User

PS XYZ:\> New-CMCertificateProfileScep -CertificateTemplateName "TestTemplate02" -CertificateValidityDays 10 -Eku @{ "name1" ="1.2.3.4"; "name2" = "1.2.3.4.5" } -HashAlgorithm ShA1 -KeyUsage Digitalsignature -Name "TestSCEPProf02" -RootCertificate (New-CMCertificateProfileTrustedRootCA -Name testingSecond -Path "\\Server\Sharefolder\RootCA.cer" -SupportedPlatform (Get-CMSupportedPlatform  -Fast -Name "All Windows 10*Client")) -SupportedPlatform (Get-CMSupportedPlatform -Fast -Name "All Windows 10*Client") -CertificateStore User -Description "Test description" -EnrollmentRenewThresholdPct 2 -EnrollmentRetryCount 5 -EnrollmentRetryDelayMins 7 -KeySize 2048 -KeyStorageProvider InstallToTPM_FailIfNotPresent -RequireMultiFactor -SubjectType SubjectRequireEmail -SanType SubjectAltReqiureEmail

This command creates a trusted root CA certificate, and gets all Windows 10 Client supported platforms. The command then creates a SCEP certificate using the newly created root CA certificate and setting the certificate store to User.

Parameters

-AllowCertificateOnAnyDevice

Indicates whether to allow certificate enrollment on any device.

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-CertificateStore

Specifies the certificate type. Valid values are:

  • Machine
  • User
Type:CertificateStoreType
Accepted values:Machine, User
Position:Named
Default value:User
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-CertificateTemplateName

Specifies the name of a certificate template.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-CertificateValidityDays

Specifies, in number of days, the certificate validity period.

Type:Int32
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Description

Specifies a description for the SCEP certificate profile.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DisableWildcardHandling

This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Eku

Specifies the extended key usage. The values in the hash table define the certificate's intended purpose.

Type:Hashtable
Aliases:Ekus
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-EnrollmentRenewThresholdPct

Specifies the percentage of the certificate lifetime that remains before the device requests renewal of the certificate.

Type:Int32
Position:Named
Default value:20
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-EnrollmentRetryCount

Specifies the number of times that the device automatically retries the certificate request to the server that is running the Network Device Enrollment Service.

Type:Int32
Position:Named
Default value:3
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-EnrollmentRetryDelayMins

Specifies the interval, in minutes, between each enrollment attempt when you use CA manager approval before the issuing CA processes the certificate request.

Type:Int32
Position:Named
Default value:1
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ForceWildcardHandling

This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-HashAlgorithm

Specifies one or more hash algorithm. Valid values are:

  • SHA1
  • SHA2
  • SHA3
Type:HashAlgorithmTypes
Aliases:HashAlgorithms
Accepted values:SHA1, SHA2, SHA3
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-KeySize

Specifies the size of the key. Valid values are:

  • 1024
  • 2048
Type:Int32
Accepted values:1024, 2048, 4096
Position:Named
Default value:2048
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-KeyStorageProvider

Specifies the Key Storage Provider (KSP) for the SCEP enrollment. Valid values are:

  • None
  • InstallToTPM_FailIfNotPresent
  • InstallToTPM_IfPresent
  • InstallToSoftwareKeyStorageProvider
  • InstallToNGC_FailIfNotPresent
Type:KeyStorageProviderSettingType
Accepted values:None, InstallToTPM_FailIfNotPresent, InstallToTPM_IfPresent, InstallToSoftwareKeyStorageProvider, InstallToNGC_FailIfNotPresent
Position:Named
Default value:InstallToTPM_IfPresent
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-KeyUsage

Specifies one or more key usage for the certificate. Valid values are:

  • KeyEncipherment
  • DigitalSignature
Type:X509KeyUsageFlags
Accepted values:KeyEncipherment, DigitalSignature
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Name

Specifies a name for the SCEP certificate profile.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-RequireMultifactor

Indicates that multi-factor authentication is required during enrollment of devices before issuing certificates to those devices. This parameter can be used when the InstallToNGC_FailIfNotPresent value is set for the KeyStorageProvider parameter.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-RootCertificate

Specifies a trusted root CA certificate object. To get a trusted root CA certificate, use the Get-CMCertificateProfileTrustedRootCA function.

Type:IResultObject
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-SanType

Specifies one or more subject alternative name. Valid values are:

  • SubjectAltRequireSpn
  • SubjectAltRequireUpn
  • SubjectAltReqiureEmail
  • SubjectAltRequireDns
Type:SubjectAlternativeNameFormatTypes
Aliases:SanTypes
Accepted values:SubjectAltRequireCustom, SubjectAltRequireSpn, SubjectAltRequireAAD, SubjectAltRequireUpn, SubjectAltReqiureEmail, SubjectAltRequireDns
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-ScepServerUrl

Specifies an array of URLs for the Network Device Enrollment Service (NDES) servers that will issue certificates via SCEP.

Type:String[]
Aliases:ScepServerUrls
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SubjectType

Specifies the subject name format. Valid values are:

  • SubjectRequireCommonNameAsEmail
  • SubjectRequireCommonNameAsDeviceName
  • SubjectRequireCommonNameAsOSName
  • SubjectRequireCommonNameAsIMEI
  • SubjectRequireCommonNameAsMEID
  • SubjectRequireCommonNameAsSerialNumber
  • SubjectRequireCommonNameAsDeviceType
  • SubjectRequireCommonNameAsWiFiMAC
  • SubjectRequireCommonNameAsEthernetMAC
  • SubjectRequireAsCustomString
  • SubjectRequireDnsAsCN
  • SubjectRequireEmail
  • SubjectRequireCommonName
  • SubjectRequireDirectoryPath
Type:SubjectNameFormatTypes
Aliases:SubjectTypes
Accepted values:SubjectRequireCommonNameAsEmail, SubjectRequireCommonNameAsDeviceName, SubjectRequireCommonNameAsOSName, SubjectRequireCommonNameAsIMEI, SubjectRequireCommonNameAsMEID, SubjectRequireCommonNameAsSerialNumber, SubjectRequireCommonNameAsDeviceType, SubjectRequireCommonNameAsWiFiMAC, SubjectRequireCommonNameAsEthernetMAC, SubjectRequireAsCustomString, SubjectRequireDnsAsCN, SubjectRequireEmail, SubjectRequireCommonName, SubjectRequireDirectoryPath
Position:Named
Default value:SubjectRequireCommonName
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SupportedPlatform

Specifies a supported platform object. To obtain a supported platform object, use the Get-CMSupportedPlatform cmdlet.

Type:IResultObject[]
Aliases:SupportedPlatforms
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet doesn't run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

None

Outputs

IResultObject