I'm looking to automate the process of getting certificates for users. Currently, I manually handle this through the MMC console and we have a template in place that utilizes an Enrollment Agent Certificate. I've started working on a PowerShell script for this, but I'm running into errors. Here's the part of the script I've put together:
```powershell
Set-Location -Path Cert:\CurrentUser\My\
Get-Certificate -Template "Templatename" | Get-Credential
```
When I run this, I get the following error:
```
Get-Certificate : CertEnroll::CX509Enrollment::Enroll: Denied by Policy Module The request ID is 582. A certificate could not be issued by the certification authority: The request is missing required signature policy information. 0x80094809 (-2146875383 CERTSRV_E_SIGNATURE_POLICY_REQUIRED)
```
How can I modify the script to successfully request a new certificate based on a template?
4 Answers
If you're encountering issues with `Get-Certificate`, consider using the `certreq` command instead. It allows you to request certificates directly from your Windows CA and might offer the flexibility you need. You can check the official documentation [here](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certreq_1).
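The `certreq` route suggested above, as an added example that is not part of the original answer: `CERTSRV_E_SIGNATURE_POLICY_REQUIRED` means the CA expected a request carrying an authorized signature, and `certreq -new` can sign a CMC request with an Enrollment Agent certificate through `-cert` together with the `RequesterName` INF key. The requester account, subject, thumbprint and CA config string are placeholders, and the key settings are assumptions to adapt to your template.

```powershell
# Added example (not from the thread): enroll on behalf of a user with certreq.
# Values in angle brackets and the CONTOSO\jdoe account are placeholders.
$Template        = 'Templatename'                       # template name used in the question
$Requester       = 'CONTOSO\jdoe'                       # hypothetical user to enroll for
$AgentThumbprint = '<EnrollmentAgentCertThumbprint>'    # agent cert in Cert:\CurrentUser\My
$CAConfig        = '<CAHostName>\<CAName>'              # CA config string

# Work in a private temp folder so request files are not left in a shared path.
$work = Join-Path $env:TEMP ('eobo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$inf = Join-Path $work 'request.inf'
$req = Join-Path $work 'request.req'
$cer = Join-Path $work 'issued.cer'

# RequesterName is only honoured for CMC or PKCS7 requests, and the request
# must be signed by an Enrollment Agent certificate (see -cert below).
@"
[NewRequest]
Subject = "CN=jdoe"
RequestType = CMC
RequesterName = $Requester
KeyLength = 2048
Exportable = FALSE

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

try {
    # Build the request and sign it with the Enrollment Agent certificate.
    certreq.exe -new -q -cert $AgentThumbprint $inf $req
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

    # Submit the signed request to the CA and save the issued certificate.
    certreq.exe -submit -q -config $CAConfig $req $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }

    # Bind the issued certificate to the key pair that -new generated.
    certreq.exe -accept -q $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }
}
finally {
    Remove-Item -Path $work -Recurse -Force
}
```

The key pair is generated in the profile of the account running the script, which is the same place the MMC enroll-on-behalf-of wizard would create it unless a smart card provider is selected.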
It looks like there’s a small mistake in how you're using the `Get-Certificate` command. The `Get-Credential` command doesn’t accept input through the pipeline. Instead, you should store your credentials in a variable like this:
```powershell
$cred = Get-Credential
Get-Certificate -Template "Templatename" -Credential $cred
```
This should help alleviate the issue with your script.
Regarding your error, it seems like the certificate template is missing some required information. If you try to manually request the certificate, it should indicate what’s required for the issuance, which might help you troubleshoot further.
While scripting is one way, it might not be the best option for this task. Here's what you can do instead:

1. On the certificate authority side, locate the template you're using, edit its settings, and check the "autoenroll" option in the security tab. This sets the template to be auto-enrollable.
2. Then, configure the autoenrollment policy on the client machines, possibly through Group Policy or via registry settings. Once set up, client machines will start automatically requesting certificates based on what templates have been permitted for autoenrollment.

This method is generally simpler and will let clients request certificates automatically without further scripts.
I appreciate the insight, this makes the process sound much easier!
This approach is definitely the way to go. Just remember to only enable autoenroll for templates you’re sure about.