This post summarizes the blog post series about certificate enrollment API (CertEnroll) and their usage in Windows PowerShell. The series covers all common enrollment API usage scenarios.

This post provides basic technical information about certificate requests, what they are, their structures and basic concepts.

In this post I'm talking about creating offline certificate requests with delayed submission (when client has no direct connection to CA server).

This post covers various ways how to submit request to Windows CA (both, Standalone and Enterprise), resolve issuance if the request is pending and how to install issued certificate to original client and associate it with generated private key.

This post describes the techniques how to enroll for a certificate for domain members by using certificate templates and Enterprise CA.

In this post I discuss about advanced enrollment called Enroll On Behalf Of another user. This method is usually used with smart card deployment.

This post provides some security information about request management and approval and exposes a useful techniques to create preconfigured self-signed certificates.

In addition, here are few real-life tasks that utilize CertEnroll in PowerShell:

This post covers how CertEnroll can be used to generate self-signed certificates for testing purposes.

This post shows techniques to configure remote IIS management with delegated (instead of default and insecure self-signed certificate) certificate from enterprise CA.


Share this article:



Hi Just wanted to say thanks or posting this series of blogs as I am in the process of learning more about this subject and sure I will find this information extremely useful Thanks Ernie

Vadims Podans

Thanks! If there is something else what I could explain, please, let me know.


Hello Vadims, Thanks for posting this series, I will read through it as it my help me any an issue I am working on. Great site Ernie


Hi Vadims.

First of all - thanks a lot for your blogs!

The problem i am trying to solve related to requesting certificate for non-domain joined Windows machine:

We have PKI with Offline Root CA, Issuing Enterprise CA, OCSP, Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service deployed and configured. It is working absolutely fine if i am requesting certificate manually. But i need to do it automatically, without any user intervention. I've tried to execute sequence of certreq commands from PowerShell, indicating Policy server URI in request, but whet i am doing certreq -new i am receiving message "Certificate template not found" where i need to click Yes, and then whole sequence completes successfully. Using -q does not help and just "click" No, and then sequense fails.

Then i've tried to find how to do it using .NET - no luck here. Then I've found your blog, there is a lot of information how to do certificate request to CA directly, but not via CEP and CES. I must use CEP and CES to aquire computer certificate, which will be used to establish VPN connection, because direct access to CA allowed only for Domain joined computers. I do not have another options in this place - for non domain joined machines (placed in "Staging", or build, environment) firewall can be opened only to those 2 servers (CEP and CES). After computer aquires it's certificate, it will be moved to another environment, VPN coonnection will be established (using this certificate), computer will be joined to domain and then it will be able to access CA to request new certificate or renew existing.

So there is 2 option i see:

1. Solve "Certificate template not found" issue using certreq, but all what i found tells it is not possible (even seen it in one of your posts - "Expected behaviour" you said

2. Solve it using .NET (is possible) or your suggested method using ICertRequest2 object, but looking at links to MSDN you've provided, it does not have options to provide CEP URI in request.


Really waiting for your response, Vadims. You have my email, so you can respond there.

Thank you.


Hi again. Just found (using WireShark) that certreq does not contacting CEP server during certificate request process, although it's URI indicated in parameters. It talks to CES only. I think this is why i am getting message "Template not found.  Do you wish to continue anyway?" when callng Invoke-Expression "c:\Windows\System32\certreq.exe -new .\cert.inf .\cert.req"

Invoke-Expression "c:\Windows\System32\certreq.exe -f -submit -Username $DomUser -p $DomPass -PolicyServer $CEPPolicyServer -config $CESConfig .\cert.req .\$fqdn.cer"


Any ideas how to force certreq to use CEP server?

Vadims Podāns

You can't do anything with dialog boxes raised by certreq. However, as you assumed, you can use ICertRequest3::Submit method and specify CES server location in the strConfig parameter.

Represents a valid configuration string for the Certificate Services server. The string can be either an HTTPS URL for an enrollment server...

Prior to invoking this method, you may need to call ICertRequest3::SetCredential method to provide credentials.

> Just found (using WireShark) that certreq does not contacting CEP server during certificate request process

this is because (most likely), CES information is cached on the client. When you contact CEP server first, it responds to you with templates and CES pointers. This information is cached on client (default is 8 hours) and client do not contact CEP server until the cache expires.


Hi Vadims.

Thank you for response. I'll try this approach.

Regarding CEP communication - I've cleared cache and in registry CEP information also was not set.


Hi Vadims,

thanks a ton for publishing this rich info. Learned a lot about scripting certificate requests!


Post your comment:

Please, solve this little equation and enter result below. Captcha