PowerShell PKI Module Documentation

This command is not available in non-domain environments
This command requires installed Remote Server Administration Tools (RSAT)



Installs Certificate Enrollment Policy Service (CEP) instance on a local computer.


Add-CertificateEnrollmentPolicyService [[-Authentication] <String> {UsrPwd | Kerberos | Certificate} ] [[-Thumbprint] <String>] [<CommonParameters>]


Installs Certificate Enrollment Policy Service (CEP) instance an a local computer and configures IIS web application. This command supports only Windows Server 2008 R2 and newer operating systems.


-Authentication <String>

Specifies authentication type for communication. Possible values are: Kerberos, UsrPwd or Certificate. Kerberos is used by default.

Required? False
Position? 0
Default value Kerberos
Accept pipeline input? false
Accept wildcard characters? False

-Thumbprint <String>

Specifies SSL certificate thumbprint. If this parameter is omitted, the command will try to enroll for a new SSL certificate from an Enterprise CA. The command will attempt to enroll for a certificate based on either, 'Computer' (if the local computer is member server) or 'Domain Controller' (if the local computer is domain controller) certificate template.

Required? False
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? False


This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).







Example 1

PS C:\> Add-CertificateEnrollmentPolicyService

Running the command without parameters, will install the Certificate Enrollment Policy Service instance with the default Kerberos authentication. If no valid SSL certificate is found, the new one will be requested and assigned for CEP service.

Example 2

PS C:\> Add-CertificateEnrollmentPolicyService -Authentication Certificate -Thumbprint "D485FFFD6C2CBC161667087B3209CCD765A32544"

In this example CEP server will be configured to use Certificate authentication. In addition, IIS Default Web Site will be configured to use SSL certificate with thumbprint 'D485FFFD6C2CBC161667087B3209CCD765A32544'. The certificate must be stored in LocalMachine store and have a private key.

Related links


Minimum PowerShell version support

  • PowerShell 3.0

Operating System Support

  • Windows Server 2008 R2 all editions