Error Getting Certificate using Get-Certificate

I have a server (Srv2.reskit.net) which I want to get a cert for. I can easily use the cert wizard in the IIS manager and it works perfectly. But I want to use PowerShell to get the cert and so tried to use Get-Certificate like this:

Get-Certificate -Template WebServer -CertStoreLocation Cert:\LocalMachine\My -SubjectName Srv2.reskit.org

This returns:

CertEnroll::CX500DistinguishedName::Encode: The string contains an invalid x500 name attribute key, oid, value, or delimiter

Any clues?

What I need is a working solution that gets the cert using only PowerShell - please do not offer solutions that make use of the GUI in any wa

July 6th, 2015 2:32pm

Start here:

PS C:\scripts> Import-Module Web*
PS C:\scripts> $iis=Dir iis:sslbindings
PS C:\scripts> $iis[1].Store
MY
PS C:\scripts> $iis[1].ThumbPrint
4B1754E2AB3CFDFA085BEBF8FAA3C9FCE85F2A0F
PS C:\scripts>

July 6th, 2015 4:14pm

Thomas,

The error code is saying that your Subjectname has an invalid character for the expected x500 formatting. Try using -DNSName instead.

Get-Certificate -Template WebServer -CertStoreLocation Cert:\LocalMachine\My -DNSName Srv2.reskit.org



July 6th, 2015 4:25pm
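
The distinction made in the reply above, as an added example that is not part of the original thread: -SubjectName expects an X.500 distinguished name such as CN=host, while -DnsName takes the bare host name. The host and template names are the ones used in the thread; the local parse check and the status handling are illustrative additions.

```powershell
# Added example, not from the thread. Run elevated on a domain-joined machine
# that can reach the enterprise CA.
$fqdn    = 'Srv2.reskit.org'
$subject = "CN=$fqdn"     # -SubjectName takes an X.500 DN, not a bare host name

# Parse the subject locally first. A bare 'Srv2.reskit.org' is rejected here,
# before any request is sent to the CA.
try {
    $dn = New-Object -TypeName System.Security.Cryptography.X509Certificates.X500DistinguishedName `
                     -ArgumentList $subject -ErrorAction Stop
}
catch {
    throw "'$subject' is not a valid X.500 distinguished name: $($_.Exception.Message)"
}

$request = @{
    Template          = 'WebServer'               # template name used in the thread
    SubjectName       = $dn.Name                  # CN=Srv2.reskit.org
    DnsName           = $fqdn                     # goes into the subject alternative name
    CertStoreLocation = 'Cert:\LocalMachine\My'
    ErrorAction       = 'Stop'
}

try {
    $result = Get-Certificate @request
}
catch {
    # Template permission and CA policy failures surface here as errors.
    Write-Error "Enrollment failed: $($_.Exception.Message)"
    return
}

# Get-Certificate returns an enrollment result; inspect it instead of assuming success.
switch ($result.Status) {
    'Issued'  { "Issued, thumbprint $($result.Certificate.Thumbprint)" }
    'Pending' { 'Request is pending on the CA' }
    default   { "Enrollment status: $($result.Status)" }
}
```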


You use the thumbprint and store name to get the matching certificate.

Your initial code does not get a cert; it is used to request a new cert using a template.

PS C:\scripts> $cert=Get-Item cert:\LocalMachine\My\026AF812C3D06F7E1030345264912696C1E971C5
PS C:\scripts> $cert|select *

July 6th, 2015 5:20pm

Excellent - well at one level! :-)

I tried this:

Get-Certificate -Template WebServer -CertStoreLocation cert:\LocalMachine\My -DNSName 'Srv2.Reskit.Org'

It no longer gave the X500 name issue error, but now I get:

Get-Certificate: You do not have permission to request this type of certificate.: The permissions on the certificate template do not allow the current user to enroll for this type of certificate

This is being run as administrator (Enterprise Admin).

July 6th, 2015 5:22pm


As the original post stated, I am trying to get a certificate from a Certificate Authority (I have a CA on another server) so that I can then use it for SSL to secure PSWA.

I know how to set the SSL bindings and to associate the right thumbprint to point to the correct certificate.

What I am thus far unable to do is to write a PowerShell script that gets that certificate. I can do this using the IIS manager, but want an automation solution, preferably using PowerShell.

As explained in another post in this thread, I've fixed the original problem but still cannot automate getting the cert.

July 6th, 2015 5:29pm

Getting a certificate from a webserver is not the same as requesting a new certificate from a template.

You do not have permission to request certificates of the type you are requesting.  Have the CA grant you permission to request that kind of cert.

use explicit credentials in the re

July 6th, 2015 5:32pm


You are assuming that the CA has already granted you permission. You are also assuming that the permission for the "WebServer" template has been granted. Is there a template called "WebServer"? I am pretty sure the default SSL certificate template is called "SSLWebServer", but you can define any names you want for your templates.

Here is the example that most closely matches your requirements:

PS C:\> $enrollResult = Get-Certificate -Template SslWebServer -DnsName www.contoso.com -Url https://www.contoso.com/policy/service.svc -Credential $cert -CertStoreLocation cert:\LocalMachine\My

July 6th, 2015 5:42pm

I have a 2012 R2 enterprise CA setup in a default setup, so yes, I assumed that I could use it to get a cert. And I CAN get a cert using the GUI on a separate domain joined server, so yes, I assume I have the permissions.

I also tried to get a cert for SSLWebServer, but as expected I get an error 'The requested certificate Template is not supported by this CA'. That error does not occur using the WebServer template. Running CertUtil.exe -Template or CertUtil -CATemplates shows WebServer and not SSLWebServer.

In this case, the example in the help text you quoted appears to be incorrect.

I also tried adding a credential, but that just gives an empty error message.

Have you tested the suggestions you are making?

July 6th, 2015 5:59pm

I cannot test your environment, but I can suggest that you post in the Cert Server forum, as they will have more information on how to analyze your issues.

July 6th, 2015 6:07pm

This topic is archived. No further replies will be accepted.
