Creating a PowerShell script to automatically renew user certificates


We use user certificates for authenticating to various services, but the certificates expire after a year unless renewed manually. I am attempting to create a logon script that will detect if the certificate is about to expire and renew it proactively.

The manual process we use currently is having the user log in, launching certmgr.msc, expanding Personal > Certificates, right-clicking the certificate, All Tasks > Renew Certificate with New Key (or Request New if it's already expired).

    cd cert:\
    $certs = Get-ChildItem -Recurse -ExpiringInDays 180 | Where subject -Like "*(foo)*"
    if ($certs) {
        ForEach ($cert in $certs) {
            certreq -enroll -user -q -policyserver * $cert.thumbprint renew
        }
    }

I ran this successfully once, but I get the following error when I run the script:

Certificate Request Processor: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMATER)

I get the same result if I enter garbage data or identify the certificate by serial number or thumbprint. The script is able to reliably find the certificate I want, but the certreq command is failing.

Any advice is greatly appreciated.

asked on Stack Overflow Aug 9, 2019 by triggrhappy0 • edited Aug 10, 2019 by Theo

1 Answer


-cert parameter missing

    Get-ChildItem cert:\ -Recurse -ExpiringInDays 180 | Where subject -Like "*(foo)*" | % {
        certreq -enroll -user -q -policyserver * -cert $($_.thumbprint) renew
    }
answered on Stack Overflow May 12, 2020 by Alex
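A fuller logon script built on the corrected command, as an added example that is not code from the question or the answer: it limits the search to the user's Personal store, passes the thumbprint with -cert as the answer points out, falls back to a new request for certificates that have already expired (the question's "Request New" step), and checks the store afterwards instead of trusting the exit code. The "*(foo)*" subject filter is the question's; the template name is a placeholder you must replace.

```powershell
# Added example, not the asker's or answerer's code. Assumes the question's "*(foo)*" subject
# filter and a placeholder template name for certificates that can no longer be renewed.
param(
    [string]$SubjectPattern = '*(foo)*',
    [int]$ExpiringInDays    = 180,
    [string]$TemplateName   = 'PLACEHOLDER-TemplateName',   # used only for already-expired certs
    [string]$LogPath        = "$env:LOCALAPPDATA\cert-renew.log"
)

function Write-Log([string]$Message) {
    Add-Content -Path $LogPath -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

# Search only the user's Personal store: cert:\ -Recurse also walks LocalMachine, Root and CA
# stores, which a user logon script cannot enroll for and should not touch.
$candidates = @(Get-ChildItem -Path Cert:\CurrentUser\My -ExpiringInDays $ExpiringInDays |
    Where-Object { $_.Subject -like $SubjectPattern -and $_.HasPrivateKey })

if ($candidates.Count -eq 0) {
    Write-Log "Nothing to do: no '$SubjectPattern' certificate expires within $ExpiringInDays days."
    return
}

foreach ($cert in $candidates) {
    $thumb   = $cert.Thumbprint
    $expires = $cert.NotAfter.ToString('yyyy-MM-dd')

    if ($cert.NotAfter -gt (Get-Date)) {
        # Still valid: renew it. -cert names the certificate to renew; leaving it out yields the
        # 0x80070057 error from the question. Without ReuseKeys certreq generates a new key pair,
        # matching "Renew Certificate with New Key" in certmgr.msc.
        Write-Log "Renewing $thumb ($($cert.Subject)), expires $expires"
        $out = & certreq.exe -enroll -user -q -policyserver * -cert $thumb renew 2>&1
    } else {
        # Already expired: renewal is not available, so request a new certificate from the template.
        Write-Log "Expired on $expires; requesting a new certificate from template '$TemplateName'"
        $out = & certreq.exe -enroll -user -q -policyserver * $TemplateName 2>&1
    }
    $rc = $LASTEXITCODE

    # Confirm success by what landed in the store, not by the exit code alone.
    $replacement = @(Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $cert.Subject -and $_.NotAfter -gt $cert.NotAfter })

    if ($rc -eq 0 -and $replacement.Count -gt 0) {
        Write-Log "OK: new certificate $($replacement[0].Thumbprint) valid until $($replacement[0].NotAfter.ToString('yyyy-MM-dd'))"
    } else {
        Write-Log "FAILED (exit $rc): $($out -join ' ')"
    }
}
```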

User contributions licensed under CC BY-SA 3.0