Active Directory Create Certificate for DSC usercredential Encryption/Decryption


Using a Server 2012R2 Active Directory infrastructure, with a Certificate Authority.

How can we create a certificate for encrypting credentials that follows:
Key Usage:
Must contain: ‘KeyEncipherment’ and ‘DataEncipherment’.
Should not contain: ‘Digital Signature’.
Enhanced Key Usage:
Must contain: Document Encryption (
Should not contain: Client Authentication ( and Server Authentication (

I requested a certificate from the certificate-responsible person. But he had problems signing a certificate of this kind. The error he got was “Denied by Policy Module” on the template on the CA server.

Any help/tips are welcome!



You’re going to have to make a custom template. None of the ADCS default templates (or those from other types of CA, for that matter) are set up for this - they need to be marked for Document Encryption, and not marked for Digital Signature or the other stuff mentioned.

If your CA is set up to not allow this in some fashion, then you’ve got to address that - but it’s not a PowerShell thing, obviously, it’s in your CA configuration.
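Once the CA issues a certificate from the custom template, it can be checked against the Key Usage and Enhanced Key Usage rules listed in the question before it is used for DSC credential encryption. The following is an added example, not code from the original posts; the function name `Test-DscEncryptionCertificate` is hypothetical, and the OIDs are the standard EKU identifiers, supplied here because the page does not give them.

```powershell
# Added example: report whether a certificate meets the requirements from the question.
# The OIDs below are the standard EKU identifiers (an assumption; the page does not list them).
$DocumentEncryptionOid = '1.3.6.1.4.1.311.80.1'
$ForbiddenEkus = @{
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
}

function Test-DscEncryptionCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    process {
        $problems = New-Object 'System.Collections.Generic.List[string]'
        $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

        # Key Usage: KeyEncipherment and DataEncipherment required, Digital Signature unwanted.
        $ku = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            Select-Object -First 1
        if ($null -eq $ku) {
            $problems.Add('Key Usage extension is missing')
        } else {
            if (-not $ku.KeyUsages.HasFlag($flag::KeyEncipherment))  { $problems.Add('Key Usage lacks KeyEncipherment') }
            if (-not $ku.KeyUsages.HasFlag($flag::DataEncipherment)) { $problems.Add('Key Usage lacks DataEncipherment') }
            if ($ku.KeyUsages.HasFlag($flag::DigitalSignature))      { $problems.Add('Key Usage includes Digital Signature') }
        }

        # Enhanced Key Usage: Document Encryption required, Client/Server Authentication unwanted.
        $eku = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $ekuOids = @()
        if ($null -ne $eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        if ($ekuOids -notcontains $DocumentEncryptionOid) { $problems.Add('EKU lacks Document Encryption') }
        foreach ($oid in $ForbiddenEkus.Keys) {
            if ($ekuOids -contains $oid) { $problems.Add("EKU includes $($ForbiddenEkus[$oid])") }
        }

        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            Compliant  = ($problems.Count -eq 0)
            Problems   = $problems -join '; '
        }
    }
}
# Usage: Get-ChildItem Cert:\LocalMachine\My | Test-DscEncryptionCertificate
```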