diff --git a/CHANGELOG.md b/CHANGELOG.md
index e45fce7..60c7c35 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,12 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) loos
## Unreleased
+## 2026.06.04.2335
+
+- Build produced from commit 3c39a99b9a4c.
+
+## Unreleased (carried forward)
+
## 2026.06.04.2305
- Build produced from commit 485ee8a7dd6a.
diff --git a/Module/PSInfisicalAPI/PSInfisicalAPI.psd1 b/Module/PSInfisicalAPI/PSInfisicalAPI.psd1
index 107de99..0f9f952 100644
--- a/Module/PSInfisicalAPI/PSInfisicalAPI.psd1
+++ b/Module/PSInfisicalAPI/PSInfisicalAPI.psd1
@@ -1,6 +1,6 @@
@{
RootModule = 'PSInfisicalAPI.psm1'
- ModuleVersion = '2026.06.04.2305'
+ ModuleVersion = '2026.06.04.2335'
GUID = 'b8a2f3d4-7c51-4d2f-9e6a-1f0c8b3d4e51'
Author = 'Grace Solutions'
CompanyName = 'Grace Solutions'
@@ -63,7 +63,7 @@
LicenseUri = 'https://www.gnu.org/licenses/agpl-3.0.html'
ProjectUri = 'https://prod.git.gracesolution.info/gsadmin/PSInfisicalAPI'
ReleaseNotes = 'See CHANGELOG.md in the project repository for release history.'
- CommitHash = '485ee8a7dd6a'
+ CommitHash = '3c39a99b9a4c'
}
}
}
\ No newline at end of file
diff --git a/Module/PSInfisicalAPI/bin/PSInfisicalAPI.dll b/Module/PSInfisicalAPI/bin/PSInfisicalAPI.dll
index b6e72de..babeb12 100644
Binary files a/Module/PSInfisicalAPI/bin/PSInfisicalAPI.dll and b/Module/PSInfisicalAPI/bin/PSInfisicalAPI.dll differ
diff --git a/Module/PSInfisicalAPI/bin/en-US/PSInfisicalAPI.dll-Help.xml b/Module/PSInfisicalAPI/bin/en-US/PSInfisicalAPI.dll-Help.xml
index ffdcffb..c39f22b 100644
--- a/Module/PSInfisicalAPI/bin/en-US/PSInfisicalAPI.dll-Help.xml
+++ b/Module/PSInfisicalAPI/bin/en-US/PSInfisicalAPI.dll-Help.xml
@@ -1477,33 +1477,130 @@ $UninstallInfisicalCertificateResult = Uninstall-InfisicalCertificate @Uninstall
+
+
+ Get-InfisicalCertificateApplication
+ Lists or retrieves an Infisical Certificate Manager Application from the active project.
+ Get
+ InfisicalCertificateApplication
+
+
+ Reads Infisical certificate-manager Applications (the join target used by EST/ACME/SCEP profile attachments) using the active connection's project scope. The List parameter set returns all applications visible to the caller; the ById and ByName sets return a single application. ProjectId falls back to the active connection when omitted.
+
+
+
+ EXAMPLE 1
+ Get-InfisicalCertificateApplication
+ Lists certificate-manager applications for the active project.
+
+
+ EXAMPLE 2
+ Get-InfisicalCertificateApplication -ApplicationName 'workstation-mdm'
+ Retrieves a single application by name.
+
+
+ EXAMPLE 3
+ $GetInfisicalCertificateApplicationParameters = New-Object -TypeName 'System.Collections.Specialized.OrderedDictionary' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
+$GetInfisicalCertificateApplicationParameters.Id = $ApplicationId
+$GetInfisicalCertificateApplicationParameters.ProjectId = $ProjectId
+$GetInfisicalCertificateApplicationParameters.Verbose = $True
+
+$GetInfisicalCertificateApplicationResult = Get-InfisicalCertificateApplication @GetInfisicalCertificateApplicationParameters
+ Retrieves a single application by id from an explicit project.
+
+
+
+
+
+
+ Get-InfisicalCertificateApplicationEnrollment
+ Retrieves the API/EST/ACME/SCEP enrollment configuration attached to an application/profile pair.
+ Get
+ InfisicalCertificateApplicationEnrollment
+
+
+ Returns the InfisicalCertificateApplicationEnrollment for the given application and certificate profile, including any configured SCEP sub-block (server URL, RA certificate PEM, computed SHA-1 RaCertificateThumbprint, challenge type, and challenge endpoint URL when dynamic).
+
+
+
+ EXAMPLE 1
+ Get-InfisicalCertificateApplicationEnrollment -ApplicationId $AppId -ProfileId $ProfileId
+ Fetches the enrollment configuration for an application/profile pair.
+
+
+ EXAMPLE 2
+ $GetInfisicalCertificateApplicationEnrollmentParameters = New-Object -TypeName 'System.Collections.Specialized.OrderedDictionary' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
+$GetInfisicalCertificateApplicationEnrollmentParameters.ApplicationId = $ApplicationId
+$GetInfisicalCertificateApplicationEnrollmentParameters.ProfileId = $ProfileId
+$GetInfisicalCertificateApplicationEnrollmentParameters.Verbose = $True
+
+$GetInfisicalCertificateApplicationEnrollmentResult = Get-InfisicalCertificateApplicationEnrollment @GetInfisicalCertificateApplicationEnrollmentParameters
+ Retrieves the enrollment configuration and feeds it downstream to Get-InfisicalScepMdmProfile.
+
+
+
+
+
+
+ New-InfisicalScepDynamicChallenge
+ Generates a one-time SCEP challenge from an application/profile that is configured with dynamic challenge mode.
+ New
+ InfisicalScepDynamicChallenge
+
+
+ POSTs to /scep/applications/{applicationId}/profiles/{profileId}/challenge and returns the minted challenge as a SecureString. Use -AsPlainText to return a string instead. Requires the active machine identity to have read access on certificate-application-enrollment, and the target SCEP profile must be set to challengeType=dynamic. Dynamic challenges are an Enterprise-tier feature on managed Infisical deployments.
+
+
+
+ EXAMPLE 1
+ $Challenge = New-InfisicalScepDynamicChallenge -ApplicationId $AppId -ProfileId $ProfileId
+ Mints a single-use SCEP challenge and stores it as a SecureString.
+
+
+ EXAMPLE 2
+ $NewInfisicalScepDynamicChallengeParameters = New-Object -TypeName 'System.Collections.Specialized.OrderedDictionary' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
+$NewInfisicalScepDynamicChallengeParameters.ApplicationId = $ApplicationId
+$NewInfisicalScepDynamicChallengeParameters.ProfileId = $ProfileId
+$NewInfisicalScepDynamicChallengeParameters.AsPlainText = $True
+$NewInfisicalScepDynamicChallengeParameters.Verbose = $True
+
+$NewInfisicalScepDynamicChallengeResult = New-InfisicalScepDynamicChallenge @NewInfisicalScepDynamicChallengeParameters
+ Mints a plain-text challenge for use in environments where SecureString is inconvenient.
+
+
+
+
Get-InfisicalScepMdmProfile
- Builds an Infisical SCEP MDM profile model from a certificate profile, suitable for SyncML export or local MDM enrollment.
+ Builds an Infisical SCEP MDM profile model from an application enrollment, certificate profile, or fully manual inputs.
Get
InfisicalScepMdmProfile
- Projects an InfisicalCertificateProfile (pipeline-bound) into an InfisicalScepMdmProfile that mirrors the Windows ClientCertificateInstall/SCEP CSP node set. -Challenge is accepted as a SecureString and decrypted into the model only at write-time. -ServerUrl defaults to {baseUri}/scep/{profileId}/pkiclient.exe derived from the active connection. -UniqueId defaults to a sanitized form of the source profile slug. KeyAlgorithm and EkuMapping are inherited from the source profile defaults unless overridden.
+ Produces an InfisicalScepMdmProfile that mirrors the Windows ClientCertificateInstall/SCEP CSP node set. FromEnrollment (default) consumes an InfisicalCertificateApplicationEnrollment and auto-fills ServerUrl from scep.scepEndpointUrl and CAThumbprint from the RA certificate; if the enrollment is configured for dynamic challenge mode, a fresh challenge is minted automatically when -Challenge is not supplied. FromProfile keeps the legacy projection from an InfisicalCertificateProfile and now requires -ApplicationId so the server URL can be built against /scep/applications/{appId}/profiles/{profileId}/pkiclient.exe. Manual requires explicit -ServerUrl, -Challenge, and -UniqueId.
Notes
- The SCEP endpoint URL ends in 'pkiclient.exe' for RFC 8894 / Cisco SCEP client compatibility. The source profile must have SCEP enrollment enabled on the server side for enrollment to succeed; this cmdlet does not validate that.
+ The SCEP endpoint URL ends in 'pkiclient.exe' for RFC 8894 / Cisco SCEP client compatibility. SecureString -Challenge is decrypted into the model only at write-time.
EXAMPLE 1
- Get-InfisicalCertificateProfile -CertificateProfileId $ProfileId | Get-InfisicalScepMdmProfile -Challenge (Read-Host -AsSecureString 'SCEP challenge')
- Builds a default SCEP MDM profile with the server URL inferred from the active connection.
+ Get-InfisicalCertificateApplicationEnrollment -ApplicationId $AppId -ProfileId $ProfileId | Get-InfisicalScepMdmProfile
+ Builds a SCEP MDM profile from an enrollment, auto-resolving ServerUrl, CAThumbprint, and (for dynamic mode) the challenge.
EXAMPLE 2
+ Get-InfisicalCertificateProfile -CertificateProfileId $ProfileId | Get-InfisicalScepMdmProfile -ApplicationId $AppId -Challenge (Read-Host -AsSecureString 'SCEP challenge')
+ Builds a profile from a certificate profile (legacy path) with an explicit application id and static challenge.
+
+
+ EXAMPLE 3
$GetInfisicalScepMdmProfileParameters = New-Object -TypeName 'System.Collections.Specialized.OrderedDictionary' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
-$GetInfisicalScepMdmProfileParameters.InputObject = (Get-InfisicalCertificateProfile -CertificateProfileId $ProfileId)
-$GetInfisicalScepMdmProfileParameters.Challenge = (Read-Host -AsSecureString 'SCEP challenge')
+$GetInfisicalScepMdmProfileParameters.EnrollmentObject = $Enrollment
$GetInfisicalScepMdmProfileParameters.UniqueId = 'WindowsClientAuth'
$GetInfisicalScepMdmProfileParameters.Scope = 'Device'
$GetInfisicalScepMdmProfileParameters.SubjectName = "CN=$($env:COMPUTERNAME)"
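Review bot: The rewritten Get-InfisicalScepMdmProfile description says the FromEnrollment set fills CAThumbprint from the RA certificate in the enrollment and mints a fresh dynamic challenge when -Challenge is omitted, but the Notes state neither consequence. The thumbprint pin is then only as trustworthy as the API response it came from, and a Get- cmdlet now makes a state-changing request that creates a one-time credential. I would add two Notes sentences: `In FromEnrollment mode CAThumbprint is derived from the server-returned RA certificate; compare it with a value obtained out of band before deploying the profile.` and `When the enrollment uses dynamic challenge mode and -Challenge is omitted, this cmdlet requests a new one-time challenge from the server.` In the same hunk, New-InfisicalScepDynamicChallenge EXAMPLE 2 presents -AsPlainText as a convenience; its text should say that the returned string is an enrollment credential and should be kept out of transcripts, logs and long-lived variables. The behaviour itself is in the binary DLL, which this diff does not show, so these points concern the help text only.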
@@ -1514,7 +1611,7 @@ $GetInfisicalScepMdmProfileParameters.ValidPeriodUnits = 1
$GetInfisicalScepMdmProfileParameters.Verbose = $True
$GetInfisicalScepMdmProfileResult = Get-InfisicalScepMdmProfile @GetInfisicalScepMdmProfileParameters
- Builds a device-scope SCEP MDM profile with explicit subject and key parameters for downstream export or local enrollment.
+ Builds a device-scope SCEP MDM profile from an enrollment with overridden subject and key parameters.