Public/Get-PWSHCertreqCert.ps1

function Get-PWSHCertreqCert {
    <#
    .SYNOPSIS
        Retrieves an issued certificate from a CA by request ID.
    .DESCRIPTION
        Connects to the specified CA via WinRM and runs certreq -retrieve to download
        a previously-submitted certificate. Accepts pipeline input from Submit-PWSHCertreqCSR
        so a pending request object can be piped directly after an administrator approves it.

        When the request is still in Pending state the cmdlet returns an object with
        Status='Pending' and no Certificate. When the certificate has been issued the
        Certificate property carries the ASN.1-decoded certificate.
    .PARAMETER InputObject
        A request object with Profile, CAServer, and RequestID properties.
        Accepts output from Submit-PWSHCertreqCSR.
    .PARAMETER Profile
        The configuration profile. Required in the Direct parameter set.
    .PARAMETER CAFqdn
        The CA where the request was submitted. Required in the Direct parameter set.
    .PARAMETER RequestID
        The request ID to retrieve. Required in the Direct parameter set.
    .PARAMETER OutputCertPath
        Optional. When the certificate is issued, save the DER-encoded certificate to
        this local file path.
    .PARAMETER Credential
        Optional PSCredential for WinRM. Defaults to the current user.
    .EXAMPLE
        $pending | Get-PWSHCertreqCert
        Retrieves the certificate for a pending request returned by Submit-PWSHCertreqCSR.
    .EXAMPLE
        Get-PWSHCertreqCert -Profile 'prod-pki' -CAFqdn 'ca01.corp.local' -RequestID '42'
        Retrieves the certificate for request 42 directly.
    .EXAMPLE
        Get-PWSHCertreqCert -Profile 'prod-pki' -CAFqdn 'ca01.corp.local' -RequestID '42' `
            -OutputCertPath 'C:\certs\server01.cer'
        Retrieves the certificate and saves it to disk.
    .OUTPUTS
        PSCustomObject. Properties: Profile, CAServer, RequestID, Status, CertBase64,
        Certificate, RawOutput.
        Status is one of: Issued, Pending.
        Certificate (ASN.1-decoded PSCustomObject) is populated only when Status is Issued.
    #>

    [CmdletBinding(DefaultParameterSetName = 'Pipeline')]
    [OutputType([PSCustomObject])]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ParameterSetName = 'Pipeline')]
        [object] $InputObject,

        [Parameter(Mandatory, ParameterSetName = 'Direct')]
        [string] $Profile,

        [Parameter(Mandatory, ParameterSetName = 'Direct')]
        [string] $CAFqdn,

        [Parameter(Mandatory, ParameterSetName = 'Direct')]
        [string] $RequestID,

        [Parameter()]
        [string] $OutputCertPath,

        [Parameter()]
        [pscredential] $Credential
    )

    process {
        if ($PSCmdlet.ParameterSetName -eq 'Pipeline') {
            $Profile   = $InputObject.Profile
            $CAFqdn    = $InputObject.CAServer
            $RequestID = $InputObject.RequestID
        }

        $config        = Read-ConfigFile
        $profileConfig = Get-ProfileConfig -Config $config -ProfileName $Profile

        $sessionArgs = @{ CAFqdn = $CAFqdn; RemotingConfig = $profileConfig.remoting }
        if ($PSBoundParameters.ContainsKey('Credential')) { $sessionArgs['Credential'] = $Credential }
        $session = Get-CASession @sessionArgs

        try {
            $result = Invoke-CertreqRetrieve -Session $session -RequestID $RequestID

            $certificate = $null
            if ($result.Status -eq 'Issued' -and $result.CertBase64) {
                $certificate = ConvertFrom-CertutilAsn1 -CertBase64 $result.CertBase64
                if ($PSBoundParameters.ContainsKey('OutputCertPath')) {
                    [IO.File]::WriteAllBytes($OutputCertPath, [Convert]::FromBase64String($result.CertBase64))
                    Write-Verbose "Certificate saved to $OutputCertPath"
                }
            }

            [PSCustomObject]@{
                Profile     = $Profile
                CAServer    = $CAFqdn
                RequestID   = $RequestID
                Status      = $result.Status
                CertBase64  = $result.CertBase64
                Certificate = $certificate
                RawOutput   = $result.RawOutput
            }
        } catch {
            Write-Error "Failed to retrieve certificate for RequestID $RequestID from '$CAFqdn': $_"
        }
    }
}