@joshooaj
Created October 9, 2019 23:52
Request a CA certificate using the WebServer template and configure Recording Server to use it to secure client connections
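function Set-CertificatePermission {
    <#
    .SYNOPSIS
    Grants an account NTFS access to the private key file that backs a certificate.

    .DESCRIPTION
    Looks up the certificate in the certificate provider, resolves the CryptoAPI (CSP)
    key container file under the machine keys folder and adds an Allow ACE for
    $UserName with the requested rights. Any condition that would leave the key
    unreadable by the account (certificate missing, no private key, key container
    name not resolvable, key file not present) is reported as a terminating error
    instead of silently doing nothing, so a caller cannot go on to bind a service to
    a certificate whose key the service account cannot open.

    .PARAMETER CertificatePath
    Provider path of the certificate, e.g. Cert:\LocalMachine\My\<thumbprint>.

    .PARAMETER UserName
    Account to grant access to, e.g. "NT AUTHORITY\NETWORK SERVICE" or DOMAIN\svc.

    .PARAMETER Permission
    FileSystemRights value to grant, e.g. Read. Read is enough for a service to use
    the key; avoid granting more than the service needs.

    .OUTPUTS
    None.
    #>
    [CmdletBinding()]
    param(
        [string]
        $CertificatePath,
        [string]
        $UserName,
        [string]
        $Permission
    )

    $certificate = Get-ChildItem -LiteralPath $CertificatePath
    if ($null -eq $certificate) {
        throw "Certificate not found at '$CertificatePath'"
    }
    if (-not $certificate.HasPrivateKey) {
        throw "Certificate $($certificate.Thumbprint) has no private key; nothing to grant access to"
    }

    # Only CSP-backed keys expose a container name through .PrivateKey; for keys held by
    # a CNG provider this is typically $null, in which case the legacy MachineKeys path
    # below does not apply and we must not pretend the ACL was updated.
    $keyName = $certificate.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    if ([string]::IsNullOrEmpty($keyName)) {
        throw "Could not resolve the CSP key container for certificate $($certificate.Thumbprint); the key may be stored by a CNG provider"
    }

    $root = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    $path = Join-Path $root $keyName
    if (-not (Test-Path -LiteralPath $path)) {
        throw "Private key file not found: $path"
    }

    # 'Allow' is the AccessControlType; the rule is additive, existing ACEs are kept.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($UserName, $Permission, 'Allow')
    $acl = Get-Acl -LiteralPath $path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
}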
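# Request a WebServer-template certificate from the enterprise CA for this host, grant the
# Recording Server service account read access to its private key, and configure the
# Recording Server to use it for client encryption. Emits the new certificate thumbprint.
#
# Requires: domain-joined host, an enterprise CA publishing the WebServer template with
# enrollment rights for this machine, and the Recording Server cmdlets
# (Get-RecorderConfig / Set-RecorderConfig) available in the session.

# The FQDN goes into the SAN so clients connecting by DNS name validate the certificate.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Subject is the computer object's distinguished name from AD, matching what the
# WebServer template expects for a machine certificate.
$filter = "(&(objectCategory=computer)(objectClass=computer)(cn=$env:COMPUTERNAME))"
$adEntry = ([adsisearcher]$filter).FindOne()
if ($null -eq $adEntry) {
    throw "Computer object '$env:COMPUTERNAME' not found in Active Directory"
}
$subject = [string]$adEntry.Properties['distinguishedname'][0]

$result = Get-Certificate -Template WebServer -DnsName $fqdn -SubjectName $subject -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Stop

# Anything other than Issued (e.g. Pending when the CA requires manager approval, or
# Denied) must not be silently ignored: the recorder would otherwise stay unconfigured
# with no indication why. A pending request can be resumed later with
# Get-Certificate -Request once approved.
if ($result.Status -ne 'Issued') {
    throw "Certificate request was not issued (status: $($result.Status))"
}

$thumbprint = $result.Certificate.Thumbprint

# Grant only Read on the key to the recorder's service identity before binding the
# certificate, so the service can actually use it once configured.
$recInfo = Get-RecorderConfig -ErrorAction Stop
Set-CertificatePermission -UserName $recInfo.ServiceInfo.Identity -Permission Read -CertificatePath "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
Set-RecorderConfig -ClientEncryptionCertHash $thumbprint -ErrorAction Stop

$thumbprint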