Now – Powershell see's the @ symbol as an operator (array?) and therefore this command only works if i use single quotes before the @ and at the end of the line (and using actual values for hostname and thumbprint, but doing so means that my two variables $hostname and $thumbprint are taken as literals.
one thing that I don't seem to be able to do is to execute this command remotely (in my case via VMware PowerCLi Invoke-VMScript) – i get Access Denied. I'm able to generate the self-signed certificate without an issue.
Is there a limitation on the WSMan:\ namespace that means it can't be manipulated remotely?