Encryption certificates must contain Data Encipherment or Key Encipherment
You can use the New-SelfSignedCertificate cmdlet to generate the self signed certificate as well. I wrote this module which will help generate a certificate as required by DSC https://github.com/nanalakshmanan/xDSCUtils
I found the blog post PowerShell V5 New Feature: Protect/Unprotect-CmsMessage by Keith Hill, which doesn't directly relate to this issue but it does show how to define a certificate request file that contains the Document Encryption key usage.
I now generate a self signed certificate using the following request inf:
[Version]Signature = "$Windows NT$"[Strings]szOID_ENHANCED_KEY_USAGE = "2.5.29.37"szOID_DOCUMENT_ENCRYPTION = "1.3.6.1.4.1.311.80.1"[NewRequest]Subject = "CN=test.dsc"KeyLength = 2048MachineKeySet = trueRequestType = CertKeySpec = AT_KEYEXCHANGEKeyUsage = CERT_KEY_ENCIPHERMENT_KEY_USAGE[Extensions]%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_DOCUMENT_ENCRYPTION%"