How to exclude the certificate template name from certificates to be issued

By default, a Windows enterprise CA adds information about the certificate template that was used to every certificate it issues. These certificate extensions are essential for certificate autoenrollment. However, in heterogeneous environments you may be required not to include the certificate template names in issued certificates.

To stop the CA from adding the certificate template information to newly issued certificates, run the following commands with administrator permissions from a command prompt on your enterprise CA:

certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.20.2
certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.21.7
net stop certsvc
net start certsvc

The configuration change applies CA-wide and does not affect certificates that have already been issued. Remember that autoenrollment breaks once these OIDs are on the list of disabled extensions, so do not apply this change on a CA from which clients enroll certificates automatically.
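As an added example that is not part of the original article, the following PowerShell snippet checks both sides of this change: whether the CA's active policy module currently lists the two OIDs in DisableExtensionList (the registry key that certutil -setreg policy\... writes to), and whether a given certificate file still carries the template extensions. The registry layout and the .NET X509Certificate2 type are standard; the $CertPath parameter and the path C:\certs\issued.cer are placeholders, and the decoded value shown in the comment is constructed.

```powershell
# Added example, not from the original article. Assumes it runs on the
# enterprise CA host (for the registry part) with rights to read HKLM, and
# that $CertPath is a DER or Base64 .cer file exported from an issued certificate.

# The two OIDs from the certutil commands above, with what they carry.
$TemplateOids = [ordered]@{
    '1.3.6.1.4.1.311.20.2' = 'Certificate Template Name (version 1 templates)'
    '1.3.6.1.4.1.311.21.7' = 'Certificate Template Information (version 2 and later templates)'
}

function Get-CaDisableExtensionList {
    # certutil -setreg policy\<Value> writes under the CA's active policy module key.
    $cfg      = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName   = (Get-ItemProperty -Path $cfg -Name Active).Active
    $modules  = "$cfg\$caName\PolicyModules"
    $module   = (Get-ItemProperty -Path $modules -Name Active).Active
    $item     = Get-ItemProperty -Path "$modules\$module" -Name DisableExtensionList -ErrorAction SilentlyContinue
    $disabled = @($item.DisableExtensionList)      # REG_MULTI_SZ; empty when never set
    foreach ($oid in $TemplateOids.Keys) {
        [pscustomobject]@{
            CA         = $caName
            Oid        = $oid
            Name       = $TemplateOids[$oid]
            Suppressed = $disabled -contains $oid  # $true once the +OID command has been applied
        }
    }
}

function Test-TemplateExtensions {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    foreach ($oid in $TemplateOids.Keys) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid } | Select-Object -First 1
        $decoded = $null
        # Format($false) renders the extension the way certutil -dump does, for example
        # (constructed) "Template=WebServer(1.3.6.1.4.1.311.21.8...), Major Version Number=100, Minor Version Number=5"
        if ($ext) { $decoded = $ext.Format($false) }
        [pscustomobject]@{
            Subject = $cert.Subject
            Oid     = $oid
            Name    = $TemplateOids[$oid]
            Present = [bool]$ext
            Decoded = $decoded
        }
    }
}

# Usage (path is a placeholder). Run against a certificate issued before the
# change and one issued after it: the former keeps the extensions, the latter
# should report Present = False for both OIDs.
Get-CaDisableExtensionList | Format-Table -AutoSize
Test-TemplateExtensions -CertPath 'C:\certs\issued.cer' | Format-Table -AutoSize
```

Because the setting does not touch certificates that were issued earlier, the certificate check is the only way to confirm from the relying-party side which certificates still expose the template name; the registry check confirms the CA's current state before you rely on it.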

To include the certificate template name in issued certificates again, remove the OIDs from the list of disabled extensions. Run these commands with administrator permissions on your enterprise CA:

certutil -setreg policy\DisableExtensionList -1.3.6.1.4.1.311.20.2
certutil -setreg policy\DisableExtensionList -1.3.6.1.4.1.311.21.7
net stop certsvc
net start certsvc

For a complete list of the OIDs used by Microsoft cryptography, see the following Knowledge Base article: https://support.microsoft.com/kb/287547/en-us.