How to exclude the certificate template name from certificates to be issued
Published Jan 24 2020 01:40 PM
Microsoft

First published on TECHNET on Jan 03, 2007

By default, a Windows enterprise CA adds information about the certificate template that was used to each certificate it issues. These certificate extensions are especially important for certificate autoenrollment. However, in heterogeneous environments you may have a requirement not to include the certificate template names in certificates.

To stop the CA from adding the certificate template information to newly issued certificates, run the following commands with administrator permissions at a command prompt on your enterprise CA:

certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.20.2
certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.21.7
net stop certsvc
net start certsvc

The configuration change applies CA-wide and does not affect certificates that have already been issued. Remember that autoenrollment will break if you add these OIDs to the list of disabled extensions, so you must not apply this change on a CA from which clients enroll certificates automatically.
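The following PowerShell is an added example, not part of the original post. It checks two things a CA administrator would want to confirm after running the certutil commands above: whether the two template OIDs are actually present in the CA's DisableExtensionList, and whether a given issued certificate still carries a template extension. The registry path (the active CA under CertSvc\Configuration and its active policy module under PolicyModules) is an assumption about where certutil -setreg policy\... writes; the function names and the hashtable of OID descriptions are mine.

```powershell
# Added example (not from the original post). Assumes the standard CertSvc
# registry layout: certutil -setreg policy\DisableExtensionList writes to
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA>\PolicyModules\<ActiveModule>.

# The two OIDs the post disables, with what each one carries.
$TemplateOids = @{
    '1.3.6.1.4.1.311.20.2' = 'Certificate Template Name (version 1 templates)'
    '1.3.6.1.4.1.311.21.7' = 'Certificate Template Information (version 2 and later templates)'
}

function Get-CaDisableExtensionList {
    # Resolve the active CA and its active policy module, then read the
    # REG_MULTI_SZ DisableExtensionList value. Run this on the CA itself.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $pmKey  = Join-Path $cfg "$caName\PolicyModules"
    $module = (Get-ItemProperty -Path $pmKey -Name Active).Active
    $policy = Join-Path $pmKey $module
    $value  = Get-ItemProperty -Path $policy -Name DisableExtensionList -ErrorAction SilentlyContinue
    if ($null -eq $value) { return @() }   # value absent: nothing is disabled
    return @($value.DisableExtensionList)
}

function Test-TemplateExtensionsDisabled {
    # One row per template OID, stating whether the CA currently suppresses it.
    $disabled = Get-CaDisableExtensionList
    foreach ($oid in $TemplateOids.Keys) {
        [pscustomobject]@{
            Oid         = $oid
            Description = $TemplateOids[$oid]
            Disabled    = ($disabled -contains $oid)
        }
    }
}

function Test-CertificateTemplateExtension {
    # Inspect an issued certificate (.cer/.crt file) for either template
    # extension. Works on any machine, not only on the CA.
    param([Parameter(Mandatory)][string]$Path)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $found = @($cert.Extensions | Where-Object { $TemplateOids.ContainsKey($_.Oid.Value) })
    [pscustomobject]@{
        Subject              = $cert.Subject
        HasTemplateExtension = ($found.Count -gt 0)
        TemplateOids         = @($found | ForEach-Object { $_.Oid.Value })
    }
}

# Usage on the CA: confirm the registry state the commands above should produce.
Test-TemplateExtensionsDisabled | Format-Table -AutoSize

# Usage anywhere: confirm a certificate issued after the change no longer
# carries a template extension (path is a placeholder).
Test-CertificateTemplateExtension -Path 'C:\temp\issued-after-change.cer'
```

A certificate issued before the change will still report HasTemplateExtension as True, which matches the note above that already issued certificates are not affected. If you prefer the built-in tool, certutil -getreg policy\DisableExtensionList shows the same multi-string value the first function reads.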

To add the certificate template name to issued certificates again, remove the OIDs from the list of disabled extensions. Run these commands with administrator permissions on your enterprise CA:

certutil -setreg policy\DisableExtensionList -1.3.6.1.4.1.311.20.2
certutil -setreg policy\DisableExtensionList -1.3.6.1.4.1.311.21.7
net stop certsvc
net start certsvc

For a complete list of OIDs used by Microsoft cryptography, see the following Knowledge Base article: http://support.microsoft.com/kb/287547/en-us

Last update: Feb 20 2020 02:35 PM