Once you have created the certificates, you need to make them available for issuance. You also need to permit the serialNumber RDN to be added to the Subject DN of issued certificates and to permit the piv-interim extension in issued certificates.
The first four steps make the PIV certificate templates available for issuance; the remaining steps permit the serialNumber RDN and the piv-interim extension, and then restart the CA so that the changes take effect.
Make the PIV certificate available for issuance
1. On the Microsoft CA machine, go to Start > Windows Administrative Tools > Certification Authority.
2. Click your certification authority to expand the root folder.
3. Right-click Certificate Templates, and then select New > Certificate Template to Issue. The Enable Certificate Templates dialog box appears.
4. Select PIV - PIV Authentication and click OK.
Repeat this process for the following certificate templates:
● PIV - Card Authentication
● PIV - Digital Signature
● PIV - Key Management
● PIV - Content Signer (device)
5. Permit the serialNumber RDN to be added to the Subject DN of issued certificates, as follows:
a. Open an elevated command window. If you are not logged in as an administrator, do the following:
i) Go to Windows Accessories (or Windows System, depending on your Windows version).
ii) Right-click Command Prompt > More and click Run as administrator.
iii) Click Yes in the User Account Control window that pops up.
b. Display the list of permitted RDN components in the order that they will appear in the Subject DN of issued certificates using the following command:
certutil -getreg ca\SubjectTemplate
c. Your output should be similar to the following (the key name after Configuration\, msca in this example, is the name of your CA):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\msca\SubjectTemplate:
SubjectTemplate REG_MULTI_SZ =
0: EMail
1: CommonName
2: OrganizationalUnit
3: Organization
4: Locality
5: State
6: DomainComponent
7: Country
CertUtil: -getreg command completed successfully
d. If your output is identical to what is shown above, enter the following command to add the DeviceSerialNumber RDN (certutil's name for the serialNumber attribute) to this list in the correct position. Note that -setreg replaces the entire list with the new one, so the command must repeat every existing entry:
certutil -setreg ca\SubjectTemplate "EMail\nDeviceSerialNumber\nCommonName\nOrganizationalUnit\nOrganization\nLocality\nState\nDomainComponent\nCountry"
Note: If your output looks different, review it and alter the certutil -setreg command so that it reproduces your existing list with DeviceSerialNumber inserted immediately before CommonName. Do not drop any RDN component that is already present.
6. Permit the piv-interim extension in issued certificates, as follows:
a. Enter the following command to add the Object Identifier (OID) of the piv-interim extension to the list of extension OIDs that the CA accepts from certificate requests and copies into the issued certificate:
certutil -setreg policy\EnableRequestExtensionList +2.16.840.1.101.3.6.9.1
Note: The CA does not validate the contents of an extension enabled in this list; it copies it from the request as submitted. Only the trusted issuance system should be able to submit requests for the PIV templates.
b. Restart Active Directory Certificate Services (the CertSvc service) for these changes to take effect. Both the SubjectTemplate and the EnableRequestExtensionList values are read by the CA when the service starts.
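The following PowerShell script is an added example, not part of the original procedure or of the product's own tooling. It performs steps 5 through 8 in an idempotent way: it reads the current lists with the same certutil -getreg commands used above, inserts DeviceSerialNumber immediately before CommonName wherever CommonName happens to be (so it also covers the case in the Note where your list differs from the sample), adds the piv-interim OID only if it is missing, restarts CertSvc and then verifies both values. It assumes it is run from an elevated PowerShell prompt on the CA and that the existing SubjectTemplate contains CommonName; if it does not, the script stops rather than guess a position.

```powershell
# Added example (not from the original page): idempotent version of steps 5-8.
# Assumptions: elevated PowerShell on the CA; SubjectTemplate already lists CommonName.
$ErrorActionPreference = 'Stop'

function Get-CertSvcMultiSz {
    # Parse the "N: value" lines that certutil -getreg prints for a REG_MULTI_SZ value.
    param([Parameter(Mandatory)][string]$ValueName)
    $out = certutil -getreg $ValueName
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg $ValueName failed: $out" }
    @($out | ForEach-Object { if ($_ -match '^\s*\d+:\s*(\S+)\s*$') { $Matches[1] } })
}

# --- Step 5: serialNumber (certutil name DeviceSerialNumber) immediately before CommonName ---
[System.Collections.Generic.List[string]]$template = Get-CertSvcMultiSz 'ca\SubjectTemplate'
if ($template -notcontains 'DeviceSerialNumber') {
    $idx = $template.IndexOf('CommonName')
    if ($idx -lt 0) { throw "CommonName missing from SubjectTemplate ($($template -join ', ')); fix by hand." }
    $template.Insert($idx, 'DeviceSerialNumber')
    # certutil expects the literal two characters \n between entries; single quotes keep them literal.
    certutil -setreg ca\SubjectTemplate ($template -join '\n') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg ca\SubjectTemplate failed' }
}

# --- Step 6: permit the piv-interim extension OID in certificate requests ---
$pivInterim = '2.16.840.1.101.3.6.9.1'
$extList = Get-CertSvcMultiSz 'policy\EnableRequestExtensionList'
if ($extList -notcontains $pivInterim) {
    # "+OID" appends to the existing REG_MULTI_SZ instead of replacing it.
    certutil -setreg policy\EnableRequestExtensionList "+$pivInterim" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg policy\EnableRequestExtensionList failed' }
}

# --- Step 8: restart the CA service so the new values are read, then verify both settings ---
Restart-Service certsvc

$after = Get-CertSvcMultiSz 'ca\SubjectTemplate'
$cnPos = [array]::IndexOf($after, 'CommonName')
$snPos = [array]::IndexOf($after, 'DeviceSerialNumber')
if ($snPos -ne ($cnPos - 1)) { throw "SubjectTemplate order is wrong: $($after -join ', ')" }

if ((Get-CertSvcMultiSz 'policy\EnableRequestExtensionList') -notcontains $pivInterim) {
    throw "piv-interim OID $pivInterim is not in EnableRequestExtensionList"
}
"OK: SubjectTemplate = $($after -join ', ')"
```

Running the script a second time makes no changes, so it is safe to include in a CA build checklist. Steps 1 through 4 (publishing the templates) are still done in the Certification Authority console as described above; the script only automates the registry changes and the restart.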