Part 4: Duplicate Certificate Fix

Note that commands copied and pasted from this page may need formatting metadata scrubbed and may contain unintended spaces.

Stop Duplicate Certificates from Being Generated

To stop the duplicate certificates from being generated, perform the following steps:

  1. In the EJBCA Admin Web, click System Configuration > Custom Certificate Extensions.
  2. In Object Identifier (OID), enter
  3. In Label, enter User Certificate Template Information and click Add.
  4. Click Edit on the object previously added.
  5. Set the Encoding to DEROBJECT.
  6. Enable Dynamic.
  7. Open PowerShell on the CS Host and run the following to get the Certificate Template OIDs:
    Certutil -catemplates -v | select-string displayname,msPKI-Cert-Template-OID
  8. Copy the portion of the user template OID string following "". 
  9. Paste the string in the Value field.
    For example, for the following OID:
    paste the following in the Value field:
  10. Click Save.
  11. Repeat these steps for the computer auto enrollment template, specifying Computer Certificate Template Information as the label, and obtaining the value from the computer template OID.

Enable Custom Extensions in Certificate Profile

To enable the Custom Extensions in the Certificate Profile, perform the following steps:

  1. Click CA Functions > Certificate Profiles.
  2. Clone from the ENDUSER Certificate Profile, giving it a name such as User_Certificate_Profile (or select the Certificate Profile already being used).
  3. Edit the User_Certificate_Profile.
  4. Key Usage: Digital Signature, Non-repudiation, and Key encipherment (if not already selected).
  5. Extended Key Usage: Client Authentication, Email Protection, and MS Encrypted File System (EFS).
  6. Used Custom Certificate Extensions: Certificate Template Information.
  7. Available CAs: Issuing CA.