An object identifier must describe every application and issuance policy that you define. The inclusion of an issuance policy object identifier in an issued certificate indicates that the certificate was issued in a manner that meets the issuance requirements associated with the issuance policy object.

Issuance or application policies by default are not critical. Making them critical can help ensure that a certificate is not used improperly. However, it also increases the likelihood that the certificate may not be compatible with all applications.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To make issuance or application policy critical
  1. Open the Certificate Templates snap-in.

  2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

  3. On the Extensions tab, click Issuance Policies or Application Policies, and then click Edit.

  4. Select the Make this extension critical check box.

  5. Click OK.

Additional considerations

  • Clients must be re-enrolled to receive a certificate based on the changed template if they already have a valid certificate based on the old template. For more information, see Re-Enroll All Certificate Holders.

Additional references