Remove Enrollee Supplies Subject Flag from Templates
Ensure certificate templates do not allow users to supply their own subject information.
Plain language
This control ensures that when people apply for digital certificates, which are like digital ID cards, they can't fill in their own personal information. It’s important because if this step isn’t followed, someone might pretend to be someone else, leading to potential fraud or security breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
The CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is removed from certificate templates.
Why it matters
If users can supply subject details in templates, certificates can be issued with spoofed identities, enabling unauthorised access to systems and data.
Operational notes
Periodically review certificate templates and confirm CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is removed, so enrollee-supplied subject names cannot be used.
Implementation tips
- System owners should review current digital certificate templates to ensure they don't allow users to provide their own personal information. They can do this by checking the settings in their Microsoft Active Directory Certificate Services (AD CS) management console, focusing on the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT setting.
- IT administrators should update the certificate template settings to remove any option that lets users fill in their own details. This involves opening the template properties in the AD CS console and clearing the option that allows the enrollee to supply the subject name.
- Managers should organise training sessions for staff involved in certificate management to ensure they understand the importance of these changes. This training can be a webinar or a workshop, explaining why strict control over certificate issuance is necessary.
- Security officers should regularly verify that the correct settings are applied to all templates. They can do this by setting up periodic checks within their security audits to confirm compliance with this control.
- Procurement teams should ensure that any external IT service providers also comply with these requirements. They can include specific clauses in contracts that mandate alignment with this certificate management control.
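The review described in the operational notes and the first two implementation tips can be automated. As an added example (not code from the Control Stack page or from Microsoft), the following PowerShell enumerates the certificate templates stored in the Active Directory Configuration partition and reports any that still carry CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT; it assumes the ActiveDirectory RSAT module and read access to the Configuration naming context, and the function name Get-EnrolleeSuppliesSubjectTemplates is the example's own.

```powershell
# Added example (not from the Control Stack page or from Microsoft): report AD CS
# certificate templates that still have CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set.
# Assumes the ActiveDirectory RSAT module and read access to the Configuration partition.
Import-Module ActiveDirectory

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is bit 0x00000001 of msPKI-Certificate-Name-Flag (MS-CRTD).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001

function Get-EnrolleeSuppliesSubjectTemplates {
    param(
        # Restrict the report to templates published on at least one CA, since only
        # published templates can be enrolled against.
        [switch]$PublishedOnly
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    # Template names published on any enrollment service (CA) object.
    $published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
        ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

    Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties displayName, 'msPKI-Certificate-Name-Flag' |
        ForEach-Object {
            $nameFlag    = [int]$_.'msPKI-Certificate-Name-Flag'
            $isPublished = $published -contains $_.Name
            if ($PublishedOnly -and -not $isPublished) { return }   # skip unpublished
            if ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) {
                [pscustomobject]@{
                    Template    = $_.Name
                    DisplayName = $_.displayName
                    NameFlag    = ('0x{0:X8}' -f $nameFlag)
                    Published   = $isPublished
                }
            }
        }
}

# Usage: an empty result for published templates is the compliant state for this control.
Get-EnrolleeSuppliesSubjectTemplates -PublishedOnly | Format-Table -AutoSize
```

Running this on a schedule and retaining the output gives the periodic check and the audit evidence the sections above call for; any template it lists needs the flag cleared in the template properties.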
Audit / evidence tips
- Ask: the current list of certificate templates used in the organisation. Good: shows a complete absence of this option on all templates.
- Good: audit result confirms these changes were made and documented.
- Ask: training records or agendas showing that staff responsible for certificate management received updated training. Good: is evidence of completed training sessions with an overview of topics covered.
- Good: includes specific clauses about removing user-specified subject information.
- Ask: the results of recent internal security audits that covered certificate template configuration. Good: shows a positive audit result, indicating compliance.
Cross-framework mappings
How ISM-1945 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Annex A 5.16 | Partially meets | ISM-1945 requires the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag to be removed from certificate templates so users cannot supply their own ce... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.