Remove Enrollee Supplies Subject Flag from Templates
Ensure certificate templates do not allow users to supply their own subject information.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Aug 2024
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
The CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is removed from certificate templates.
Source: ASD Information Security Manual (ISM)
Plain language
This control ensures that when people apply for digital certificates, which are like digital ID cards, they can't fill in their own personal information. It’s important because if this step isn’t followed, someone might pretend to be someone else, leading to potential fraud or security breaches.
Why it matters
If users can supply subject details in templates, certificates can be issued with spoofed identities, enabling unauthorised access to systems and data.
Operational notes
Periodically review certificate templates and confirm CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is removed, so enrollee-supplied subject names cannot be used.
Implementation tips
- System owners should review current digital certificate templates to ensure they don't allow users to supply their own subject information. They can do this by checking the template settings in their Microsoft Active Directory Certificate Services (AD CS) management console, focusing on the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag.
- IT administrators should update the certificate template settings to remove any option that lets users fill in their own details. This involves opening the template properties in AD CS and clearing the option that allows the enrollee to supply the subject information (the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag).
- Managers should organise training sessions for staff involved in certificate management to ensure they understand the importance of these changes. This training can be a webinar or a workshop, explaining why strict control over certificate issuance is necessary.
- Security officers should regularly verify that the correct settings are applied to all templates. They can do this by setting up periodic checks within their security audits to confirm compliance with this control.
- Procurement teams should ensure that any external IT service providers also comply with these requirements. They can include specific clauses in contracts that mandate alignment with this certificate management control.
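The following audit script is an added example for this control; it is not code from the Control Stack page or from ASD. It reads the template objects AD CS stores in the Configuration partition and reports which ones still have CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set (bit 0x1 of the msPKI-Certificate-Name-Flag attribute, per MS-CRTD), flagging those published on a CA. It assumes the RSAT ActiveDirectory module and read access to the Configuration naming context; the function name and CSV path are this example's own choices.

```powershell
# Added audit example for ISM-1945; not code from the Control Stack page or from ASD.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

# MS-CRTD: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is bit 0x1 of msPKI-Certificate-Name-Flag.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001

function Get-EnrolleeSuppliesSubjectReport {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    # Templates a CA actually offers are listed (by CN) on its pKIEnrollmentService object.
    $published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
        ForEach-Object { $_.certificateTemplates }

    $templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties displayName, 'msPKI-Certificate-Name-Flag'

    foreach ($t in $templates) {
        # The attribute is a signed 32-bit value; -band on [int] handles high-bit flags correctly.
        $nameFlags = [int]$t.'msPKI-Certificate-Name-Flag'
        [pscustomobject]@{
            Template                = $t.displayName
            Cn                      = $t.Name
            EnrolleeSuppliesSubject = [bool]($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
            PublishedOnCA           = [bool]($published -contains $t.Name)
            NameFlagsHex            = '0x{0:X8}' -f $nameFlags
        }
    }
}

$report = Get-EnrolleeSuppliesSubjectReport

# Non-compliant templates still carry the flag; the published ones are the immediate exposure.
$report | Where-Object EnrolleeSuppliesSubject |
    Sort-Object PublishedOnCA -Descending | Format-Table -AutoSize

# Keep the full result as audit evidence for the control (path is this example's choice).
$report | Export-Csv -Path '.\ISM-1945-template-audit.csv' -NoTypeInformation
```

Running the script on a schedule and retaining the CSV gives the periodic check and the evidence that the Operational notes and Audit / evidence tips call for.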
Audit / evidence tips
- Ask: the current list of certificate templates used in the organisation. Good: shows a complete absence of this option on all templates.
- Good: audit result confirms these changes were made and documented.
- Ask: training records or agendas showing that staff responsible for certificate management received updated training. Good: evidence of completed training sessions with an overview of topics covered.
- Good: includes specific clauses about removing user-specified subject information.
- Ask: the results of recent internal security audits that covered certificate template configuration. Good: shows a positive audit result, indicating compliance.
Cross-framework mappings
How ISM-1945 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.16 | ISM-1945 requires the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag to be removed from certificate templates so users cannot supply their own ce... | |