Currently I have 2 user certificates installed on my local certificate store, issued by the same Issuing CA.
They both have the "Intended Purpose" Client Authentication enabled.
I would like to know if there is a way to, programmatically, disable this "purpose" on my certificate.
I'm able to do that using the MMC console, opening the certificate properties, and on the "Certificate Purposes" I select "Enable only the following purposes" and then unselect "Client Authentication". Is there any solution to do this by script?
Thanks in advance for your help.
You are attacking this from the wrong end of the process.
The correct way is to configure the certificate template prior to certificate issuance.
Yes, I know that.
But the issue is there and the certificates are in production, deployed to thousands of users.
So, this is supposed to be a workaround.
And no, I cannot re-issue new certificates and delete the old ones as we use them to encrypt emails.
If we do so, users will no longer be able to read old encrypted emails.
That's why the workaround would be to remove client authentication from one of the certificates.
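
The MMC steps described in the question can be scripted with the crypt32 function `CertSetEnhancedKeyUsage`, which writes the enhanced key usage property on the store's copy of the certificate and leaves the signed certificate and its private key untouched. The PowerShell below is an added example, not part of the original thread: the thumbprint is a placeholder, `EkuProperty` is a hypothetical helper name, and it assumes the certificate sits in `CurrentUser\My` and carries an EKU extension.

```powershell
# Added example, not from the thread. Placeholder: set the thumbprint of the
# certificate whose Client Authentication purpose should be switched off.
$Thumbprint    = '<THUMBPRINT>'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# EkuProperty is a hypothetical helper name; CertSetEnhancedKeyUsage is the crypt32 API.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class EkuProperty {
    [StructLayout(LayoutKind.Sequential)]
    struct CERT_ENHKEY_USAGE { public uint cUsageIdentifier; public IntPtr rgpszUsageIdentifier; }

    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertSetEnhancedKeyUsage(IntPtr pCertContext, ref CERT_ENHKEY_USAGE pUsage);

    // Writes the EKU property on the store copy; the signed certificate is unchanged.
    public static void Set(IntPtr certContext, string[] oids) {
        IntPtr[] strings = new IntPtr[oids.Length];
        IntPtr array = Marshal.AllocHGlobal(IntPtr.Size * Math.Max(oids.Length, 1));
        try {
            for (int i = 0; i < oids.Length; i++) strings[i] = Marshal.StringToHGlobalAnsi(oids[i]);
            Marshal.Copy(strings, 0, array, strings.Length);
            CERT_ENHKEY_USAGE usage = new CERT_ENHKEY_USAGE();
            usage.cUsageIdentifier = (uint)oids.Length;
            usage.rgpszUsageIdentifier = array;
            if (!CertSetEnhancedKeyUsage(certContext, ref usage))
                throw new InvalidOperationException("CertSetEnhancedKeyUsage failed: " + Marshal.GetLastWin32Error());
        } finally {
            foreach (IntPtr p in strings) Marshal.FreeHGlobal(p);
            Marshal.FreeHGlobal(array);
        }
    }
}
'@

$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'CurrentUser')
$store.Open('ReadWrite')   # read/write so the property is persisted in the store
try {
    $cert = $store.Certificates | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "Certificate $Thumbprint not found in CurrentUser\My" }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { throw 'Certificate has no EKU extension to derive the purpose list from' }
    # Keep every purpose the CA issued except Client Authentication.
    $keep = @($eku.EnhancedKeyUsages | ForEach-Object Value | Where-Object { $_ -ne $ClientAuthOid })
    [EkuProperty]::Set($cert.Handle, [string[]]$keep)
} finally { $store.Close() }
```

Because the change lives only in the local store entry, it has to be run per user profile and is lost if the certificate is exported and imported elsewhere.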