Adding custom extensions to MS Enterprise CA

Active Directory

MS Enterprise AD CS certificate templates do not support custom extensions, e.g. Qualified Statements.

The only way to include such an extension is to add it to the certificate request (PKCS #10).

To allow custom extension processing, we need to edit the registry and change the following key:

EnableEnrolleeRequestExtensionList, which specifies the list of extensions that should be processed when we use an offline request (i.e. when the subject DN is built from the request and not from AD).

Rather than changing the registry directly, it is better to run this from the command line:

certutil -setreg policy\EnableEnrolleeRequestExtensionList +1.3.6.1.5.5.7.11

or any other OID.

Use - instead of + to remove an extension from the list.
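The steps above as a PowerShell script, added here as an example and not part of the original post. It assumes it runs on the CA host as a CA administrator, that certutil and certreq are on the PATH, and that the subject name and the {hex} extension value in the INF are constructed placeholders to be replaced with the real ones.

```powershell
# Added example: allow a request-supplied extension on an Enterprise CA,
# then build an offline PKCS #10 request that carries it.
param(
    [string]$Oid = '1.3.6.1.5.5.7.11'   # OID from the post; any other OID works the same way
)

# 1. Record the current list before changing it (useful for review and rollback).
certutil -getreg policy\EnableEnrolleeRequestExtensionList

# 2. Add the OID. '+' appends to the list, '-' removes from it.
certutil -setreg policy\EnableEnrolleeRequestExtensionList "+$Oid"

# 3. The policy module reads the list at start-up, so the CA service must be restarted.
Restart-Service -Name CertSvc

# 4. Verify the OID is really in the list now; fail loudly if it is not.
$list = certutil -getreg policy\EnableEnrolleeRequestExtensionList | Out-String
if ($list -notmatch [regex]::Escape($Oid)) {
    throw "OID $Oid is not present in EnableEnrolleeRequestExtensionList"
}

# 5. Build the offline request. The extension goes into the PKCS #10 itself,
#    because the template cannot add it. Subject and DER bytes are placeholders.
@"
[NewRequest]
; constructed sample subject, replace with the real one
Subject = "CN=host.corp.example, O=Example Org"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE

[Extensions]
; placeholder DER value (an empty SEQUENCE), replace with the real encoding
$Oid = "{hex}30 00"
"@ | Set-Content -Path .\custom-ext.inf -Encoding ASCII

certreq -new .\custom-ext.inf .\custom-ext.req
```

Submit the resulting .req to the CA as usual; if the OID is not in the list, the CA silently drops the extension from the issued certificate, so check the issued certificate rather than assuming it was kept.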


Read more here:

https://www.pkisolutions.com/request-extension-processing-in-active-directory-certification-authority/

