Create an authentication template for generating the client keystore. For example, you can copy an existing template and configure it as explained below.

To create a client authentication template for Microsoft CA

  1. Log in to the Microsoft CA server machine.
  2. Press Win + R to open the Run dialog.
  3. Type "mmc" and press Enter to open the Microsoft Management Console.
  4. Go to Certificate Authority.
  5. Right-click Certificate Templates and select Manage.
  6. Right-click the User template and select Duplicate Template.
  7. In the template properties dialog, configure the settings described below.
  8. Click OK to close the dialog.
  9. Go to Certificate Authority.
  10. Right-click Certificate Templates and select New > Certificate Template to Issue.
  11. Select Client Authentication from the list.

General

In this tab, set Template display name to Client Authentication.

Security 

In this tab:

  • Grant the necessary permissions to a user group – for example, select Read, Write, and Enroll for the Domain Admins group.
  • Clear the Write and Enroll permissions for the Authenticated Users group.
  • Remove unnecessary groups.

Subject Name

In this tab, select the Supply in request option.

Click OK to close the warning pop-up message.

Extensions

In this tab, edit Application Policies and remove:

  • Encrypting File System
  • Secure Email