Hello AdamTyler-3590,
Thank you for posting in Q&A forum.
I think you are right, as per the description in event ID 20 that you mentioned and the description in the screenshot or below.
By default, the Active Directory CA provides and publishes the Kerberos Authentication certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.
The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers.
Also, I have done a test in my lab.
This certificate is issued using the Domain Controller Authentication certificate template.
This certificate is issued using the Kerberos Authentication certificate template.
Here are three DNS names in the SAN field of the certificate.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
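Added example, not part of the answer above: one way to repeat the lab comparison on a domain controller is to list each certificate in the local machine store with the template it was issued from and the DNS names in its SAN. It assumes an elevated PowerShell session on the DC and an English display language, because the DNS names are pulled from the formatted extension text.

```powershell
# Added example: show template and SAN DNS names for certificates in LocalMachine\My.
# Assumption: English locale, so SAN entries are rendered as "DNS Name=<value>".
$oidTemplateV2 = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (version 2+ templates)
$oidTemplateV1 = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (version 1 templates)
$oidSan        = '2.5.29.17'              # Subject Alternative Name

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # A certificate carries one of the two template extensions, or neither.
    $tmplExt = $cert.Extensions |
        Where-Object { $_.Oid.Value -in $oidTemplateV2, $oidTemplateV1 } |
        Select-Object -First 1
    $sanExt = $cert.Extensions |
        Where-Object { $_.Oid.Value -eq $oidSan } |
        Select-Object -First 1

    # Format($false) returns the extension as a single comma-separated line.
    $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\r\n]+)') |
            ForEach-Object { $_.Groups[1].Value.Trim() }
    }

    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        Template    = $template
        SanDnsCount = $dnsNames.Count
        SanDnsNames = $dnsNames -join ', '
    }
} | Format-List
```

A certificate issued from the Kerberos Authentication template should show that template name in `Template`; `SanDnsNames` can be compared against the three DNS names seen in the lab test.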