Index: cackey.c
==================================================================
--- cackey.c
+++ cackey.c
@@ -3958,11 +3958,11 @@
 static struct cackey_identity *cackey_read_identities(struct cackey_slot *slot, unsigned long *ids_found) {
 	struct cackey_pcsc_identity *pcsc_identities;
 	struct cackey_identity *identities;
 	unsigned long num_ids, id_idx, curr_id_type;
 	unsigned long num_certs, num_dod_certs, cert_idx;
-	int include_extra_certs = 0;
+	int include_extra_certs = 0, include_dod_certs;
 
 	CACKEY_DEBUG_PRINTF("Called.");
 
 	if (ids_found == NULL) {
 		CACKEY_DEBUG_PRINTF("Error. ids_found is NULL");
@@ -3980,14 +3980,28 @@
 
 	if (getenv("CACKEY_NO_DOD_CERTS_ON_HW_SLOTS") != NULL) {
 		include_extra_certs = 0;
 	}
 
+#ifdef CACKEY_NO_EXTRA_CERTS
+	if (getenv("CACKEY_EXTRA_CERTS") != NULL) {
+		include_dod_certs = 1;
+	} else {
+		include_dod_certs = 0;
+	}
+#else
 	if (getenv("CACKEY_NO_EXTRA_CERTS") != NULL) {
-		num_dod_certs = 0;
+		include_dod_certs = 0;
 	} else {
+		include_dod_certs = 1;
+	}
+#endif
+
+	if (include_dod_certs) {
 		num_dod_certs = sizeof(extra_certs) / sizeof(extra_certs[0]);
+	} else {
+		num_dod_certs = 0;
 	}
 
 	if (slot->internal) {
 		num_ids = cackey_read_dod_identities(NULL, num_dod_certs);
 
Index: configure.ac
==================================================================
--- configure.ac
+++ configure.ac
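Review bot: The `getenv("CACKEY_EXTRA_CERTS")` check inside `#ifdef CACKEY_NO_EXTRA_CERTS` lets a per-process environment variable reinstate the built-in extra_certs that a `--disable-dod-certs` build was configured to omit, and nothing in the hunk records that this is intentional or that the knob changes name between builds (`CACKEY_EXTRA_CERTS` enables in disabled builds, `CACKEY_NO_EXTRA_CERTS` disables in enabled builds, and the latter string is also the preprocessor macro). A comment above the `#ifdef`, such as `/* Build-time default decides whether extra_certs are exposed; CACKEY_EXTRA_CERTS (disabled builds) or CACKEY_NO_EXTRA_CERTS (enabled builds) overrides it per process */`, would make that contract reviewable. Whoever owns the build policy should confirm that an environment override of a compile-time "no extra certs" decision is acceptable, since a consumer of this library presumably relies on the build-time choice for which certificates it is shown. A smaller point: `include_dod_certs` is declared without an initializer in the previous hunk; `int include_extra_certs = 0, include_dod_certs = 0;` would keep the no-certs default if the `#ifdef`/`#else` block is later edited. cackey_read_identities continues outside the hunk.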
@@ -151,10 +151,21 @@
 ])
 
 if ! test "${dodcertsonhwslots}" = 'no'; then
 	AC_DEFINE(CACKEY_CARD_SLOT_INCLUDE_EXTRA_CERTS, [1], [Specify that DoD certificates should be made available on hardware token slots])
 fi
+
+dnl Option to disable DoD certs entirely
+AC_ARG_ENABLE(dod-certs, AC_HELP_STRING([--disable-dod-certs], [Disable including DoD certs entirely. The user may override this with the CACKEY_EXTRA_CERTS environment variable.]), [
+	dodcerts=$enableval
+], [
+	dodcerts=yes
+])
+
+if test "${dodcerts}" = 'no'; then
+	AC_DEFINE(CACKEY_NO_EXTRA_CERTS, [1], [Specify that DoD certificates should not be made available])
+fi
 
 dnl Set version script, to limit the scope of symbols
 DC_SETVERSIONSCRIPT(libcackey.vers, libcackey.syms)
 
 dnl Upate LDFLAGS to include setting the run-time linker path to the same as our compile-time linker
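Review bot: The AC_DEFINE description for `CACKEY_NO_EXTRA_CERTS` says the certificates "should not be made available", but the help string two lines above promises that the `CACKEY_EXTRA_CERTS` environment variable can override this, so config.h and `configure --help` describe different behaviour. Aligning them, e.g. `AC_DEFINE(CACKEY_NO_EXTRA_CERTS, [1], [Specify that DoD certificates should not be made available unless CACKEY_EXTRA_CERTS is set in the environment])`, keeps the generated header self-describing. The macro name also matches the runtime environment variable `CACKEY_NO_EXTRA_CERTS` checked in cackey.c character for character, while the option itself is spelled `dod-certs`; a short dnl comment noting that the macro name is shared with the env var would save the next reader from grepping for both. `AC_HELP_STRING` is the obsolete spelling of `AS_HELP_STRING`, but the existing option just above uses the same form, so that is a file-wide cleanup rather than something for this commit.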