Gregg O’Brien is a Microsoft Premier Field Engineer from Canada. In this post he talks about the ‘certificate explosion’ phenomenon and suggests a way to mitigate it.
We live in some very exciting times – we have so many devices to choose from: desktops, laptops, tablets, hybrids/convertibles, ultrabooks, netbooks and smartphones. Each of these devices offers its own unique benefits and features, so much so that it’s not uncommon to find people carrying 2 or 3 devices now!
As with all super cool technology though, IT pros will always find some challenge waiting at the bottom of that pile of coolness. In the case of multiple devices in an enterprise, a common problem is enrollment of certificates: not so much a problem of acquiring certificates, but the problem of users acquiring too many of them.
A Microsoft Active Directory Certificate Services infrastructure on Windows Server 2008/2012 is implemented with auto-enrollment capabilities. Users with accounts in Active Directory log in to the domain and the auto-enrollment policy enrolls the user for a certificate tied to their account. The certificate is downloaded from the certificate authority and is stored in the user’s certificate store on the local computer. So far so good….
Now for the ‘wrench in the gears’: the same user logs into another computer with the same user account and because the certificate store tied to that user account is empty on the second computer, the user receives a new certificate with a different private key. This behavior repeats on every computer the user logs on to. At first this might not seem like such a big deal. But this actually presents a few potential issues:
So what can we do about this? Well, the good news is, unlike most complex problems in life this one can be fixed by checking a few check boxes:
Now when users enroll for a certificate, the client will first check to see whether there is already a certificate for that user in Active Directory. If there is, rather than issuing a new certificate it will reuse the certificate that has already been issued. Another technical challenge vanquished!
Posted by Arvind Shyamsundar, MSPFE Editor.
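As an added example (not code from the original post), the following PowerShell script surfaces the problem described above by reading each user's certificates published in the Active Directory userCertificate attribute and flagging accounts that hold more than one unexpired certificate issued from the same template. It assumes the RSAT ActiveDirectory module, PowerShell 5 or later, and a CA that publishes issued certificates to AD; the way it extracts the template name from the extension's Format() output is an assumption about how Windows renders that extension.

```powershell
# Added example, not code from the original post.
# Lists users whose AD-published certificates (userCertificate attribute) show the
# "certificate explosion" pattern: more than one unexpired certificate from the
# same template. Assumes the RSAT ActiveDirectory module and PowerShell 5+.
Import-Module ActiveDirectory

$TemplateV2Oid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$TemplateV1Oid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $TemplateV1Oid) {
            return $ext.Format($false).Trim()          # v1: the value is the name itself
        }
        if ($ext.Oid.Value -eq $TemplateV2Oid) {
            # Assumption: Windows renders this as "Template=<name>(<oid>), Major Version ..."
            $text = $ext.Format($false)
            if ($text -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
            return $text
        }
    }
    return '(no template extension)'
}

function Get-DuplicateUserCertificates {
    $now = Get-Date
    # LDAP presence filter: only users that have anything published at all.
    $users = Get-ADUser -LDAPFilter '(userCertificate=*)' -Properties userCertificate
    foreach ($user in $users) {
        $live = foreach ($raw in $user.userCertificate) {
            try {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
                if ($cert.NotAfter -gt $now) { $cert }     # keep only unexpired certificates
            } catch {
                Write-Warning "$($user.SamAccountName): could not parse a userCertificate value"
            }
        }
        $live | Group-Object -Property { Get-TemplateName $_ } |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                [pscustomobject]@{
                    User        = $user.SamAccountName
                    Template    = $_.Name
                    LiveCerts   = $_.Count
                    Thumbprints = ($_.Group | ForEach-Object Thumbprint) -join ', '
                }
            }
    }
}

Get-DuplicateUserCertificates | Sort-Object LiveCerts -Descending | Format-Table -AutoSize
```

The report only shows what is published in AD; it cannot tell you which computer holds the private key for each listed certificate, which is exactly why the duplicates matter for encrypted mail. Running it before enabling the AD duplicate check gives an inventory of the accounts that will still carry several live certificates afterwards, since the setting affects new enrollments only.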
Thanks for this article!
Stupidly we overlooked the setting to avoid multiple certificates and now we have the problem that several users have more than 1 certificate that is published in AD for email encryption.
What is the best way to clean up? Check which certificate will be used as the default one and delete the others?
Is it certain that the default certificate will be used every time a user sends an encrypted mail?
What is the best practice?
Thank you very much!
@toasti - best to get someone in or open a case with Microsoft to evaluate it, there are lots of different components to possible solutions. They involve complexities like credential roaming, roaming profiles, certificate distribution, key storage location, and more. You may have different "default" certificates on different devices.
Thanks Alan for your help.
I see, not so easy, but I didn't think it would be.
The checkbox as described above has been set since yesterday. Is it a possibility just to wait until they expire, so that there's only one valid certificate in the store due to the setting not to enroll multiple certs?
But as I understand it, I still must make sure that the user has all his old private keys on the machine to read old emails, right?
At the moment we do not use roaming profiles and credential roaming, but credential roaming sounds like the one we need.
Hi, I followed the exact same steps as above, but still, when a user is logging into multiple computers, it is generating an individual certificate for each computer. Please help.
Hi all, our CA server was configured to avoid users enrolling for multiple certificates and to archive users' encryption private keys on the server ("Archive subject's encryption private key" in the Request Handling tab). Users have to set a password to protect their private key stored on the local computer. Our problem is how to protect users' certificates (signatures) if they lose their AD account. This means, when an attacker knows a user's AD account, the attacker could log on to the user's computer, delete the user's certificate on the local computer (password protected) and then request a new certificate. We want to configure the CA server to require the attacker to provide the password which the user set the first time they requested a certificate, each time a certificate is re-requested. Please help!
Assuming this also requires credential roaming? As in our environment this does not work.
Yes and no. For this to work with users using lots of computers, you'll need to ensure the private key for the "one" certificate is stored on each computer the users use. Which means, in general:
-credential roaming, or
are needed to keep that private key material consistent across hosts.
"For this to work with users using lots of computers, you'll need to ensure the private key for the "one" certificate is stored on each computer the users use. Which means, in general:
-credential roaming, or
are needed to keep that private key material consistent across hosts."
This article is badly incomplete without telling the readers this tiny little missing part of the story!
Attention to everybody out there reading this article!
Will this setting prevent users from re-enrolling after their certificate has expired?
Won't an expired certificate remain in Active Directory and thus prevent the user from being able to renew?