Auto-Enrolled (GPO) Email Encryption Certificates - multiple and why

  • Question

  • Based on this procedure https://www.vkernel.ro/blog/set-up-automatic-certificate-enrollment-autoenroll we have set up a certificate autoenrollment group policy in order to autoenroll Email Signing and Encryption certificates to AD users. This policy only issues such a certificate once at first logon (when the GPO is applied for the first time) and then renews certificates that are about to expire.

    This works quite fine, but I remarked that sometimes some users have 2 or even 3 valid certificates, all based on different private keys but the same template. These users for sure haven't enrolled a new certificate on their own.

    And second, all certificates are published to the user object in AD. But also here I am a bit confused, because from my knowledge these published certificates are the ones an Outlook/Exchange (on-premises) AD sender uses in order to encrypt mails to other AD recipients. Which certificate is chosen if there is more than one valid certificate? I thought it would at least always go for the one with the longest expiry period from today, but not even this is the case. I have a particular user who has 3 certificates bound to his AD user object; the expiry dates are:

    • 1.01.2020
    • 31.12.2021
    • 10.02.2021

    The only certificate the user itself has in his user certificate store is the one with expiry date 10.02.2021, which is even the one with the shortest expiry period. And guess what, a sender's Outlook chooses this one, which is the right one, no problem. But why this one and not another one of the 3, and where may the other 2 certificates come from? Why have they ever been issued by our PKI?

    I would be glad if someone could explain what the cause for multiple certificate issuance might be and in which order these are handled by AD.

    kind regards,

    Dieter

    Wednesday, February 12, 2020 3:05 PM

Answers

  • Hello,
    Thank you for posting in our TechNet forum.

    According to "The only certificate the user itself has in his user certificate store is the one with expiry date 10.02.2021," where do we see the other two certificates?

    I think the user uses the certificate in his/her certificate store.


    We can check how the other two certificates are requested.

    On one domain-joined client, logon with one domain user account and open Event Viewer->Applications and Services Logs->Microsoft->Windows->CertificateServicesClient-Lifecycle-User->Operational

    We can check event ID 1006.
    Process Name
    Account Name
    Context
    Action


    Here is an autoenrolled computer certificate after I ran the gpupdate /force command.

    Process Name: Taskhostw.exe
    Account Name: B\daisy11
    Context: User
    Action:Enroll



    After auto-enrolling the above user certificate with the User1 certificate template via GPO, I can also enroll another certificate with the same User1 certificate template manually. And here is a user certificate I requested manually with the User1 template.

    Process Name: mmc.exe
    Account Name: B\daisy11
    Context: User
    Action:Enroll






    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 13, 2020 4:27 AM
    Moderator
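One way to pull the enrollment events the answer refers to, as an added example (not part of the answer above): it reads event ID 1006 from the CertificateServicesClient-Lifecycle-User Operational log of the logged-on user and lists the event data fields, so autoenrollment (taskhostw.exe) and manual MMC enrollments (mmc.exe) can be told apart.

```powershell
# Added example, not from the thread. Run as the affected user on a domain-joined
# client; it reads that user's own Lifecycle-User log.
$log = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational'

# Event ID 1006 is logged for each certificate enrollment in the user context.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1006 } -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # The fields shown in the answer (process name, account, context, action)
    # live in the event's EventData; read them generically from the event XML.
    $xml  = [xml]$e.ToXml()
    $data = [ordered]@{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Fields = ($data.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    }
}
```

If the user profile has been rebuilt or the log was cleared since the extra certificates were issued, the events will be gone, so an empty result does not prove no enrollment took place.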

All replies

  • Thank you, I will check the EventLog for ID 1006 and will post my findings.

    Re. 

    According to "The only certificate the user itself has in his user certificate store is the one with expiry date 10.02.2021," where do we see the other two certificates?

    I think the user uses the certificate in his/her certificate store.

    The other two certificates are listed in the user's AD object under Published Certificates and also they can be found on our PKI under Issued Certificates. Obviously the user uses the certificate from his certificate store, basically he rather uses his private key. But my question was how it is determined which certificate, out of the three, other users use when they send an encrypted message to this user. I am talking about "internal" communication with Outlook within the same AD infrastructure. In this case, a sender does not need to have the recipient's public certificate available in order to send him an encrypted message; it will be automatically retrieved from AD once he sends an encrypted message to such a recipient. And here I do not understand the procedure if more than one valid certificate is mapped to such a recipient user object in AD.

    Also I have revoked the two "wrong/additional/obsolete" certificates from the PKI, and even after 24h the two certificates in charge are still in place at the user's AD object.

    As you can see here, both certificates were revoked:

    But they are still shown the next day in Published Certificates in the user's AD object, and beside this, they aren't even marked as revoked:

    I don't understand.

    cheers, Dieter

    Thursday, February 13, 2020 7:50 AM
  • Thanks, can I see somewhere on the PKI server when and how a certain certificate was issued or requested? Because my user in charge has no Event ID 1006 from that time. I hope I can see in the PKI server event log what happened to these certificates.
    Thursday, February 13, 2020 8:05 AM
  • Hi,
    Sorry, after my research, currently I cannot find anywhere on the PKI server when and how a certain certificate was issued or requested.

    But we can remove the certificates we do not want from the AD user Properties.



    If we want to delete the same certificate in different locations (such as the Published Certificates tab of the AD user Properties, the user's personal store or the CA server), we need to delete it from each location respectively.


    The user's private key is stored in the user profile. If the other two certificates are not in the user's personal store, maybe the corresponding private keys are not in the user profile either.

    C:\Users\Username\AppData\Roaming\Microsoft\Crypto\Keys



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 14, 2020 4:36 AM
    Moderator
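An added example (not from the reply above) that ties the three locations together: it reads the certificates published on the AD user object, checks each against the user's personal store and private keys, runs an online revocation check (a revoked certificate stays in Published Certificates until someone removes it, which is what the thread observed), and shows the Set-ADUser call that removes a stale entry. The account name is a placeholder; the script assumes the RSAT ActiveDirectory module and runs as the affected user so that Cert:\CurrentUser\My is theirs.

```powershell
# Added example, not from the thread. Placeholder: replace with the user's sAMAccountName.
$sam = 'USERNAME_PLACEHOLDER'

# Published Certificates tab == the multi-valued userCertificate attribute (DER bytes).
$user  = Get-ADUser -Identity $sam -Properties userCertificate
$store = Get-ChildItem Cert:\CurrentUser\My

$report = foreach ($raw in $user.userCertificate) {
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    $local = $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

    # Online chain build so CRL/OCSP status is consulted, not just the cached copy in AD.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $null  = $chain.Build($cert)
    $revoked = ($chain.ChainStatus | Where-Object { $_.Status -eq 'Revoked' }) -ne $null

    # Template name comes from the Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7).
    $tplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }

    [pscustomobject]@{
        Serial          = $cert.SerialNumber
        NotAfter        = $cert.NotAfter
        Template        = if ($tplExt) { $tplExt.Format($false) } else { '(none)' }
        InPersonalStore = [bool]$local
        HasPrivateKey   = if ($local) { $local.HasPrivateKey } else { $false }
        Revoked         = $revoked
    }
}
$report | Sort-Object NotAfter | Format-Table -AutoSize

# Remove a published entry that is revoked and has no local private key, so senders
# looking the recipient up in AD stop picking it. Uncomment after reviewing the report.
# $stale = $user.userCertificate | ForEach-Object {
#     [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_)
# } | Where-Object { $r = $report | Where-Object Serial -eq $_.SerialNumber; $r.Revoked -and -not $r.HasPrivateKey }
# Set-ADUser -Identity $sam -Certificates @{ Remove = $stale }

# On the CA itself, the request database records who submitted each request and when;
# this certutil query (run on the CA, DOMAIN is a placeholder) lists that user's requests.
# certutil -view -restrict "RequesterName=DOMAIN\$sam" -out "RequestID,RequesterName,SerialNumber,NotAfter"
```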