Thanks for posting in Microsoft TechNet forums.
A user's roaming certificates are an attribute of this object.
Credential roaming is triggered any time a private key or certificate in the user's local certificate store changes, so I don't think it is necessary to manage them in the AD. However, we can do some management operations in the AD from the command line; for example, we can delete roaming credentials from Active Directory.
I need to do further research to provide you with a more detailed answer. Thanks for your understanding and efforts.
For more information, please refer to the link below:
As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.