This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Based on this procedure https://www.vkernel.ro/blog/set-up-automatic-certificate-enrollment-autoenroll we have setup an certificate autoenrollment group policy in order to autoenroll Email Signing and Encryption certificates to AD users. this policy only issues such a certificate once at first logon (when GPO is applied first time) and then it does renew certificates about to expire.
This works quite fine, but I remakred that sometimes, some users have 2 or even 3 valid certificates, all based on different private keys but same template. These users for sure haven't enrolled a new certificate on their own.
And second, all certificates are published to user object in AD. But also here I am a bit confused, because from my knowledge these published certificates are the ones an Outlook/Exchange (op-premises) AD sender uses in order to encrypt mails to other AD recipients. Which certificate is choosen if there is more then one valid certificate, I thouhgt it would at least always go for the one with the longes expiry period from today, but not even this is the case. I have a particular user who has 3 certificates bound to his AD user object, expiry dates are:
1.01.2020
31.12.2021
10.02.2021
The only certificate the user itself has in his user certificate store is th one with expry date 10.02.2021, which is even the one with the shortest expiry period. And guess what, a senders Outlook chooses this one, which is the right one, no problem. But why this one and not another one from the 3, and where do the other 2 certificates may come from? Why have they ever been issued by our PKI?
Would be glad if someone can explain what the cause for multiple certificate issuance might be and how these are handled in which order by AD?
kind regards,
Dieter
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hello,
According to "The only certificate the user itself has in his user certificate store is the one with expiry date 10.02.2021," where do we see the other two certificates?
I think the user uses the certificate in his/her certificate store.
We can check how the other two certificates are requested.
On one domain-joined client, logon with one domain user account and open Event Viewer->Applications and Services Logs->Microsoft->Windows->CertificateServicesClient-Lifecycle-User->Operational
We can check event ID 1006.
Process Name
Account Name
Context
Action
Here is an autornrolled computer certificate after I run gpupdate /force command.
Process Name: Taskhostw.exe
Account Name: B\daisy11
Context: User
Action:Enroll
After the auto enrolle the above user certificate with User1 certificate template via GPO, I can also enroll another certificate with the same User1 certificate template manually. And here is a user certificate I requested manually with User1 template.
Process Name: mmc.exe
Account Name: B\daisy11
Context: User
Action:Enroll
Best Regards,
Fan