Issues with two valid S/MIME email encryption certificates in AD

Dieter Tontsch (GMail) 962 Reputation points
2022-05-11T15:42:35.82+00:00

I have a question regarding S/MIME encryption with AD-deployed certificates. We have our own PKI which is AD-integrated and we do deploy email signing and encryption certificates every 24 month to our users. This works fine so far, we do this since several years. From what I can tell a new certificate is generated 6 weeks before the actual one is due to expire. In the user object you can then see for ~ 6 weeks two valid certificates. Also a new certificate is issued based on the same private key I guess.
But now it comes to my issue. For the time while for an user there are two valid certificates it seems to be kind of random which one an email sender picks for encryption. Most of the time it seems to be the old one due to expire. But since the private key of both certificates is the same, a Windows Outlook can handle this and the email content is visible to the recipient, no matter if the old or new certificate was used for encryption, probably because the only thing which matters is a matching private key, right? The recipient does only see his new certificate in the user certificate store though.
But it comes to issue on mobile devices, iOS and Android. If the recipient only has e.g. his new key-pair installed on the mobile device, he cannot read an email encrypted with the old certificate, and vice-versa. Still the user can install both certificates on the mobile device, then it works again.

I actually have two questions:

  1. What's the process of picking an AD-published certificate for encryption (with Outlook) for a certain recipient while there are two certificates with validity at that very moment?
  2. does anybody know if the above issue with wrong certificate based on matching private key is a known one for mobile OS? What is best practice here? Outlook/Windows can handle this.

I guess the fact that for a while an user has two VALID certificates, one about to expire and a new one, is by design. And is it right that a recipient only needs the private key matching to the certificate used for encryption in order to be able to decrypt the email content? The sender's certificate isn't involved?

Many thanks in advance for clarification
Dieter

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,716 questions
0 comments No comments
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.