Revoke or remove receiver's certificates from sender's computer

Certificates are deployed by Active Directory and are set to expire every 12 months.  The certificates are automatically created for each computer that a user logs into.

Our issue is this: our users log onto several different computers at 5 different locations in Florida.  When the user is sent an email from another user within our company it's a crapshoot if they'll be able to open an encrypted email because it seems the sender is using one of the many certs of the receiver.  The receiver only has one cert on the computer they're logged into, thus, the user cannot open the email because the sender is using one of the certs created for another computer.

Example Below:

User A logs into computer 1 and a cert is created in AD and downloaded to that computer.

User A then logs into computer 2 and again a new cert is created in AD and downloaded to that computer.

User B emails User A while User A is logged into computer 1 and User A can't open the encrypted email because User B's computer used User A's cert from computer 2.

Hope this makes sense.

Any suggestions or help would be greatly appreciated.  Please note that we must continue to use the Microsoft Certificate system and not any 3rd party application or hardware, so please don't tell us to buy something.

FSYR (Director of IT) asked.

Paranormastic (Cryptographic Engineer) commented:
Be aware of what you are doing by revoking the certs.  Email encryption is tied to the certs - this is what you are experiencing.  Make sure to have a method in place prior to revoking these certificates (e.g. copy/paste into a document and then store in an encrypted folder or encrypted zip file).  Otherwise that data may be lost forever.  Revoking a cert works differently than an expired cert - those will still decrypt after expiry, just not encrypt new things, so they have a chance to be migrated to a new cert.  When you revoke them they should pop out of AD after the next CRL is issued.

Alternatively, you could keep the certificates valid and just manually remove them from AD, if you have a relatively small number of affected cert users.  In ADUC highlight your domain and select View - Advanced Features.  Now when you search the user account there will be a few extra tabs, one of which is "Published Certificates" - here you can add or remove certificates that are advertised automatically in AD.

If a user installed it manually and is not connected to your AD, then they will need to just go into the Certificates MMC and remove it manually.  If there is a larger number of people then you could consider using a script.

A couple of good articles:

More than anyone ever wanted to know about certificate revocation:
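The "Published Certificates" tab the answer refers to is the userCertificate attribute on the user object, and senders pick the encryption certificate from there. The script below is an added example, not code from the thread or from Microsoft: run on the workstation the user is sitting at, it lists every certificate published for that account, flags the one whose private key actually exists on this machine, and with -Remove unpublishes the others so senders stop picking keys that live on a different box. It assumes the RSAT ActiveDirectory module is installed; the parameter names and the backup folder are this example's own choices.

```powershell
# Added example (not from the thread). Report, and optionally unpublish, the
# certificates listed on a user's "Published Certificates" tab (userCertificate),
# keeping only the one whose private key is on the workstation running the script.
# Assumptions: RSAT ActiveDirectory module present; run as the affected user on
# their own workstation; $SamAccountName / $Remove are this example's parameters.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [switch]$Remove   # without -Remove the script only reports
)

Import-Module ActiveDirectory
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'   # EKU "Secure Email" (S/MIME)

# Private keys stay on the box they were generated on, so the certificates in this
# user's Personal store that carry a private key are the only ones usable here.
$localThumbs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    Select-Object -ExpandProperty Thumbprint

$user   = Get-ADUser -Identity $SamAccountName -Properties userCertificate
$report = @()

foreach ($raw in $user.userCertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)

    # Only touch S/MIME certificates; leave logon or other published certs alone.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $isEmail = $false
    if ($eku) {
        $isEmail = ($eku.EnhancedKeyUsages | Select-Object -ExpandProperty Value) -contains $SecureEmailOid
    }
    $keyHere = $localThumbs -contains $cert.Thumbprint

    $report += [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        SecureEmail = $isEmail
        KeyOnThisPC = $keyHere
        Action      = if ($isEmail -and -not $keyHere) { 'unpublish' } else { 'keep' }
    }

    # Unpublishing only edits the AD attribute: the private key on the other
    # workstation is untouched, so mail already encrypted to it is still readable there.
    if ($Remove -and $isEmail -and -not $keyHere -and
        $PSCmdlet.ShouldProcess($cert.Thumbprint, 'Remove from userCertificate')) {
        Set-ADUser -Identity $user -Remove @{ userCertificate = [byte[]]$raw }
    }
}

$report | Format-Table -AutoSize
```

Run it first without -Remove (or with -WhatIf) to see what would change. It only solves the "sender picks the wrong key" half of the problem for the box the user is on; if the same user later logs onto computer 2 and autoenrollment issues yet another certificate there, that new one is published again, which is why the second answer recommends turning autoenrollment off for these templates.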
Paranormastic (Cryptographic Engineer) commented:
The best and generally easiest solution would be using smartcards as they are portable - however this does not meet your needs that you stated at the end.

The problem comes down to the fact that private keys are generated during the initial certificate request, and stay on the hardware that they were generated on - e.g. smartcard or in your case the workstation box.  So they don't follow the user - they are tied to the user account on the box they were requested on.

Generically speaking, the best way to handle this in your case would be to turn off autoenrollment on the email certificate templates.  If you have some users that don't use multiple boxes and some that do, you might consider making a couple new AD groups "Email Autoenrollment" and "No Email Autoenrollment" or something similar, then set read and enroll for the no autoenroll group, and read enroll and autoenroll for the autoenroll allowed group.

Then the user will need to go to http://CAServerName/certsrv and take the first option on both pages, then select the desired email template to request the certificate.

You can then open up Certificates MMC and view their Personal store and export the certificate including private key to a .pfx file.  That file can then be copied to another location to be imported into that new box instead of requesting another cert.

Note that to export the certificate it should be an encryption only certificate - no digital signatures.  If you want signing certs then just make another template and that can be done on each workstation without issue.
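The export/import step in the last three paragraphs can be scripted so the user carries one key pair between workstations instead of enrolling a fresh one on each. The script below is an added example and not the expert's or Microsoft's own code: in Export mode it refuses anything that is not an encryption-only certificate (key usage KeyEncipherment without DigitalSignature, as the answer recommends) and writes a password-protected .pfx; in Import mode it loads that .pfx into the user's Personal store and deletes the file. It assumes the PKI module (Windows 8 / Server 2012 or later); the -Mode, -PfxPath and -Thumbprint parameters are this example's own.

```powershell
# Added example (not from the thread). Roam an S/MIME encryption certificate and
# its private key between workstations via a password-protected .pfx.
# Assumptions: PKI module available (Windows 8 / Server 2012+); the template
# allowed the private key to be exported; parameters are this example's own.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Export', 'Import')][string]$Mode,
    [Parameter(Mandatory)][string]$PfxPath,
    [string]$Thumbprint   # required for Export: the cert in Cert:\CurrentUser\My
)

Import-Module PKI
$Pass = Read-Host -AsSecureString -Prompt 'PFX password'

function Test-EncryptionOnly {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Only roam keys meant for encryption; a signing key should stay on one machine.
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku) { return $false }
    $enc = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    $sig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    return ((($ku.KeyUsages -band $enc) -ne 0) -and (($ku.KeyUsages -band $sig) -eq 0))
}

switch ($Mode) {
    'Export' {
        if (-not $Thumbprint) { throw 'Export needs -Thumbprint' }
        $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
        if (-not $cert.HasPrivateKey) {
            throw "No private key for $Thumbprint on this machine; export from the box that enrolled it"
        }
        if (-not (Test-EncryptionOnly $cert)) {
            throw 'Refusing to export: certificate is not encryption-only'
        }
        # BuildChain includes the issuing CA certs so the import verifies cleanly.
        Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Pass -ChainOption BuildChain | Out-Null
        Write-Host "Exported $Thumbprint to $PfxPath. Move it over an encrypted channel and delete the copy afterwards."
    }
    'Import' {
        # -Exportable keeps the key exportable so it can be moved to a third workstation later.
        $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
                                          -Password $Pass -Exportable
        Write-Host "Imported $($imported.Thumbprint) into the Personal store; the private key now works here."
        # The .pfx holds the private key: do not leave it lying on disk or a share.
        Remove-Item -Path $PfxPath -Force
    }
}
```

Export-PfxCertificate fails with an access error if the template that issued the certificate did not tick "Allow private key to be exported", so check the template before rolling this out. Because the same key pair is now on several machines, the certificate published in AD stays valid on every one of them, which removes the "wrong cert" symptom the question describes without revoking anything.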
FSYR (Director of IT, author) commented:
Will revoking all certificates remove the certificates from all the workstations, including the certificates that are stored in the Other People store?