Solved

Revoke or remove receiver's certificates from sender's computer

Posted on 2009-04-01
4
338 Views
Last Modified: 2012-06-21
Certificates are deployed by Active Directory and are set to expire every 12 months.  The certificates are automatically created for each computer that a user logs into.

Our issue is this: our users log onto several different computers at 5 different locations in Florida. When the user is sent an email from another user within our company it's a crapshoot if they'll be able to open an encrypted email because it seems the sender is using one of the many certs of the receiver. The receiver only has one cert on the computer they're logged into, thus the user cannot open the email because the sender is using one of the certs created for another computer.

Example Below:

User A logs into computer 1 and a cert is created in AD and downloaded to that computer.

User A then logs into computer 2 and again a new cert is created in AD and downloaded to that computer

User B emails User A while User A is logged into computer 1 and User A can't open the encrypted email because User B's computer used User A's cert from computer 2.

Hope this makes sense.

Any suggestions or help would be greatly appreciated. Please note that we must continue to use the Microsoft Certificate system and not any 3rd party application or hardware, so please don't tell us to buy something.

Thanks!!!!!!!!!!
Question by:FSYR
4 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24039137
The best and generally easiest solution would be using smartcards as they are portable - however this does not meet your needs that you stated at the end.

The problem comes down to the fact that private keys are generated during the initial certificate request, and stay on the hardware that they were generated on - e.g. smartcard or in your case the workstation box. So they don't follow the user - they are tied to the user account on the box they were requested on.

Generically speaking, the best way to handle this in your case would be to turn off autoenrollment on the email certificate templates.  If you have some users that don't use multiple boxes and some that do, you might consider making a couple new AD groups "Email Autoenrollment" and "No Email Autoenrollment" or something similar, then set read and enroll for the no autoenroll group, and read enroll and autoenroll for the autoenroll allowed group.

Then the user will need to go to http://CAServerName/certsrv and take the first option on both pages, then select the desired email template to request the certificate.

You can then open up Certificates MMC and view their Personal store and export the certificate including private key to a .pfx file.  That file can then be copied to another location to be imported into that new box instead of requesting another cert.

Note that to export the certificate it should be an encryption only certificate - no digital signatures.  If you want signing certs then just make another template and that can be done on each workstation without issue.
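The manual Certificates MMC export described above can be scripted. The following PowerShell is an added example, not code from this thread or from Microsoft: it lists the Secure Email certificates in the current user's Personal store, flags which ones are encryption-only (key encipherment without digital signature, the kind the comment says should be exported) and which actually carry a private key on this workstation, then exports one to a password-protected PFX and imports it on the user's other box. It assumes Windows PowerShell 3.0 or later with the PKI module (Windows 8 / Server 2012 or later) and an email template that was issued with private key export allowed; the function names, the `$SecureEmailEku` constant and the sample paths are mine.

```powershell
# Added example (not from the thread). Assumes the PKI module (Windows 8 / Server 2012+)
# and a template that permits private key export. Run as the mailbox user.

# id-kp-emailProtection: the Secure Email EKU carried by S/MIME certificates
$SecureEmailEku = '1.3.6.1.5.5.7.3.4'
$KuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

function Get-EmailCertificate {
    # Lists Secure Email certs in Cert:\CurrentUser\My with the two facts that
    # matter for moving them: is there a private key here, and is the cert
    # encryption-only (safe to copy around) rather than a signing cert.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $SecureEmailEku
    } | ForEach-Object {
        $kuExt = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
        }
        $ku = if ($kuExt) { $kuExt.KeyUsages } else { $KuFlags::None }
        $encipher = [int]($ku -band $KuFlags::KeyEncipherment) -ne 0
        $signs    = [int]($ku -band $KuFlags::DigitalSignature) -ne 0
        [pscustomobject]@{
            Subject        = $_.Subject
            Thumbprint     = $_.Thumbprint
            NotAfter       = $_.NotAfter
            HasPrivateKey  = $_.HasPrivateKey
            KeyUsage       = $ku
            EncryptionOnly = $encipher -and -not $signs
        }
    }
}

function Export-EmailCertificate {
    # Exports one certificate plus its private key to a password-protected PFX.
    # Fails early if the key is not on this box (the cert was enrolled elsewhere).
    param(
        [Parameter(Mandatory)] [string]       $Thumbprint,
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in this store; export it on the workstation where it was enrolled."
    }
    # BuildChain includes the issuing CA chain so the other workstation can validate it.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password -ChainOption BuildChain | Out-Null
    Get-Item -Path $PfxPath
}

function Import-EmailCertificate {
    # Run on the second workstation: puts the same cert and key into that
    # user's Personal store, so no new certificate is requested there.
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $Password
}

# Usage (interactive; thumbprint and path are placeholders):
# Get-EmailCertificate | Format-Table -AutoSize
# $pw = Read-Host -AsSecureString -Prompt 'PFX password'
# Export-EmailCertificate -Thumbprint '<thumbprint from the listing>' -PfxPath "$env:USERPROFILE\email-enc.pfx" -Password $pw
# Import-EmailCertificate -PfxPath "$env:USERPROFILE\email-enc.pfx" -Password $pw
```

Whether the private key is exportable is decided by the template at enrollment time, not by this script: `Export-PfxCertificate` simply fails on a non-exportable key, which is the check the first comment is relying on when it says to make the email template encryption-only and keep signing certs on a separate, per-workstation template. Delete the PFX after the import, since it carries the decryption key for every message encrypted to that certificate.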
 
LVL 1

Author Comment

by:FSYR
ID: 24039407
Will revoking all certificates remove the certificates from all the workstations? Including the certificates that are stored in Other People?
 
LVL 31

Accepted Solution

by:Paranormastic (earned 500 total points)
ID: 24040426
Be aware of what you are doing by revoking the certs. Email encryption is tied to the certs - this is what you are experiencing. Make sure to have a method in place prior to revoking these certificates (e.g. copy/paste into a document and then store in an encrypted folder or encrypted zip file). Otherwise that data may be lost forever. Revoking a cert works differently than an expired cert - those will still decrypt after expiry, just not encrypt new things, so they have a chance to be migrated to a new cert. When you revoke them they should pop out of AD after the next CRL is issued.

Alternatively, you could keep the certificates valid and just manually remove them from AD, if you have a relatively small number of affected cert users.  In ADUC highlight your domain and select View - Advanced Features.  Now when you search the user account there will be a few extra tabs, one of which is "Published Certificates" - here you can add or remove certificates that are advertised automatically in AD.

If a user installed it manually and is not connected to your AD, then they will need to just go into the Certificates MMC and remove it manually. If there is a larger number of people then you could consider using a script.

A couple good articles:
http://support.microsoft.com/kb/179380
http://www.tech-faq.com/implementing-public-key-infrastructure.shtml

More than anyone ever wanted to know about certificate revocation:
http://technet.microsoft.com/en-us/library/cc700843.aspx
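The "Published Certificates" tab in ADUC edits the user object's `userCertificate` attribute, which is where Outlook picks up a recipient's encryption certificate from the GAL, so a stale entry there is exactly what makes User B's machine encrypt to the wrong key. For the "larger number of people" case the answer mentions, this is an added PowerShell example (mine, not from the thread) that lists what is published for a user and removes every entry except the thumbprints the user still holds a private key for, with a `-WhatIf` preview first. It assumes the ActiveDirectory module (RSAT or Server 2008 R2 and later) and write access to the user objects; the function names and the sample account are mine, and the behaviour of `Set-ADUser -Remove` with a byte array value is taken from how it is commonly used with `userCertificate`, not from anything on this page.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and
# rights to modify the target user objects. Preview with -WhatIf before applying.
Import-Module ActiveDirectory

function Get-PublishedEmailCertificate {
    # Decodes each DER blob in userCertificate so thumbprints and validity can be
    # compared with what the user actually has in their Personal store.
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
    foreach ($raw in @($user.userCertificate)) {
        # The leading comma passes the byte[] as a single constructor argument.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Expired    = $cert.NotAfter -lt (Get-Date)
            Raw        = [byte[]]$raw
        }
    }
}

function Remove-StalePublishedCertificate {
    # Removes every published certificate whose thumbprint is not in $KeepThumbprint
    # (pass the thumbprints the user holds a private key for, e.g. from the
    # Certificates MMC on their workstation). Nothing is revoked: the certs stay
    # valid, they just stop being advertised, so old mail still decrypts.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $KeepThumbprint
    )
    $stale = Get-PublishedEmailCertificate -SamAccountName $SamAccountName |
        Where-Object { $KeepThumbprint -notcontains $_.Thumbprint }
    foreach ($c in $stale) {
        $target = "$SamAccountName : $($c.Thumbprint) (expires $($c.NotAfter))"
        if ($PSCmdlet.ShouldProcess($target, 'Remove from userCertificate')) {
            # Assumed usage: -Remove with the exact raw blob deletes that one value.
            Set-ADUser -Identity $SamAccountName -Remove @{ userCertificate = $c.Raw }
        }
    }
    $stale | Select-Object Thumbprint, Subject, NotAfter, Expired
}

# Usage (placeholders for the account and thumbprint):
# Get-PublishedEmailCertificate -SamAccountName 'usera' | Format-Table Thumbprint, NotAfter, Expired
# Remove-StalePublishedCertificate -SamAccountName 'usera' -KeepThumbprint '<thumbprint kept>' -WhatIf
# Remove-StalePublishedCertificate -SamAccountName 'usera' -KeepThumbprint '<thumbprint kept>'
```

Run the listing for a handful of affected users first: several entries with overlapping validity periods and the same subject is the signature of the per-workstation autoenrollment the question describes. Removing from `userCertificate` fixes what senders pick up from the GAL; a sender who has already cached a stale copy in their own Other People store, as the author asked about, still needs that local copy cleaned out, which this script does not do.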
