Revoke or remove receiver's certificates from sender's computer

Posted on 2009-04-01
Last Modified: 2012-06-21
Certificates are deployed by Active Directory and are set to expire every 12 months.  The certificates are automatically created for each computer that a user logs into.

Our issue is this: our users log onto several different computers at 5 different locations in Florida.  When the user is sent an email from another user within our company it's a crapshoot if they'll be able to open an encrypted email because it seems the sender is using one of the many certs of the receiver.  The receiver only has one cert on the computer they're logged into, thus, the user cannot open the email because the sender is using one of the certs created for another computer.

Example Below:

User A logs into computer 1 and a cert is created in AD and downloaded to that computer.

User A then logs into computer 2 and again a new cert is created in AD and downloaded to that computer.

User B emails User A while User A is logged into computer 1, and User A can't open the encrypted email because User B's computer used User A's cert from computer 2.

Hope this makes sense.

Any suggestions or help would be greatly appreciated.  Please note that we must continue to use the Microsoft Certificate system and not any 3rd party application or hardware, so please don't tell us to buy something.

Question by: FSYR

Expert Comment

ID: 24039137
The best and generally easiest solution would be using smartcards as they are portable - however this does not meet your needs that you stated at the end.

The problem comes down to the fact that private keys are generated during the initial certificate request, and stay on the hardware that they were generated on - e.g. smartcard or in your case the workstation box.  So they don't follow the user - they are tied to the user account on the box they were requested on.

Generically speaking, the best way to handle this in your case would be to turn off autoenrollment on the email certificate templates.  If you have some users that don't use multiple boxes and some that do, you might consider making a couple new AD groups "Email Autoenrollment" and "No Email Autoenrollment" or something similar, then set read and enroll for the no autoenroll group, and read enroll and autoenroll for the autoenroll allowed group.

Then the user will need to go to http://CAServerName/certsrv and take the first option on both pages, then select the desired email template to request the certificate.

You can then open up Certificates MMC and view their Personal store and export the certificate including private key to a .pfx file.  That file can then be copied to another location to be imported into that new box instead of requesting another cert.

Note that to export the certificate it should be an encryption only certificate - no digital signatures.  If you want signing certs then just make another template and that can be done on each workstation without issue.
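The export/import step described in the comment above, written out as an added PowerShell example (this is not the expert's own script). It assumes Windows PowerShell 4.0 or later with the PKI module (`Export-PfxCertificate` / `Import-PfxCertificate`), a template that allows the private key to be exported, and placeholder values for the export folder and recipient address. The last function shows what the sender's "Other People" store (the `AddressBook` store in the Cert: drive) holds for a recipient, which is where the duplicate certificates the question describes show up.

```powershell
# Added example, not part of the original answer. Assumes PowerShell 4.0+ with the
# PKI module and an e-mail template with "Allow private key to be exported" enabled.
# 1.3.6.1.5.5.7.3.4 is the Secure Email enhanced key usage OID.

$secureEmailOid = '1.3.6.1.5.5.7.3.4'

function Get-EmailEncryptionCert {
    # The user's own certificates that can decrypt mail on this workstation:
    # Secure Email EKU present and the private key actually stored here.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and (
            $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $secureEmailOid }
        )
    }
}

# --- On the workstation where the certificate was originally enrolled ---------
$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx file' -AsSecureString
$exportDir   = Join-Path $env:USERPROFILE 'cert-export'   # assumption: any folder the user controls
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

foreach ($cert in Get-EmailEncryptionCert) {
    $file = Join-Path $exportDir ("email-{0}.pfx" -f $cert.Thumbprint)
    Export-PfxCertificate -Cert $cert -FilePath $file -Password $pfxPassword | Out-Null
    "{0} expires {1:yyyy-MM-dd} -> {2}" -f $cert.Thumbprint, $cert.NotAfter, $file
}

# --- On the second workstation, after copying the .pfx there ------------------
# Importing the same key pair means mail encrypted to this certificate opens on
# both machines, so there is no reason to enroll a second certificate.
# Import-PfxCertificate -FilePath $file -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

# --- On the sender's workstation: which certificates are cached for a recipient?
# "Other People" in the Certificates MMC is the AddressBook store. More than one
# entry for an address means the sender may encrypt to a certificate whose key
# the recipient does not have where they are logged in; compare the Thumbprint
# column with the export above.
function Get-RecipientCert {
    param([Parameter(Mandatory)][string]$EmailAddress)   # e.g. usera@example.com (placeholder)
    Get-ChildItem -Path Cert:\CurrentUser\AddressBook | Where-Object {
        $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false) -eq $EmailAddress
    } | Select-Object Thumbprint, NotBefore, NotAfter, Subject
}

# Get-RecipientCert -EmailAddress 'usera@example.com'
```

Keep the .pfx file and its password out of mail and shared folders once the import is done; anyone holding that file can decrypt everything encrypted to the certificate.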

Author Comment

ID: 24039407
Will revoking all certificates remove the certificates from all the workstations, including the certificates that are stored in Other People?
Accepted Solution

Paranormastic earned 500 total points
ID: 24040426
Be aware of what you are doing by revoking the certs.  Email encryption is tied to the certs - this is what you are experiencing.  Make sure to have a method in place prior to revoking these certificates (e.g. copy/paste into a document and then store in an encrypted folder or encrypted zip file).  Otherwise that data may be lost forever.  Revoking a cert works differently than an expired cert - those will still decrypt after expiry, just not encrypt new things, so they have a chance to be migrated to a new cert.  When you revoke them they should pop out of AD after the next CRL is issued.

Alternatively, you could keep the certificates valid and just manually remove them from AD, if you have a relatively small number of affected cert users.  In ADUC highlight your domain and select View - Advanced Features.  Now when you search the user account there will be a few extra tabs, one of which is "Published Certificates" - here you can add or remove certificates that are advertised automatically in AD.

If a user installed it manually and is not connected to your AD, then they will need to just go into the Certificates MMC and remove it manually.  If there is a larger number of people then you could consider using a script.

A couple good articles:

More than anyone ever wanted to know about certificate revocation:
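The manual clean-up in the accepted solution (the "Published Certificates" tab, and removing stale copies from the Certificates MMC) as an added PowerShell example; it is not the expert's script. The "Published Certificates" tab edits the user's `userCertificate` attribute, so the functions below read that attribute with the ActiveDirectory (RSAT) module, keep the one certificate whose .pfx the user now carries, and remove the rest; the last function drops the stale cached copies from a sender's "Other People" store. The account name and the thumbprint to keep are placeholders, and `-WhatIf` lets you see what would be removed before changing anything.

```powershell
# Added example, not part of the original answer. Assumes the ActiveDirectory
# module (RSAT), write access to the user's userCertificate attribute, and
# PowerShell 3.0+ (Remove-Item on the Cert: drive). Account name and thumbprint
# below are placeholders.

Import-Module ActiveDirectory

function Get-PublishedCert {
    # Certificates shown on the user's "Published Certificates" tab.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
    foreach ($raw in $user.userCertificate) {
        # Each attribute value is one DER-encoded certificate.
        New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
    }
}

function Remove-StalePublishedCert {
    # Unpublish every certificate except the one the user still holds the key for.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$KeepThumbprint,
        [switch]$WhatIf
    )
    foreach ($cert in Get-PublishedCert -SamAccountName $SamAccountName) {
        if ($cert.Thumbprint -eq $KeepThumbprint) { continue }
        Write-Host ("Unpublishing {0} (expires {1:yyyy-MM-dd}) for {2}" -f $cert.Thumbprint, $cert.NotAfter, $SamAccountName)
        # -Remove needs the exact stored value, so hand the original DER bytes back.
        Set-ADUser -Identity $SamAccountName -Remove @{ userCertificate = $cert.RawData } -WhatIf:$WhatIf
    }
}

function Remove-StaleRecipientCert {
    # On a sender's workstation (run as the logged-on user): delete cached copies
    # of the recipient's other certificates so Outlook uses the published one.
    param(
        [Parameter(Mandatory)][string]$EmailAddress,
        [Parameter(Mandatory)][string]$KeepThumbprint,
        [switch]$WhatIf
    )
    Get-ChildItem -Path Cert:\CurrentUser\AddressBook | Where-Object {
        $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false) -eq $EmailAddress -and
        $_.Thumbprint -ne $KeepThumbprint
    } | Remove-Item -WhatIf:$WhatIf
}

# Dry run first, then repeat without -WhatIf:
# Remove-StalePublishedCert -SamAccountName 'usera' -KeepThumbprint 'THUMBPRINT-FROM-EXPORT' -WhatIf
# Remove-StaleRecipientCert -EmailAddress 'usera@example.com' -KeepThumbprint 'THUMBPRINT-FROM-EXPORT' -WhatIf
```

Unpublishing leaves the certificates valid, so old mail encrypted to them still opens on the workstation that holds the matching key; that is the point of the expert's alternative to revocation.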
