Revoke or remove receivers certificates from senders computer

Posted on 2009-04-01
Medium Priority
Last Modified: 2012-06-21
Certificates are deployed by Active Directory and are set to expire every 12 months. The certificates are automatically created for each computer that a user logs into.

Our issue is this: our users log onto several different computers at 5 different locations in Florida. When a user is sent an email from another user within our company, it's a crapshoot whether they'll be able to open an encrypted email, because it seems the sender is using one of the many certs of the receiver. The receiver only has one cert on the computer they're logged into, thus the user cannot open the email because the sender is using one of the certs created for another computer.

Example Below:

User A logs into computer 1 and a cert is created in AD and downloaded to that computer.

User A then logs into computer 2 and again a new cert is created in AD and downloaded to that computer.

User B emails User A while User A is logged into computer 1, and User A can't open the encrypted email because User B's computer used User A's cert from computer 2.

Hope this makes sense.

Any suggestions or help would be greatly appreciated. Please note that we must continue to use the Microsoft Certificate system and not any 3rd party application or hardware, so please don't tell us to buy something.

Question by:FSYR
LVL 31

Expert Comment

ID: 24039137
The best and generally easiest solution would be using smartcards, as they are portable; however, this does not meet the needs you stated at the end.

The problem comes down to the fact that private keys are generated during the initial certificate request and stay on the hardware they were generated on, e.g. the smartcard or, in your case, the workstation box. So they don't follow the user; they are tied to the user account on the box they were requested on.

Generically speaking, the best way to handle this in your case would be to turn off autoenrollment on the email certificate templates. If you have some users that don't use multiple boxes and some that do, you might consider making a couple of new AD groups, "Email Autoenrollment" and "No Email Autoenrollment" or something similar, then set Read and Enroll for the no-autoenroll group, and Read, Enroll and Autoenroll for the autoenroll-allowed group.

Then the user will need to go to http://CAServerName/certsrv and take the first option on both pages, then select the desired email template to request the certificate.

You can then open up the Certificates MMC, view their Personal store and export the certificate including the private key to a .pfx file. That file can then be copied to another location to be imported on the new box instead of requesting another cert.

Note that to export the certificate it should be an encryption-only certificate, with no digital signature usage. If you want signing certs, then just make another template, and that can be done on each workstation without issue.
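The export/import step from the comment above, scripted in PowerShell. This is an added example, not code from the original answer or from Microsoft: it exports the user's e-mail encryption certificate with its private key to a .pfx on the first workstation and imports it on the next one, refusing to export a certificate whose Key Usage includes DigitalSignature (the answer's "encryption only" caveat). It assumes the certificate template marks the private key as exportable (otherwise the Export call throws, which the script reports), and that the thumbprint, .pfx path and password are supplied by whoever runs it; the function names and parameters are this example's own.

```powershell
# Added example (not from the original post). Assumes an exportable private key
# and that $Thumbprint / $PfxPath / $Password are supplied by the operator.

function Export-EmailEncryptionCert {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate $Thumbprint in CurrentUser\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this workstation" }

    # Only the encryption certificate should travel; anything that can sign stays on one box.
    $ku   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $sign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    if ($ku -and (($ku.KeyUsages -band $sign) -ne 0)) {
        throw "Certificate $Thumbprint allows DigitalSignature; export only the encryption-only certificate"
    }

    try {
        $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
        $bytes   = $cert.Export($pfxType, $Password)   # private key included, password-protected
    }
    catch [System.Security.Cryptography.CryptographicException] {
        throw "Private key for $Thumbprint is not exportable; re-issue it from a template that allows export. $_"
    }
    [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
    return $cert.Thumbprint
}

function Import-EmailEncryptionCert {
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )
    # PersistKeySet keeps the private key on disk after import; UserKeySet stores it
    # under the current user's profile, matching what certsrv enrollment would do.
    $ksf   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
    $flags = $ksf::PersistKeySet -bor $ksf::UserKeySet
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($PfxPath, $Password, $flags)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)      # lands in the Personal store, same as the MMC import wizard
    $store.Close()
    return $cert.Thumbprint
}

# Usage (placeholders, not real values):
#   On workstation 1, logged in as the user:
#     $pw = Read-Host -AsSecureString 'PFX password'
#     Export-EmailEncryptionCert -Thumbprint '<thumbprint from Cert:\CurrentUser\My>' `
#                                -PfxPath "$env:USERPROFILE\mail-enc.pfx" -Password $pw
#   On workstation 2, logged in as the same user:
#     Import-EmailEncryptionCert -PfxPath '<copied path>\mail-enc.pfx' -Password $pw
```

The .pfx carries the private key, so treat the file like a password: move it over a channel only that user can read and delete the copy once it has been imported on the second box.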

Author Comment

ID: 24039407
Will revoking all certificates remove the certificates from all the workstations, including the certificates that are stored in Other People?
LVL 31

Accepted Solution

Paranormastic earned 2000 total points
ID: 24040426
Be aware of what you are doing by revoking the certs. Email encryption is tied to the certs; this is what you are experiencing. Make sure to have a method in place prior to revoking these certificates (e.g. copy/paste into a document and then store in an encrypted folder or encrypted zip file). Otherwise that data may be lost forever. Revoking a cert works differently than an expired cert: expired ones will still decrypt after expiry, just not encrypt new things, so there is a chance to migrate to a new cert. When you revoke them they should pop out of AD after the next CRL is issued.

Alternatively, you could keep the certificates valid and just manually remove them from AD, if you have a relatively small number of affected cert users. In ADUC, highlight your domain and select View - Advanced Features. Now when you search the user account there will be a few extra tabs, one of which is "Published Certificates"; here you can add or remove certificates that are advertised automatically in AD.

If a user installed it manually and is not connected to your AD, then they will need to just go into the Certificates MMC and remove it manually. If there is a larger number of people then you could consider using a script.

A couple of good articles:

More than anyone ever wanted to know about certificate revocation:
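The two clean-ups the accepted solution describes, scripted for the "larger number of people" case. This is an added example, not code from the original answer: the first function lists what the "Published Certificates" tab shows (the multi-valued userCertificate attribute on the user object) and, when told to apply, removes every published certificate except the thumbprint the user will carry around as a .pfx; the second function removes stale copies of those same certificates from the local "Other People" store (CurrentUser\AddressBook), which is where a sender's Outlook caches a correspondent's certificate. It uses ADSI via .NET rather than the ActiveDirectory module, so it needs nothing beyond PowerShell. It assumes the caller has write access to the target user object, and that the sAMAccountName and the thumbprint to keep are supplied by the operator; the function names and parameters are this example's own.

```powershell
# Added example (not from the original post). Assumes write access to the user object;
# $SamAccountName and $KeepThumbprint are supplied by the operator. Without -Apply it
# only reports what it would remove.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [Parameter(Mandatory = $true)][string]$KeepThumbprint,
    [switch]$Apply
)

function Get-UserEntry([string]$sam) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No user with sAMAccountName '$sam'" }
    return $hit.GetDirectoryEntry()
}

# Prunes userCertificate on the AD user object; returns the thumbprints removed (or that
# would be removed without -Apply), so the same list can be used for the local store.
function Remove-StalePublishedCertificates([string]$sam, [string]$keep, [bool]$apply) {
    $user    = Get-UserEntry $sam
    $values  = @($user.Properties['userCertificate'])   # one DER byte[] per published cert
    $removed = @()
    foreach ($raw in $values) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        $action = if ($cert.Thumbprint -eq $keep) { 'keep  ' } else { 'remove' }
        Write-Host ("{0} {1}  {2}  expires {3}" -f $action, $cert.Thumbprint, $cert.Subject, $cert.NotAfter)
        if ($cert.Thumbprint -ne $keep) {
            $removed += $cert.Thumbprint
            if ($apply) { $user.Properties['userCertificate'].Remove($raw) }
        }
    }
    if ($apply -and $removed.Count -gt 0) { $user.CommitChanges() }
    return ,$removed
}

# Run this part on each sender's workstation: drops cached copies of the pruned
# certificates from "Other People" so Outlook stops picking the wrong one.
function Remove-CachedOtherPeopleCertificates([string[]]$thumbprints, [bool]$apply) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'AddressBook', 'CurrentUser'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $count = 0
    foreach ($cert in @($store.Certificates)) {        # @() snapshots before removing
        if ($thumbprints -contains $cert.Thumbprint) {
            Write-Host ("cached copy {0}  {1}" -f $cert.Thumbprint, $cert.Subject)
            if ($apply) { $store.Remove($cert) }
            $count++
        }
    }
    $store.Close()
    return $count
}

$stale = Remove-StalePublishedCertificates $SamAccountName $KeepThumbprint $Apply.IsPresent
Write-Host ("{0} published certificate(s) {1}" -f $stale.Count, $(if ($Apply) { 'removed from AD' } else { 'would be removed (re-run with -Apply)' }))
if ($stale.Count -gt 0) {
    $n = Remove-CachedOtherPeopleCertificates $stale $Apply.IsPresent
    Write-Host ("{0} cached copy(ies) in Other People on this machine" -f $n)
}
```

Run it once without -Apply and read the list: the certificate you keep must be the one whose private key the user actually holds (the .pfx they carry), and any message already encrypted to a certificate you remove can still be decrypted only while that key exists somewhere, which is the same data-loss caveat the answer gives for revocation.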

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Know the reasons and solutions to move/import EDB to New Exchange Server. Also, find out how to recover an Exchange .edb file and to restore the file back.
The main intent of this article is to make you aware of ‘Exchange fail to mount’ error, its effects, causes, and solution.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question