Solved

Revoke or remove receiver's certificates from sender's computer

Posted on 2009-04-01
Last Modified: 2012-06-21
Certificates are deployed by Active Directory and are set to expire every 12 months.  The certificates are automatically created for each computer that a user logs into.

Our issue is this: our users log onto several different computers at 5 different locations in Florida.  When a user is sent an email from another user within our company it's a crapshoot whether they'll be able to open an encrypted email, because it seems the sender is using one of the many certs of the receiver.  The receiver only has one cert on the computer they're logged into; thus, the user cannot open the email because the sender is using one of the certs created for another computer.

Example Below:

User A logs into computer 1 and a cert is created in AD and downloaded to that computer.

User A then logs into computer 2 and again a new cert is created in AD and downloaded to that computer.

User B emails User A while User A is logged into computer 1, and User A can't open the encrypted email because User B's computer used User A's cert from computer 2.

Hope this makes sense.

Any suggestions or help would be greatly appreciated.  Please note that we must continue to use the Microsoft Certificate system and not any 3rd party application or hardware, so please don't tell us to buy something.

Thanks!!!!!!!!!!
Question by:FSYR
4 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24039137
The best and generally easiest solution would be using smartcards as they are portable - however this does not meet your needs that you stated at the end.

The problem comes down to the fact that private keys are generated during the initial certificate request, and stay on the hardware that they were generated on - e.g. smartcard or, in your case, the workstation box.  So they don't follow the user - they are tied to the user account on the box they were requested on.

Generically speaking, the best way to handle this in your case would be to turn off autoenrollment on the email certificate templates.  If you have some users that don't use multiple boxes and some that do, you might consider making a couple new AD groups "Email Autoenrollment" and "No Email Autoenrollment" or something similar, then set read and enroll for the no autoenroll group, and read enroll and autoenroll for the autoenroll allowed group.

Then the user will need to go to http://CAServerName/certsrv and take the first option on both pages, then select the desired email template to request the certificate.

You can then open up Certificates MMC and view their Personal store and export the certificate including private key to a .pfx file.  That file can then be copied to another location to be imported into that new box instead of requesting another cert.

Note that to export the certificate it should be an encryption only certificate - no digital signatures.  If you want signing certs then just make another template and that can be done on each workstation without issue.
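The export/import step described above, as an added example that is not code from the thread: on the workstation where the encryption cert was enrolled, export it with its private key to a password-protected .pfx, then import that file into the user's Personal store on the second workstation. It assumes the PKI module cmdlets (Windows 8 / Server 2012 and later), a template that allows the private key to be exported, and placeholder paths.

```powershell
# Added example, not from the original thread. Moves an email encryption
# certificate and its private key between workstations via a .pfx file.
# Assumes Export-PfxCertificate / Import-PfxCertificate (PKI module) and a
# template with "allow private key to be exported"; paths are placeholders.
$EmailProtectionOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection EKU

function Export-EmailEncryptionCert {
    param(
        [Parameter(Mandatory = $true)][string]$ExportDir,
        [Parameter(Mandatory = $true)][securestring]$Password
    )
    # Candidates: in the user's Personal store, still valid, with a private
    # key on this box and the Secure Email EKU (the S/MIME encryption cert).
    $certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EmailProtectionOid })
    }
    foreach ($c in $certs) {
        $out = Join-Path $ExportDir ("{0}.pfx" -f $c.Thumbprint)
        try {
            # Fails when the template did not mark the key exportable, which is
            # why an encryption-only template is used for this (see above).
            Export-PfxCertificate -Cert $c -FilePath $out -Password $Password -ChainOption BuildChain | Out-Null
            Write-Output $out
        } catch {
            Write-Warning ("Could not export {0}: {1}" -f $c.Thumbprint, $_.Exception.Message)
        }
    }
}

function Import-EmailEncryptionCert {
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][securestring]$Password
    )
    # Into the user's Personal store, so mail encrypted to this cert now
    # decrypts on this workstation as well as on the one it was enrolled on.
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $Password
}

# Usage (placeholder paths): run the export on computer 1, the import on computer 2.
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Export-EmailEncryptionCert -ExportDir 'C:\Temp\pfx' -Password $pw
# Import-EmailEncryptionCert -PfxPath 'C:\Temp\pfx\<thumbprint>.pfx' -Password $pw
```

Delete the .pfx from the transfer location once the import succeeds, since it carries the private key.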
 
LVL 1

Author Comment

by:FSYR
ID: 24039407
Will revoking all certificates remove the certificates from all the workstations?  Including the certificates that are stored in Other People?
 
LVL 31

Accepted Solution

by: Paranormastic (earned 500 total points)
ID: 24040426
Be aware of what you are doing by revoking the certs.  Email encryption is tied to the certs - this is what you are experiencing.  Make sure to have a method in place prior to revoking these certificates (e.g. copy/paste into a document and then store in an encrypted folder or encrypted zip file).  Otherwise that data may be lost forever.  Revoking a cert works differently than an expired cert - those will still decrypt after expiry, just not encrypt new things, so they have a chance to be migrated to a new cert.  When you revoke them they should pop out of AD after the next CRL is issued.

Alternatively, you could keep the certificates valid and just manually remove them from AD, if you have a relatively small number of affected cert users.  In ADUC highlight your domain and select View - Advanced Features.  Now when you search the user account there will be a few extra tabs, one of which is "Published Certificates" - here you can add or remove certificates that are advertised automatically in AD.

If a user installed it manually and is not connected to your AD, then they will need to just go into the Certificates MMC and remove it manually.  If there is a larger number of people then you could consider using a script.

A couple good articles:
http://support.microsoft.com/kb/179380
http://www.tech-faq.com/implementing-public-key-infrastructure.shtml

More than anyone ever wanted to know about certificate revocation:
http://technet.microsoft.com/en-us/library/cc700843.aspx
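The "manually remove them from AD" step above, as an added example that is not code from the thread: the Published Certificates tab edits the multi-valued userCertificate attribute on the user object, so the same cleanup can be scripted for many users. It keeps only the cert whose private key lives on the workstation the user actually reads mail from and removes every other published cert. It assumes the ActiveDirectory module (RSAT) and rights to modify the account; the account name and thumbprint are placeholders.

```powershell
# Added example, not from the original thread. Removes stale certificates
# advertised on a user's AD account (the userCertificate attribute behind
# the "Published Certificates" tab). Nothing on any workstation is touched,
# so mail already encrypted to the removed certs still decrypts there.
# Assumes the ActiveDirectory module; names passed in are placeholders.
function Remove-StalePublishedCerts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        # Thumbprint of the one cert senders should keep using.
        [Parameter(Mandatory = $true)][string]$KeepThumbprint
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
    $removed = @()
    foreach ($raw in @($user.userCertificate)) {
        $bytes = [byte[]]$raw
        # Decode the DER blob so thumbprint, subject and expiry can be read.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        if ($cert.Thumbprint -eq $KeepThumbprint) {
            Write-Verbose ("Keeping {0} (expires {1})" -f $cert.Thumbprint, $cert.NotAfter)
            continue
        }
        $what = "remove published cert {0} ({1}, expires {2})" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter
        if ($PSCmdlet.ShouldProcess($SamAccountName, $what)) {
            # -Remove matches on the exact encoded value stored in AD.
            Set-ADUser -Identity $user -Remove @{ userCertificate = $bytes }
            $removed += $cert.Thumbprint
        }
    }
    return $removed
}

# Dry run first (-WhatIf only lists what would go), then run it for real.
# 'usera' and the thumbprint are placeholders.
Remove-StalePublishedCerts -SamAccountName 'usera' -KeepThumbprint 'PLACEHOLDER_THUMBPRINT' -WhatIf -Verbose
```

Senders cache the recipient's cert in their Outlook contacts and Other People store, so after the AD cleanup they may still encrypt to an old cert until that cached copy is replaced.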