Avatar of jbla9028
Flag for United States of America asked on

User Certificate Auto Enrollment fails when certificate is to be stored in AD

I am working on auto-enrollment of PKI certificates. I got everything working but when I auto-enroll the user certificate, the certificate is not auto-enrolled when this checkbox is enabled. If I uncheck it on the template, the user gets a new certificate. I'm assuming there's a certificate somewhere in AD I might have to clear out? Any help would be appreciated.

Template Properties
Windows Server 2012Active Directory

Avatar of undefined
Last Comment
Rahul Ramachandran

8/22/2022 - Mon

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

Thanks. In the article I see this:

"Note: If the CA administrator configured the templates to not duplicate certificates if one already exists in Active Directory, you will have to delete the user’s certificate in Active Directory in order for Autoenrollment to pull down a new certificate."

How do I delete the user's certificate? where does it get stored? I figured under "user mappings" but I don't see anything there.
Rahul Ramachandran

For deleting DC certificates follow the below steps

1) While logged on as a member of the local Administrators group, start the Microsoft Management console.

2) Add the Certificates MMC Snap-In.

3) Select Computer Account when prompted to select an account to manage.

In the Certificates MMC Snap-In, navigate to Personal in the left pane.

4) In the right pane, determine the domain controller certificate(s) by the template name as shown in the Certificate Templates column or select the certificate(s) by their intended purpose.

5) Delete the certificate(s) by selecting Delete on the Action menu.

6) Close the MMC Snap-In and log off.

User Certificates are stored in the below location (Local).

in Run type certmgr.msc
under personal - certificates
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.