Certificate bloat?
We have a new PKI environment where we have auto-enrollment set up for users and computers. What we quickly noticed is that there can be many user certificates for the same user. When userX logs onto computerA, a certificate (let's say #1) is granted for the user. When userX logs onto a different computer, computerB, another certificate is granted for that user (let's say certificate #2). This repeats itself for each different server/computer that the user logs onto.
In our environment this may result in some users (admins) having hundreds of user certificates granted. Is this normal for environments that have both user and computer auto-enroll enabled? Are there any potential problems with such a scenario?
Is there a limit to the number of certificates that can be issued? Either a hard limit on the database, or is it just a size problem (disk size, that is)? Is there a number where things start to get "wonky"?
Is there a way to tell what user certificate is associated with what computer logon? Or do you even care about such a thing?
I know that credential roaming is a potential solution to this problem, but I have been told that there are even bigger problems that credential roaming may cause.
July 19th, 2012 5:45pm
Hi,
You can reconfigure the certificate template to not enroll a certificate if the user already has one.
See the certificate template General tab, check "Publish certificate in Active Directory" and "Do not automatically reenroll if a duplicate certificate exists in Active Directory".
I can't answer your question of whether multiple issues are an issue. It depends on how you use them. If you use them for encryption it is clearly an issue.
A CA can handle thousands of certificates. So if you think about 10,000 users with 30 certificates of 4k each, you have 1.1 GB of data.
The CA does not track where the certificate request came from. Sorry.
If you use your certificates for data or e-mail encryption, make sure to configure a (or better, 2) key recovery agent on the CA to keep a backup of all private keys.
Good luck!
Lutz
July 19th, 2012 6:55pm
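The two template checkboxes named in the answer above are bits of the template's msPKI-Enrollment-Flag attribute in the AD configuration partition. The following is an added example, not code from the thread or from any of the posters, that reads a template and reports whether both bits are set; the bit values are taken from the MS-CRTD specification, the template name 'User' is an assumed placeholder, and the ActiveDirectory module and read access to the configuration partition are assumed.

```powershell
# Added example: verify the auto-enrollment duplicate-check settings on a certificate template.
# Bit values per MS-CRTD msPKI-Enrollment-Flag:
#   0x08 = CT_FLAG_PUBLISH_TO_DS                             ("Publish certificate in Active Directory")
#   0x10 = CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE  ("Do not automatically reenroll if a duplicate
#                                                              certificate exists in Active Directory")
#   0x20 = CT_FLAG_AUTO_ENROLLMENT                            (template is offered to autoenrollment at all)
Import-Module ActiveDirectory

$CT_FLAG_PUBLISH_TO_DS                             = 0x00000008
$CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE = 0x00000010
$CT_FLAG_AUTO_ENROLLMENT                           = 0x00000020

function Get-TemplateReenrollSettings {
    param([Parameter(Mandatory)][string]$TemplateName)   # the template's cn, e.g. 'User' (assumed name)

    # Templates live under the Public Key Services container of the configuration partition.
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $t = Get-ADObject -SearchBase $base -LDAPFilter "(cn=$TemplateName)" `
                      -Properties 'msPKI-Enrollment-Flag','displayName'
    if (-not $t) { throw "Template '$TemplateName' not found under $base" }

    $flags     = [int]$t.'msPKI-Enrollment-Flag'
    $publishes = [bool]($flags -band $CT_FLAG_PUBLISH_TO_DS)
    $checksAD  = [bool]($flags -band $CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE)

    [pscustomobject]@{
        Template         = $t.displayName
        AutoEnroll       = [bool]($flags -band $CT_FLAG_AUTO_ENROLLMENT)
        PublishToAD      = $publishes
        NoReenrollIfInAD = $checksAD
        # The duplicate check can only find an existing certificate if the template also publishes to AD,
        # so only the combination of both bits actually stops the per-computer duplicates.
        DuplicateCheckEffective = ($publishes -and $checksAD)
    }
}

Get-TemplateReenrollSettings -TemplateName 'User' | Format-List
```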
I think you should configure the Credential Roaming Service. In this case certificates will move along with the user regardless of which computer the user logs on to.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
July 20th, 2012 7:49am
I know I can publish to AD and then have the certificate template check for an existing certificate. But then you have AD bloat, as opposed to certificate bloat. Of the two, I'd rather have certificate bloat for sure. Credential roaming has the same AD bloat problem.
Other than encryption, which we are not using, is there another problem with duplicate certificates? I can't think of one off the top of my head, hence the reason for asking on here.
July 23rd, 2012 2:40pm
Can you explain what you want?
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
July 24th, 2012 5:32am
> Can you explain what you want?
I just want to know if there are any downsides or problems associated with having many duplicate user certificates. I know about the encryption problem, but we are not using certificates for encryption, so that won't affect us.
I do not want to publish the certificates into AD, so I cannot use the credential roaming solution. I just want to know if there is a problem with a user having many user certificates.
July 24th, 2012 10:43am
> I just want to know if there are any downsides or problems associated with having many duplicate user certificates
If there are too many certificates, then replication traffic (and replication delays) may significantly increase. At some point the replication may stop working:
http://blogs.technet.com/b/askds/archive/2011/09/23/the-pdce-with-too-much-to-do.aspx
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
July 24th, 2012 11:07am
> > I just want to know if there are any downsides or problems associated with having many duplicate user certificates
> If there are too many certificates, then replication traffic (and replication delays) may significantly increase. At some point the replication may stop working:
> http://blogs.technet.com/b/askds/archive/2011/09/23/the-pdce-with-too-much-to-do.aspx
That problem was dealing with replication within Active Directory when you publish the certificates to Active Directory, which is something that I do *not* want to do. There will not be any replication if I'm not publishing the certificates to AD.
My concern is whether or not there are problems with the issuing CA having too many certificates in total, or more specifically, if there are problems in having duplicate user certificates (other than for encryption, which isn't an issue in my environment).
July 24th, 2012 4:46pm
> My concern is whether or not there are problems with the issuing CA having too many certificates in total
No problems, except you will experience only performance/delay issues during service stop/start. During normal workload, CA database size is almost irrelevant, because the CA reads the database by pages. Is this your question?
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
July 24th, 2012 5:03pm
> > My concern is whether or not there are problems with the issuing CA having too many certificates in total
> No problems, except you will experience only performance/delay issues during service stop/start. During normal workload, CA database size is almost irrelevant, because the CA reads the database by pages. Is this your question?
Yes, that more or less covers it. Thank you.
July 24th, 2012 6:15pm
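Since the thread settles on "the CA database size itself is not the problem", the remaining question is how many still-valid certificates each user actually holds, because every unexpired duplicate is a private key on some workstation that needs protecting and, if that key is lost, revoking. The following is an added example, not code from the thread or from the posters, that exports the issued-certificate view from the CA database with certutil and counts certificates per requester; it assumes it runs on the CA (or a host with certutil and read access to the CA database), and the template filter, threshold and output path are assumed placeholders.

```powershell
# Added example: count issued and still-unexpired certificates per requester on an AD CS issuing CA,
# to measure the "one certificate per logon computer" duplication described in the question.
param(
    [string]$Template = 'User',                 # template name or OID substring to filter on (assumption)
    [int]$Threshold   = 10,                     # report requesters holding more than this many unexpired certs
    [string]$CsvPath  = "$env:TEMP\issued.csv"  # scratch file for the certutil export (assumption)
)

# Disposition 20 = issued. The -out list uses CA database column names understood by certutil -view.
& certutil.exe -view -restrict "Disposition=20" `
    -out "RequestID,RequesterName,CertificateTemplate,NotAfter" csv |
    Out-File -FilePath $CsvPath -Encoding ascii
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed with exit code $LASTEXITCODE" }

# certutil writes its own (localized) header line first; skip it and apply fixed column names.
$rows = Get-Content $CsvPath | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header 'RequestID','Requester','Template','NotAfter'

$now = Get-Date
$report = $rows |
    Where-Object { $_.Template -like "*$Template*" } |   # V2 templates show up as an OID string, hence -like
    Group-Object -Property Requester |
    ForEach-Object {
        # NotAfter is locale-formatted by certutil, so parse with the current culture.
        $valid = @($_.Group | Where-Object { [datetime]::Parse($_.NotAfter) -gt $now })
        [pscustomobject]@{
            Requester = $_.Name
            Issued    = $_.Count        # everything ever issued for this requester, expired included
            Unexpired = $valid.Count    # certificates whose private keys are still live somewhere
        }
    } |
    Sort-Object -Property Unexpired -Descending

# The requesters over the threshold are the "hundreds of user certificates" admins from the question;
# each row is a candidate for a key-protection review or for the template duplicate check discussed above.
$report | Where-Object { $_.Unexpired -gt $Threshold } | Format-Table -AutoSize
```

The CA does not record which computer a request came from, as noted above, so this report shows how many certificates a user holds but not where each private key lives.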