We are transitioning to a new internal PKI. During the initial phases we have identified that when two machine authentication certificates it sometimes chooses the certificate from the old PKI. Some investigation revealed that the machines that were using the old PKI cert seem to have renewed certs with a newer date than the cert issued from the new PKI. My question is how does windows 7 and XP (seem to be working the same) choose which cert to use when there are two potential certitrficates? Is it simply by the one with the newest issued date? We have ruled out the expiry date because the old PKI exires before the new PKI certs even on renewed certs. Note: We are using machine certificates to authenticate devices (802.1x) Thanks, Dave