We have found the solution above as only a temporary fix. We have this problem on DOD builds of Vista ENT SP2 and XP SP3. 1. If users outside the domain send one of the "bad" certificates the problem starts over for the recipient. 2. If a user in your domain has an old email or contact with the Entrust certificate and forwards or replies it you will again have the "bad" certificates. 3. This fix only works for the currently logged in user profile, so if another profile on the machine has the "bad" certificates you are back where you started. It still resides on the EXCH server in the emails and contacts. 4. We still have commercial web sites that need these certificates to work properly so now what? The real fix is for the always behind the times tech DOD to fix their certificate.