
Active Directory User Object certificate store to personal certificate store


Rob McShinsky

Feb 25, 2005, 1:19:26 PM
Is there a way to move AD published certs from the Active Directory User
Object cert store to the Personal cert store so that these will follow a
user around from computer to computer so they can be utilized by
applications? At the current time we are not looking at autoenrolling
certificates because we want to have users create High Security certificates
that will require a password before the cert is used for client
authentication. I can see the certs in the AD User Object cert store for
the user logged in but they are not accessible from IE, at least with my
current knowledge. This is where our current PKI test application is. Is
there a GPO setting that will make these accessible within the Personal
store? Is there a way to have an application directly reference the AD User
Object cert store? Is there another programmatic/scripting way to utilize
these certs? Thanks for your guidance on this subject.

Rob McShinsky


S. Pidgorny <MVP>

Feb 26, 2005, 9:07:26 PM
Rob,

A password protects a private key, not the certificate.

Active Directory doesn't store private keys. The main goal of certificate
publishing in AD is to make the public key available to all other AD clients -
that facilitates S/MIME encryption without peer key exchange, for example.
When you're trying to utilise AD for private key storage, you're looking in
the wrong direction.

However, the keys and certificates are stored in the user profile - you can
have roaming profiles that will follow the users.

I recommend that you look into smart cards instead of "soft" certificates for
"High security".

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-


Rob McShinsky

Feb 28, 2005, 9:16:29 AM
So let me get this right. The certificates that are published to AD under
the "Published Certificates" tab in AD users and computers, are not able to
be used by applications? These are the certificates that show up in the
"Active Directory User Object cert store" within the Certificate MMC.

Rob



S. Pidgorny <MVP>

Mar 2, 2005, 4:29:16 AM
Applications can use the certificates that are stored in AD.
Applications cannot use private keys associated with the certificates
because those are not in the AD.

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

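To see the distinction Svyatoslav describes in practice, here is an added PowerShell example (not from this thread, and not a Microsoft tool). It assumes the RSAT ActiveDirectory module is installed and the session runs as a domain user: it decodes the certificates from the user's `userCertificate` attribute (what the "Published Certificates" tab and the "Active Directory User Object" store show) and checks which of them have a matching private key in the Personal store.

```powershell
# Added example: AD publishes public certificates only; private keys live in
# the user profile (Personal store). Assumes the RSAT ActiveDirectory module
# and a domain-joined session running as the user of interest.
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $env:USERNAME -Properties userCertificate

# userCertificate is a multi-valued byte[] attribute holding DER-encoded
# X.509 certificates. Decoding them yields public certs with no key material.
$published = foreach ($der in $user.userCertificate) {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
}

"--- Certificates published in AD for $($user.SamAccountName) ---"
$published |
    Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint |
    Format-Table -AutoSize
# HasPrivateKey is False for every entry here: AD never stores the key.

# The Personal store is what IE/Schannel and most client-auth apps consult.
# Keys and certs here are part of the roaming profile, so they follow the user.
"--- Personal store (Cert:\CurrentUser\My) ---"
$personal = Get-ChildItem Cert:\CurrentUser\My
$personal |
    Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint |
    Format-Table -AutoSize

# Cross-check: a published cert is usable for client authentication on this
# machine only if the same cert (by thumbprint) is in the Personal store
# together with its private key.
"--- Usability check ---"
foreach ($cert in $published) {
    $match  = $personal | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    $usable = ($null -ne $match) -and $match.HasPrivateKey
    "{0}  usable for client auth here: {1}" -f $cert.Subject, $usable
}
```

Copying a certificate out of the AD store into the Personal store does not change the outcome: without the private key the cert still cannot be used to authenticate.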

bam4ana

Jun 18, 2010, 8:44:15 AM
Hello Rob,

Have you solved the problem with AD certificate mapping?
I've tried to map the certificate (.der) for a specific user, but I cannot see
the certificate either in the user Personal store or in the Active Directory User
Object store.
The installation procedure was done using this link:
http://technet.microsoft.com/en-us/library/cc736781%28WS.10%29.aspx


Can you tell me please what I am doing wrong?
Thank you!