How many certs per machine

Just for clarification, we notice in our CA that in issued certificates there will often be many certs issued for a computer. They are different request numbers and serial numbers so they are individual certs that are being issued. But we see some computers that have up to 100 certificates issued for a computer that are active. The computer certs are being successfully pushed out by GP.

So the question is, is this unusual to have so many certs issued per computer? Shouldn't there be only 1 or a couple?

Thanks

February 27th, 2015 3:13pm

Are all the certificates active (not expired)? It does sound pretty strange that the computer is getting that many certificates.

What type of certificate is it?

What is it used for?

What is special about those computers? (Do they get imaged frequently?) Typically when your hardware IDs change (like a new motherboard or CPU), or multiple users log in, you may see multiple certificates being issued...

Is there an enhanced write filter enabled or some sort of deep freeze program? The certificate may be getting wiped out somehow and that's why the CA is reissuing a certificate...

February 27th, 2015 3:42pm

Thanks.

All of these certs are active. They are regular computer certs used to authenticate computer accounts and there are no hardware changes. We do the normal SCCM network scans but other than that everything is static. I surmise from your response that this is rather unusual.

February 27th, 2015 3:54pm

It is. I'll reach out to one of my certificate guys and see if he knows if there is a silver bullet to your issue. Stay tuned...
February 27th, 2015 4:20pm

I spoke with my CA guy and he stated that it is not normal for that many certificates to be issued to the workstation.

Are you deploying the certificates to the workstation or the user?

Also, what is your build process for building your systems? Do you capture and deploy or do you build the new systems? I am wondering if you captured a system during build process and it somehow is generating a certificate for that system multiple times?

He also is asking if you are locking down the registry via group policy or other means? Locking the registry down may cause the certificate not to be registered. Auto-enrollment will issue a certificate each time it is requested by a client. It's typically not the CA that is the problem. It's ALL client.

February 27th, 2015 4:38pm
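As an added example (not from the thread or any reply in it), the following PowerShell script runs `certutil -view` against the CA database to count active issued certificates per requester, so computers with an unusual number of live certs, as described above, stand out for investigation. It assumes the `certutil -out` column names used below, that Disposition 20 means "issued", that the CA's date strings parse with the current culture, and a threshold of 5 certs as the cut-off.

```powershell
# Added example: report requesters holding many active (unexpired) issued certificates.
# Assumptions (not from the thread): run on the CA, or pass -CAConfig "host\CA Name";
# certutil column names RequestID, RequesterName, CertificateTemplate, NotBefore, NotAfter;
# Disposition=20 selects issued certs; dates parse with the current culture.
param(
    [string]$CAConfig = "",        # e.g. "CA-HOST\CA-NAME" (placeholder, not a real CA)
    [int]$Threshold = 5,           # flag requesters at or above this many active certs
    [string]$Template = ""         # optional substring filter on template name/OID
)

$cfgArg = if ($CAConfig) { @("-config", $CAConfig) } else { @() }
$cols   = "RequestID,RequesterName,CertificateTemplate,NotBefore,NotAfter"

# certutil emits a header row, the data rows, then a trailing status line.
# Skip its header and apply our own names so the script does not depend on
# localized display names; drop any row whose RequestID is not numeric.
$rows = & certutil @cfgArg -view -restrict "Disposition=20" -out $cols csv 2>$null |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID,RequesterName,CertificateTemplate,NotBefore,NotAfter |
        Where-Object { $_.RequestID -match '^\d+$' }

$now = Get-Date
$active = $rows | Where-Object {
    [datetime]::Parse($_.NotAfter) -gt $now -and
    (-not $Template -or $_.CertificateTemplate -like "*$Template*")
}

# Group by requester (machine account for computer templates) and summarize.
$report = $active | Group-Object RequesterName |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $issued = $_.Group | ForEach-Object { [datetime]::Parse($_.NotBefore) }
        $span   = (($issued | Measure-Object -Maximum).Maximum -
                   ($issued | Measure-Object -Minimum).Minimum).TotalDays
        [pscustomobject]@{
            Requester    = $_.Name
            ActiveCerts  = $_.Count
            Templates    = ($_.Group.CertificateTemplate | Sort-Object -Unique) -join ';'
            FirstIssued  = ($issued | Measure-Object -Minimum).Minimum
            LastIssued   = ($issued | Measure-Object -Maximum).Maximum
            # Certs per day over the issuance window hints at a re-enrollment loop.
            CertsPerDay  = if ($span -gt 0) { [math]::Round($_.Count / $span, 2) } else { $_.Count }
        }
    } | Sort-Object ActiveCerts -Descending

$report | Format-Table -AutoSize
```

A high CertsPerDay for a single requester, all on the same template, matches the "one cert per client access" pattern the original poster describes and points at the client's enrollment behaviour rather than the CA.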

Thanks. Most of the certificates being created are attached to file servers that provide services to users. It is as if every time a client accesses a server for a service, it is causing a certificate to be generated for that server. The autoenrollment policies in Group Policy seem to be correct. Any ideas?
March 6th, 2015 4:21pm

Hi,

The way I see it, it is rather unusual that there are up to 100 computer certificates with the same key usage for just one computer. Would you check the computer to see if there is anything special about it?

If there is any third-party software installed, I suggest you disable it to see if computer certificates continue getting enrolled.

Best Regards,

March 9th, 2015 12:12pm

Hi,

Do you have any progress at the moment?

Best Regards,

Amy

March 11th, 2015 10:41pm
