Limit the number of a user's certificates (in PKI)

We are using PKI in our organization. Although it has been set up for domain users to receive their certificates through Active Directory automatically, they can also request email encryption and signature certificates through web enrollment and the website. Now we must limit each user to have only one certificate for email encryption and one for email signature. I mean users should not have more than one certificate for each of the features. I could not find anything that helps me limit users' certificate requests! How can we limit users to receive one and only one certificate based on their requests?
Thanks

November 24th, 2009 5:50am

If you're publishing the certificates to Active Directory you can enable the Do not automatically reenroll if a duplicate certificate exists in Active Directory option on the certificate template.

You can also use an add-on management tool like Microsoft's own Certificate Lifecycle Manager. Since you're using autoenrollment you may also want to look at Credential Roaming, which will help solve the problem whereby autoenrollment will issue a new certificate to a user whenever they move to a different computer.
November 24th, 2009 7:24am

If the option "Do not automatically reenroll if a duplicate certificate exists in Active Directory" is enabled in the certificate template, the user will not receive a new certificate after the autoenrollment of the first certificate, which will be available in Issued Certificates.

You have to stop the web enrollment of the SMIME certificate; the certificate needs to be enrolled through autoenrollment.

May 27th, 2015 2:55am
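
One way to check the settings discussed in this thread, as an added example that is not part of any post: the PowerShell below reads the template flag behind the "Do not automatically reenroll if a duplicate certificate exists in Active Directory" option and lists users whose AD object already holds more than one unexpired Secure Email certificate. The function names are hypothetical, the flag values are the msPKI-Enrollment-Flag bits documented in [MS-CRTD], and it assumes PowerShell 5 or later with the RSAT ActiveDirectory module.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example, not from the thread. Read-only; changes nothing in AD.
Import-Module ActiveDirectory

# msPKI-Enrollment-Flag bits as defined in [MS-CRTD]
$PublishToDs     = 0x08   # publish issued certificates to Active Directory
$CheckUserDsCert = 0x10   # do not reenroll if a duplicate exists in AD

# Report, per template, whether the two settings named in the thread are on.
function Get-TemplateDuplicateCheck {
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                 -Properties 'msPKI-Enrollment-Flag' |
        ForEach-Object {
            $f = [int]$_.'msPKI-Enrollment-Flag'
            [pscustomobject]@{
                Template       = $_.Name
                PublishedToAD  = [bool]($f -band $PublishToDs)
                DuplicateCheck = [bool]($f -band $CheckUserDsCert)
            }
        }
}

# List users whose userCertificate attribute holds more than one unexpired
# Secure Email certificate for signing or for encryption.
# Revocation is not checked here; that needs the CA database or a CRL.
function Get-DuplicateMailCertificate {
    $secureEmail = '1.3.6.1.5.5.7.3.4'   # Secure Email EKU
    $now = Get-Date
    Get-ADUser -LDAPFilter '(userCertificate=*)' -Properties userCertificate |
        ForEach-Object {
            $user = $_; $sig = 0; $enc = 0
            foreach ($raw in $user.userCertificate) {
                $cert = [X509Certificate2]::new([byte[]]$raw)
                if ($cert.NotAfter -lt $now) { continue }
                $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
                if (-not $eku -or $eku.EnhancedKeyUsages.Value -notcontains $secureEmail) { continue }
                $ku = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
                if ([int]$ku.KeyUsages -band [int][X509KeyUsageFlags]::DigitalSignature) { $sig++ }
                if ([int]$ku.KeyUsages -band [int][X509KeyUsageFlags]::KeyEncipherment)  { $enc++ }
            }
            if ($sig -gt 1 -or $enc -gt 1) {
                [pscustomobject]@{ User = $user.SamAccountName; Signature = $sig; Encryption = $enc }
            }
        }
}

Get-TemplateDuplicateCheck   | Sort-Object Template | Format-Table -AutoSize
Get-DuplicateMailCertificate | Format-Table -AutoSize
```

The second report only sees certificates that were published to Active Directory, so it is meaningful for templates where `PublishedToAD` is true.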

This topic is archived. No further replies will be accepted.
