I am currently implementing an EAP-TLS Wi-Fi implementation to replace our EAP-MSCHAPv2 Wi-Fi implementation. I am using Windows Server 2008 and I've installed a certificate authority. User certificates are pushed using group policy. A wireless network policy is pushed using group policy as well. Everything works fine and connecting to Wi-Fi all works on the clients.
I did notice that the CA server creates a new user certificate for every device that logs on to the domain. So, let's assume you have two laptops and they both log on to the domain as the same user: they will both have a unique user certificate installed. Even though it all works fine and this does not cause any problems, I am really wondering what the whole idea behind this is.
I would expect that every user has one certificate and, if a new device logs on to the domain, the same certificate will be issued. If a laptop gets stolen, it's easy to revoke the user certificate and create a new one. In the current scenario I need to figure out which certificate needs to be revoked, and that feels wrong to me. People mentioned to me that this gives more "enterprise" flexibility; however, I still don't see the point. If you want to have multiple user certificates for whatever reason (e.g. to use them for different scenarios), this can easily be solved using a different sub-CA, and that feels like a proper solution to me. In addition to that, certificates are used to authenticate a user. If you implemented the same reasoning/logic using username/password systems (e.g. every laptop has a different password for the same user), people would think that this is very stupid.
So, I am missing the whole point of this. Can someone clarify why this is? Is it possible to implement this in a way that the CA will reissue the same certificate to every device that authenticates to the domain using the same user name?
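The revocation step the question describes ("figure out which certificate needs to be revoked") can be scripted against the CA database. The example below is added here and is not part of the original question; it assumes it is run as a CA administrator on the issuing CA, that the requester name `CONTOSO\jdoe` and the serial number in `$KeepSerials` are placeholders, and that the "keep" list was collected beforehand on each laptop the user still has (with `Get-ChildItem Cert:\CurrentUser\My` or `certutil -user -store My`). Because autoenrollment generates a separate key pair on each device, the private key on the stolen laptop never existed on the others, so revoking only that device's certificate leaves the remaining laptops working.

```powershell
# Added example, not from the original post. Revoke every issued certificate
# for one user EXCEPT the ones still present on devices the user still has.
# Run on the issuing CA with CA administrator rights.
param(
    # Domain account whose certificates were autoenrolled (placeholder value)
    [string]$Requester = 'CONTOSO\jdoe',

    # Serial numbers still in use on surviving laptops (placeholder value).
    # Collect on each remaining device with:
    #   Get-ChildItem Cert:\CurrentUser\My | Select-Object SerialNumber, Subject
    [string[]]$KeepSerials = @('610000000a1b2c3d4e5f000000000000000a'),

    # Report what would be revoked without changing anything
    [switch]$WhatIf
)

# Disposition 20 = "issued". Pull every issued row the CA recorded for this
# requester; -out limits the printed columns to what we need.
$raw = certutil -view -restrict "RequesterName=$Requester,Disposition=20" `
                -out "RequestID,SerialNumber,NotAfter" 2>&1

# certutil prints one 'Serial Number: "<hex>"' line per row; extract them.
$issued = [regex]::Matches(($raw -join "`n"), 'Serial Number:\s*"([0-9a-fA-F]+)"') |
          ForEach-Object { $_.Groups[1].Value.ToLower() }

if (-not $issued) {
    Write-Host "No issued certificates found for $Requester"
    return
}

# Anything issued to the user that is not on a surviving device is treated as
# belonging to the lost laptop.
$keep     = $KeepSerials | ForEach-Object { $_.ToLower() }
$toRevoke = $issued | Where-Object { $keep -notcontains $_ }

Write-Host ("Issued: {0}  Keeping: {1}  Revoking: {2}" -f `
            $issued.Count, ($issued.Count - $toRevoke.Count), $toRevoke.Count)

foreach ($serial in $toRevoke) {
    if ($WhatIf) {
        Write-Host "Would revoke $serial (reason: KeyCompromise)"
        continue
    }
    # Reason code 1 = KeyCompromise, the right reason for a stolen device
    certutil -revoke $serial 1
}

# Publish a fresh CRL so NPS/RADIUS stops accepting the revoked certificate
# once it refreshes its copy of the CRL.
if (-not $WhatIf -and $toRevoke) {
    certutil -CRL
}
```

Run it first with `-WhatIf` and compare the reported count against the number of devices the user actually lost; if more certificates would be revoked than expected, the keep list is incomplete, not the CA. Note that the CA database only records the requesting user, not the machine, which is why the surviving devices have to be inventoried rather than the CA queried for "the stolen laptop's certificate".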