In our organization, we have a number of third-party vendors that we must interact with using client certificates. We'd like to be able to assign certificates/keys to a particular Active Directory user, so that:

- Users don't have to know or care how to install a certificate; the certificates they need are installed for them, e.g. upon login
- We can audit expiration of these client certificates to ensure that administrators request new ones as appropriate
- When an employee leaves the company, they don't have a copy of the key material that they can take with them and continue to access the third party

Is this something that can be done with some part of Active Directory? Is this even something we should try to do?