
In our organization, we have a number of third-party vendors that we must interact with using client certificates. We'd like to be able to assign certificates/keys to a particular Active Directory user, so that:

  • Users don't have to know or care how to install a certificate; the certificates they need are installed for them e.g. upon login
  • We can audit expiration of these client certificates to ensure that administrators request new ones as appropriate
  • When an employee leaves the company, they don't have a copy of the key material that they can take with them and continue to access the third party

Is this something that can be done with some part of Active Directory? Is this even something we should try to do?

  • I don't believe there is anything built-in to AD/GPO that would permit this. Is using hardware-based keys an option for you? You could probably do some of this with scripts. There are probably also 3rd-party options. – Zoredache Dec 07 '18 at 23:52
  • `Is this something that can be done with some part of Active Directory?` No. `Is this even something we should try to do?`. If you are asking 'Why am I doing this?', the answer is probably no. `When an employee leaves the company, they don't have a copy of the key material that they can take with them and continue to access the third party`. Nope. That requirement is not possible and unnecessary. This is why there are certificate revocation lists. – Greg Askew Dec 08 '18 at 14:35

0 Answers
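A worked sketch of the "scripts" route Zoredache mentions, as an added example that is not code from the question or the commenters. It is a PowerShell logon script that covers the first two requirements (install the user's certificate for them, and record expiry so administrators can audit it) and shows why the third cannot be met in software. The share paths `\\fileserver\clientcerts` and `\\fileserver\certaudit`, the per-user `<username>.pfx` naming, and the `$PfxPassword` parameter handed in by the deployment mechanism are all assumptions, not anything stated on the page.

```powershell
<#
  Added example; not code from the question or the commenters.
  Assumptions (not stated on the page):
    - each user's PFX lives at \\fileserver\clientcerts\<username>.pfx
    - the PFX password is supplied to the script by the deployment
      mechanism (for example as a GPO logon-script parameter)
    - audit rows are written to \\fileserver\certaudit\<username>.csv
      for administrators to aggregate centrally
  Run in the user's context at logon (GPO User Configuration -> Scripts -> Logon).
#>
param(
    [string]$PfxShare   = '\\fileserver\clientcerts',   # assumed location
    [string]$AuditShare = '\\fileserver\certaudit',     # assumed location
    [securestring]$PfxPassword,                          # assumed, supplied out of band
    [int]$WarnDays = 30
)

Import-Module PKI -ErrorAction Stop

function Install-UserClientCert {
    param([string]$Path, [securestring]$Password)

    # Read the PFX first so the import is skipped when the cert is already present.
    $pfxData = Get-PfxData -FilePath $Path -Password $Password
    $thumb   = $pfxData.EndEntityCertificates[0].Thumbprint
    if (Test-Path "Cert:\CurrentUser\My\$thumb") {
        return Get-Item "Cert:\CurrentUser\My\$thumb"
    }

    # No -Exportable switch: the private key is marked non-exportable in the
    # user's store, which blocks "Export..." in certmgr and Export-PfxCertificate.
    # This is a software flag, not a hardware boundary: a local administrator or
    # a key-extraction tool can still recover a software key, which is why the
    # comments point at hardware-backed keys and at revocation for leavers.
    Import-PfxCertificate -FilePath $Path -Password $Password `
        -CertStoreLocation 'Cert:\CurrentUser\My'
}

function Get-ClientCertAudit {
    param([int]$WarnDays = 30)

    $now    = Get-Date
    $cutoff = $now.AddDays($WarnDays)

    Get-ChildItem 'Cert:\CurrentUser\My' |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            # The Exportable flag is only readable for CAPI (RSACryptoServiceProvider) keys.
            $exportable = 'unknown'
            $key = $_.PrivateKey
            if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
            [pscustomobject]@{
                User       = $env:USERNAME
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = [int]($_.NotAfter - $now).TotalDays
                Expiring   = ($_.NotAfter -le $cutoff)
                Expired    = ($_.NotAfter -le $now)
                Exportable = $exportable
            }
        }
}

# --- logon flow ---
$pfxPath = Join-Path $PfxShare "$env:USERNAME.pfx"
if ((Test-Path $pfxPath) -and $PfxPassword) {
    $null = Install-UserClientCert -Path $pfxPath -Password $PfxPassword
}

$audit = Get-ClientCertAudit -WarnDays $WarnDays
$audit | Export-Csv -Path (Join-Path $AuditShare "$env:USERNAME.csv") -NoTypeInformation

# Surface anything that needs an administrator's attention.
$audit | Where-Object { $_.Expiring -or $_.Exportable -eq $true } |
    Format-Table User, Subject, NotAfter, DaysLeft, Expired, Exportable -AutoSize
```

Administrators can then aggregate the per-user CSV files from the audit share and filter on `Expiring`, `Expired` or `Exportable` to drive renewal requests. Leaving out `-Exportable` is worth doing, but it only raises the bar; the page's commenters are right that the "can't take the key with them" requirement is met by keeping the key on a smart card or other hardware token, and by revoking the certificate when the employee leaves.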