I am looking to understand the userCertificate attribute role. The networks I work with use smart card authentication, and the userCertificate attribute tends to get filled up with expired smart cards and, at times, third-party encryption certificates.
Two questions:
- Is there a good white paper or deep-dive discussion on the role this attribute plays in email or other encryption in a Windows environment?
- When performing encryption based on the certificates in the userCertificate attribute, what is the process for choosing which certificate to use when more than one is neither expired nor revoked?
My assumption is that the userCertificate attribute is purely for public key encryption and is used to look up a user's public key to encrypt a message. If they have more than one certificate, I am not sure how the right one gets selected.
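As an added illustration (not part of the original post), the script below pulls every value from a user's userCertificate attribute and classifies each one by validity period, Enhanced Key Usage and Key Usage, so an administrator can see how much of the attribute is expired smart-card clutter versus plausible S/MIME encryption certificates. It assumes the ActiveDirectory PowerShell module on a domain-joined host; the account name `jdoe` is a placeholder, and the filtering rules are this example's own assumptions, not a description of how any particular mail client makes its choice.

```powershell
# Added example: inventory the certificates stored in a user's userCertificate
# attribute and flag which ones are still plausible S/MIME encryption targets.
# Assumes the ActiveDirectory module; 'jdoe' below is a placeholder account.
Import-Module ActiveDirectory

$SecureEmailEku    = '1.3.6.1.5.5.7.3.4'          # id-kp-emailProtection
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'     # Microsoft Smart Card Logon
$KuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

function Get-CertificateSummary {
    param([byte[]]$Der)   # one raw DER value from the multi-valued attribute
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Der)
    $ekus = @()
    $ku   = $KuFlags::None
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        } elseif ($ext -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]) {
            $ku = $ext.KeyUsages
        }
    }
    $now = Get-Date
    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        Expired     = ($cert.NotAfter -lt $now) -or ($cert.NotBefore -gt $now)
        SmartCard   = $ekus -contains $SmartCardLogonEku
        SecureEmail = $ekus -contains $SecureEmailEku
        # RSA encryption certs carry KeyEncipherment; ECDH ones carry KeyAgreement
        EncUsage    = ($ku -band ($KuFlags::KeyEncipherment -bor $KuFlags::KeyAgreement)) -ne 0
    }
}

function Get-UserCertificateReport {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
    foreach ($der in $user.userCertificate) {
        $row = Get-CertificateSummary -Der $der
        # Assumed rule for this example: unexpired, e-mail EKU, and an
        # encryption-capable key usage. Revocation is NOT checked here.
        $row | Add-Member -NotePropertyName EncryptionCandidate -PassThru `
            -NotePropertyValue ((-not $row.Expired) -and $row.SecureEmail -and $row.EncUsage)
    }
}

Get-UserCertificateReport -SamAccountName 'jdoe' | Sort-Object NotAfter -Descending | Format-Table -AutoSize
```

The report only narrows the set; revocation status still has to be checked separately (for example with `certutil -verify` against the exported certificate), and more than one row can remain a candidate.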