5 Multiple credential handling

5.1 Users with multiple DNs

Users who have multiple credentials, each with a different DN but a common UPN, will have their requests aggregated into a single account. The resultant derived credential will contain details from the UPN as stored in LDAP. This means that a user may get a different DN in their derived certificate than the one in the certificate they present for authentication.

5.2 Users with multiple devices

It is possible for a user to request and collect multiple sets of derived credentials.

Collecting multiple derived credentials to a Windows PC will result in the creation of multiple virtual smart cards, one for each set of credentials.

It is not possible to collect multiple sets of credentials to a mobile device. In this instance, the collection of the second set of credentials will cancel and replace the existing set of credentials. It is not possible to collect credentials to a mobile device that currently holds the derived credentials for another person.

5.3 Archived private key handling

It is possible to share a certificate between multiple devices. This is useful for encryption and decryption purposes.

To achieve this, ensure that a common certificate policy with an archived private key is available to all derived credential profiles. Set this certificate to Use Existing.

The first credential issued with this certificate policy will create a new certificate with a new private key. All subsequent issuances will recover that private key and use that instead of creating a new one.

Note: Only certificates initially issued by the SSRP system can be recovered by the SSRP system.
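The following is an added model of the rules in sections 5.1 to 5.3 (UPN aggregation, per-device collection behaviour, and archived key recovery under a Use Existing policy), written for this page and not the SSRP system's own code. Key identifiers, UPNs, DNs and the LDAP lookup table are constructed stand-ins.

```python
from dataclasses import dataclass, field
import itertools

# Constructed stand-in for real private keys: each fresh key is just a new counter value.
_key_counter = itertools.count(1)

# Constructed LDAP directory: the derived certificate's DN comes from here (5.1),
# not from the DN of the certificate presented for authentication.
LDAP_DN_BY_UPN = {
    "alice@example.com": "CN=Alice Smith,OU=Staff,DC=example,DC=com",
    "bob@example.com": "CN=Bob Jones,OU=Staff,DC=example,DC=com",
}


@dataclass
class Device:
    kind: str                 # "windows" (virtual smart cards) or "mobile"
    upn: str = ""             # owner of the credentials currently held, if any
    cards: list = field(default_factory=list)  # one entry per credential set held


class DerivedCredentialService:
    def __init__(self):
        self.accounts = {}       # upn -> DNs seen on authenticating certificates (5.1)
        self.archived_keys = {}  # upn -> archived encryption key under Use Existing (5.3)

    def request(self, auth_dn, upn):
        # 5.1: different DNs with a common UPN aggregate into one account.
        self.accounts.setdefault(upn, []).append(auth_dn)
        signing_key = next(_key_counter)          # a new key every issuance
        enc_key = self.archived_keys.get(upn)     # 5.3: recover the archived key ...
        if enc_key is None:                       # ... or create it on first issuance
            enc_key = self.archived_keys[upn] = next(_key_counter)
        return {"upn": upn, "dn": LDAP_DN_BY_UPN[upn],
                "signing_key": signing_key, "encryption_key": enc_key}

    def collect(self, device, creds):
        """Install a credential set on a device; returns how many sets it now holds."""
        if device.kind == "mobile":
            # 5.2: a mobile device never accepts another person's derived credentials
            if device.upn and device.upn != creds["upn"]:
                raise PermissionError("device holds derived credentials for another user")
            device.cards = [creds]            # second collection replaces the first
        else:
            device.cards.append(creds)        # one virtual smart card per set
        device.upn = creds["upn"]
        return len(device.cards)
```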