5 Multiple credential handling
5.1 Users with multiple DNs
Users who have multiple credentials, each with a different DN but a common UPN, will have their requests aggregated into a single account. The resultant derived credential will contain details from the UPN as stored in LDAP. This means that a user may get a different DN in their derived certificate than the one in the certificate they present for authentication.
5.2 Users with multiple devices
It is possible for a user to request and collect multiple sets of derived credentials.
Collecting multiple derived credentials to a Windows PC will result in the creation of multiple virtual smart cards, one for each set of credentials.
It is not possible to collect multiple sets of credentials to a mobile device. In this instance, the collection of the second set of credentials will cancel and replace the existing set of credentials. It is not possible to collect credentials to a mobile device that currently holds the derived credentials for another person.
5.3 Archived private key handling
It is possible to share a certificate between multiple devices. This is useful for encryption and decryption purposes.
To achieve this, ensure that a common certificate policy with an archived private key is available to all derived credential profiles. Set this certificate to Use Existing.
The first credential issued with this certificate policy will create a new certificate with a new private key. All subsequent issuances will recover that private key and use that instead of creating a new one.
Note: Only certificates initially issued by the SSRP system can be recovered by the SSRP system.
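The device-collection rules in 5.2 and the archived-key behaviour in 5.3, written out as a small Python model. This is an added illustrative example, not the product's code; the policy fields, the `KeyArchive` structure, the issuer label "SSRP" and the key handles are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class CertPolicy:
    name: str
    archive_key: bool    # private key is archived at issuance
    use_existing: bool   # the "Use Existing" setting described above


@dataclass
class KeyArchive:
    # upn -> (key_handle, issuing_system); constructed stand-in for the real archive
    entries: dict = field(default_factory=dict)


class RecoveryError(Exception):
    """Raised when an archived key exists but was not issued by this system."""


def issue(policy: CertPolicy, archive: KeyArchive, upn: str, issuer: str = "SSRP"):
    """Issue one certificate for `upn` under `policy`.
    Returns (key_handle, action) with action 'new' or 'recovered'."""
    if policy.archive_key and policy.use_existing and upn in archive.entries:
        key, original_issuer = archive.entries[upn]
        if original_issuer != "SSRP":   # only keys this system archived can be recovered
            raise RecoveryError(f"{upn}: key archived by {original_issuer}, not recoverable")
        return key, "recovered"
    key = f"key-{secrets.token_hex(4)}"  # constructed placeholder for a real key handle
    if policy.archive_key:
        archive.entries[upn] = (key, issuer)
    return key, "new"


def collect(devices: dict, device_id: str, kind: str, upn: str, cred_id: str) -> int:
    """Collect a credential set to a device and return how many sets it now holds.
    A PC gains one virtual smart card per set; a mobile device holds a single set,
    replaces it on a second collection, and refuses another person's credentials."""
    slot = devices.setdefault(device_id, {"kind": kind, "creds": []})
    if kind == "mobile":
        if slot["creds"] and slot["creds"][0][0] != upn:
            raise PermissionError(f"{device_id} holds credentials for another person")
        slot["creds"] = [(upn, cred_id)]      # cancel and replace the existing set
    else:
        slot["creds"].append((upn, cred_id))  # one more virtual smart card
    return len(slot["creds"])
```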