SafeGuard Enterprise User certificate replacement on smart cards and tokens

  • Article ID: 113177
  • Updated: 29 Mar 2016

How to automatically exchange an AD imported certificate for a user.

Known to apply to the following Sophos product(s) and version(s)
SafeGuard Management Center version 6.0 and above

What To Do

SafeGuard Enterprise provides a tailor-made solution that allows the exchange or swap of user certificates and P12 files synchronously in the Microsoft AD, the SafeGuard Enterprise DB, and on the SafeGuard Enterprise client machine.

This means that a user can still only have one certificate at any given point in time, but a synchronized sequence of events allows the exchange of the user certificate and P12 file in one consolidated action. 

To change a user’s certificate for token logon:

  1. In the SafeGuard Management Center, click Users & Computers.
  2. Plug the token into the USB interface. SafeGuard Enterprise reads in the token.
  3. Select the user for whom you want to change the certificate, and open the Certificate tab (located in the work area on the right-hand side).
  4. In the SafeGuard Management Center toolbar, click the 'Assign a certificate from a token icon'.
  5. Select the relevant certificate and enter the token's PIN.
  6. Click OK.
  7. Provide the user with the new token.

The certificate is assigned to the user as a standby certificate. This is indicated by a tick in the Standby column of the user’s Certificates tab.

After that synchronization between the endpoint computer and the SafeGuard Enterprise Server. The status dialog in the SafeGuard Enterprise System Tray Icon will now indicate
that the endpoint computer is 'Ready for certificate change'.

The user now has to initiate a certificate change on the endpoint computer.

To change the certificate on the client computer:

  1. Log on at the Power-on Authentication with the old token without automatic logon to
  2. Log on to Windows with the new token.

The new token is valid for POA logon. The old token is no longer valid for logon.

After the user has changed the certificate on the endpoint computer, the certificate is also renewed on the SafeGuard Enterprise Server during the next synchronization. This removes the old token from the user’s Certificates tab in the SafeGuard Management Center. The new token becomes the standard token for the user.

In the SafeGuard Management Center, both certificates can be deleted separately. If only a standby certificate is available, the next certificate is assigned as the standard certificate.

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent