Hi lleo,
Certificate extensions like serverAuth and clientAuth can be added as per this thread:
I know this isn't the most elegant solution, and you have to add both at the same time, but it works. (I couldn't find a way to add serverAuth to servers and clientAuth to users and endpoints.)
In the /usr/share/univention-ssl/make-certificate-user.sh file, which is responsible for user cert creation and renewal, we added:
openssl pkcs12 -export -keypbe NONE -certpbe NONE -nomaciter -passout pass: -out bundle.pfx -inkey private.key -in cert.pem
(This defeats some cert security; however, it is a self-signed cert for internal domain use only and the risk was acceptable.)
The output bundle.pfx file is a cert with private key that the user can import on Windows logon. A small PowerShell script linked to a GPO does this automatically.
As mentioned in the solution to this thread, the certificate share only shows accessible resources, so the user sees only one folder with their certificates inside.
Final notes: I have no idea how often the make-certificate-user.sh file changes and how quickly this will stop working. All is done with cool-solutions installed as per this post.
I hope this helps.
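The export command quoted in the post, as an added example that is not part of the original post or of Univention's scripts: a shell script that builds the same kind of user PKCS#12 bundle in both the unencrypted form from the post and a passphrase-protected, AES-encrypted form, then checks whether each bundle's private key can be extracted without a password. It assumes openssl and mktemp are installed; the demo key, certificate, passphrase file and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Univention.
# Assumes openssl and mktemp are available; all names below are constructed.
set -eu

WORK="$(mktemp -d)"
PASS_FILE="$WORK/pfx.pass"

# Constructed throw-away self-signed user key/cert, standing in for the
# private.key / cert.pem that make-certificate-user.sh produces.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-user" \
        -keyout "$WORK/private.key" -out "$WORK/cert.pem" 2>/dev/null
}

# Export as in the post: key and cert unencrypted, no MAC iteration, empty password.
export_weak() {
    openssl pkcs12 -export -keypbe NONE -certpbe NONE -nomaciter -passout pass: \
        -out "$WORK/weak.pfx" -inkey "$WORK/private.key" -in "$WORK/cert.pem"
}

# Hardened export: random passphrase kept in a file readable only by the
# creating user (umask 077), key and cert both wrapped with AES-256-CBC.
export_hardened() {
    umask 077
    openssl rand -base64 24 > "$PASS_FILE"
    openssl pkcs12 -export -keypbe AES-256-CBC -certpbe AES-256-CBC \
        -passout "file:$PASS_FILE" \
        -out "$WORK/hardened.pfx" -inkey "$WORK/private.key" -in "$WORK/cert.pem"
}

# Succeeds (exit 0) when the bundle's private key can be extracted with an
# empty password, i.e. whoever holds the file holds the key.
key_readable_without_password() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin pass: -out /dev/null 2>/dev/null
}

# Succeeds when the hardened bundle opens with the passphrase from the file.
hardened_opens_with_passphrase() {
    openssl pkcs12 -in "$WORK/hardened.pfx" -nocerts -nodes \
        -passin "file:$PASS_FILE" -out /dev/null 2>/dev/null
}

make_demo_cert && export_weak && export_hardened
key_readable_without_password "$WORK/weak.pfx" && echo "weak.pfx: key extractable with empty password"
key_readable_without_password "$WORK/hardened.pfx" || echo "hardened.pfx: key needs the passphrase"
```

On the Windows side the hardened bundle imports the same way; the passphrase just has to reach the import script through a channel other than the file share itself.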