CredUI selects wrong Smartcard certificate

TheGrea 11 Reputation points
2024-05-15T09:46:25.74+00:00

Hi Community,

I am experiencing an issue where the certificate shown by CredUI is not the one I would expect according to the "Filter duplicate logon certificates" Group Policy when the certificate was issued using the certreq.exe command. If I issue certificates from the same certificate templates using the Windows Autoenrollment process, everything works as expected.

Example 1:

Enrollment of 3 smartcard certificates using Autoenrollment:

Auto1-->Auto2-->Auto3

Certificate Auto3 is displayed by CredUI, as it is the last to expire. Auto1 and Auto2 are filtered out due to the policy --> This is the expected behavior from my side.

Example 2:

Enrollment of 3 smartcard certificates using certreq submit:

Certreq1-->Certreq2-->Certreq3

Certificate Certreq1 is displayed by CredUI --> From my understanding this is wrong, since it's not the last to expire.

If I disable the policy and select Certreq3 to authenticate, I am able to authenticate using this certificate.

Example 3:

Enrollment of 3 smartcard certificates using certreq submit and Autoenrollment:

Certreq1-->Auto1-->Certreq2

Certificate Auto1 is displayed by CredUI --> From my understanding this is wrong, since it's not the last to expire.

The issued certificates from Autoenrollment and Certreq have identical attributes and extensions. The only difference I notice is that the order in which the extensions are displayed is different, but this shouldn't play a role in its function.

Does anybody have an idea why the behavior is like that, or how I can find out the selection logic used by CredUI in this case?
