Dave Goldman released a new code path for OABInteg tool.

I just have finished a new code path for OABInteg that will now allow you to do a proactive scan against your active directory to see what your mail enabled objects look like when it comes to certificates. This should help you to eliminate certificates from your active directory so you can reduce your OAB’s overall size.

Currently there are three attributes that ship with Windows 2003 and Exchange 2003 that can store user certificates: userCert, userCertificate, and userSMIMECertificate.

Information on Certificates

• userCert - UserCert is a single valued attribute that stores the old Nortel style certificates used long ago with Key Management Server for Exchange (KMS).
• userCertificate - Exchange and Outlook use it to store DER encoded X.509 e-mail certificates, and Windows uses it to store the public keys for logon, EFS and other such keys.
• userSMIMECertificate - UserSMIMECertificate is used only by Exchange and Outlook for PKCS-7 encoded e-mail certificates and all certificates stored here are supposed to be usable for e-mail.

Read more at source: http://blogs.msdn.com/dgoldman/archive/2008/11/21/...g.aspx