scepclient newdccert and the related scepclient commands store the issued certificate in the SYSTEM (local machine) context, but the private key is generated and stored in the context of the user who ran the command.
Whether this matters depends on how the certificate is requested. If the request is made by the scheduled script, which runs as SYSTEM anyway, key and certificate end up in the same context. If a local administrator runs the command interactively, for example while debugging, the key lands in that administrator's user profile while the certificate sits in the machine store, and this can have unintended consequences:
The private key is, at least in theory, less protected: the user who requested it can access it whenever they log on to the DC, without needing to be a local administrator (on a DC, local administrator means Domain Admin). This is very unlikely to result in an escalation of privileges, because only the original requesting user can access the key, and that user has to log on to the DC, which by default requires Domain Admin membership anyway.
When that user's profile is deleted, the private key is deleted with it, because per-user key containers live inside the profile. The certificate in the machine store then references a key that no longer exists. There may be further situations in which SYSTEM cannot use the certificate and private key, since a per-user key container is resolved in the profile of the account that opens it, and a key created in an administrator's profile is not found when a SYSTEM process opens the certificate.
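The following PowerShell check is an added example; it is not part of scepclient and not code from the original page. It walks the machine certificate store and reports, for each certificate, whether the referenced private key is a machine key or a per-user key, whether the key can be opened at all from the current security context, and where the key container file lives. Assumptions: RSA keys only (DC certificates normally are), Windows PowerShell 5.1 or later with .NET Framework 4.6+ for GetRSAPrivateKey, and the standard CAPI/CNG key store folders under %ProgramData%\Microsoft\Crypto and %APPDATA%\Microsoft\Crypto. Run it once as the administrator who requested the certificate and once as SYSTEM (for example via psexec -s powershell.exe) to see the difference a per-user key makes.

```powershell
# Added example, not part of scepclient or the original page.
# Reports, for every certificate in the machine store, whether its private key is a
# machine key (usable by SYSTEM) or a per-user key (usable only by the account that
# created it), and whether the key can be opened from the current security context.
# Assumptions: RSA keys; Windows PowerShell 5.1+ / .NET Framework 4.6+ (GetRSAPrivateKey).

function Find-KeyFile {
    # Locate the key container file by its unique name in the standard CAPI/CNG key
    # store folders: %ProgramData%\Microsoft\Crypto holds machine keys,
    # %APPDATA%\Microsoft\Crypto holds the current user's keys. A hit under a user
    # profile is the warning sign this page describes.
    param([string]$Name)
    if (-not $Name) { return $null }
    foreach ($root in @("$env:ProgramData\Microsoft\Crypto", "$env:APPDATA\Microsoft\Crypto")) {
        $hit = Get-ChildItem -Path $root -Recurse -File -Filter $Name -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($hit) { return $hit.FullName }
    }
    return $null
}

function Get-MachineStoreKeyReport {
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $status  = 'no private key reference'
        $keyName = $null
        if ($cert.HasPrivateKey) {
            # HasPrivateKey only means the store entry references a key container;
            # it does not prove the key is reachable from this security context.
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) {
                    $status = 'key referenced but not found in this context'
                } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: IsMachineKey tells us which key store the container belongs to
                    $keyName = $rsa.Key.UniqueName
                    $status  = if ($rsa.Key.IsMachineKey) { 'machine key' } else { 'per-user key (only usable by the account that created it)' }
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI key: same information from the CSP container info
                    $info    = $rsa.CspKeyContainerInfo
                    $keyName = $info.UniqueKeyContainerName
                    $status  = if ($info.MachineKeyStore) { 'machine key' } else { 'per-user key (only usable by the account that created it)' }
                } else {
                    $status = "unhandled key type $($rsa.GetType().Name)"
                }
            } catch {
                # Typical for a key that lives in another user's profile or whose profile
                # has been deleted ("Keyset does not exist" or similar).
                $status = "key referenced but not accessible: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Status     = $status
            KeyFile    = Find-KeyFile $keyName
        }
    }
}

Get-MachineStoreKeyReport | Format-Table -AutoSize -Wrap
```

Anything reported as a per-user key, or as referenced but not accessible when run as SYSTEM, is a certificate that SYSTEM processes on the DC cannot use. The remedy that follows from the page is to request or renew the certificate from a SYSTEM context, as the scheduled script does, rather than from an interactive administrator session.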