You could apply the same cert to different devices, but you would then not be able to uniquely distinguish them. It is not required that you use an AD account user for the Username field. That just establishes the username as part of the certificate's common name. When challenging users in a workflow using an AD authentication server, that is merely authorizing the user to be issued a cert... and that is the extent of AD's role. Subsequent connections are authenticated with the cert, and not AD at all. (In the EAP-TLS use case, anyway...)