msoft certification authority

Posted on 2004-08-16
Last Modified: 2010-04-11
We are using EAP-TLS for our wireless network. And were wondering, when a user makes a request for a certificate to authenticate they have the option to mark their private keys as exportable (We're using the mSOFT certification authority). This means they can move that certificate to another machine if they want. We want to stop this from being able to happen. When they make the request, I am the one that has to issue the certificate, but from what I can see in the MCA there is no way to see if they had that option checked. Does anyone know if it's possible and/or how to disable that ability? or do we have to switch to a different certification authority that supports it?
Question by:SeanChapman
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2

Expert Comment

ID: 11823677
I've wondered how to do this before as well.  I've posted a question on a managed MSDN newsgroup and I'll shoot you any responses I get.


Author Comment

ID: 11823751
so far I've been told that I can modify the certificate template to disallow the requester from being able to mark the keys exportable. But I'm using a windows 2000 server right now and can't find how to do it. I might be switching to a 2003 server soon, so I'm hoping its easier then.

Expert Comment

ID: 11908078
Sorry, this took a while.  This was the answer I recieved from MS:

"You need to reconfigure the certificate template so that the private key  
option "Allow private key to be exported" is not specified. When that
option is specified in the template, the subject can export the key; when
it is not specified, they cannot. See Certificate Templates Help for more
information. "

Hope that helps.

Author Comment

ID: 11914034
I figured that much out, but on our windows 2000 server I havent been able to find the option or anything to modify the certificate template. The only thing I've been able to do that works, it comment out some code in the asp page that processes the submit by form option. I just commented out the part where it checks for and creates the part of the request with the keys exportable, and that seemed to work.

Accepted Solution

mpvbrao earned 500 total points
ID: 11943278

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Website and email setup 4 61
Detect Failed Logins within Event Viewer 4 50 Account Security Lockout - SCAM? 3 47
Can't access router with user and pass 10 79
As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question