Copy a Workstation Authentication Certificate

MountyTech
Is it possible to copy a Workstation Certificate to another workstation? The certificate will be issued from Windows 2003 to an XP client. If not, what prevents someone from copying the certificate to their computer?

Thank you,
Commented:
As far as I understand, it should be no big problem to copy the certificate without the private key to another workstation. Anyway, in order to use the certificate for authentication purposes you need the private key. This key is strongly protected and, I believe, encrypted using the machine's password, so simply copying it wouldn't help; you'd also need access to the machine password. This, I believe, is protected by the Windows Data Protection API, which should give you reasonable assurance (http://msdn.microsoft.com/en-us/library/ms995355).
Anyway, in the end it's all only software, so when you create a full copy of the machine (image) and deploy this to another computer, this computer is indistinguishable from the original one, including all certificates.
One way to prevent this is to tie the software to the hardware, which can be done using TPM chips and hard drive encryption solutions like BitLocker.
Dave Howe, Software and Hardware Engineer

Commented:
The certificate is easy - it is just in the machine store.

The secret key may not be marked exportable, in which case you would need suitable hacking software to pull it from the datastore.
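
As an added example (not part of the thread and not either commenter's code), this PowerShell audit reports the exportable flag mentioned in the last comment for every machine-store certificate usable for client authentication. It assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later and an elevated session, which is newer than the Windows 2003/XP setup in the question.

```powershell
# Added example: audit Cert:\LocalMachine\My for client-authentication
# certificates and report whether each private key is marked exportable.
# Assumption: Windows PowerShell 5.1, .NET Framework 4.6+, elevated session.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$exportMask = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport -bor
              [int][System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Gather the EKU OIDs from the certificate's extensions.
    $ekuOids = @(
        $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }
    )
    # A certificate without an EKU extension is not restricted to specific
    # purposes, so keep it; otherwise skip anything lacking Client Authentication.
    if ($ekuOids.Count -gt 0 -and $ekuOids -notcontains $clientAuthOid) { return }

    $exportable = 'no private key'
    if ($cert.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: exportable if either export bit is set in the policy.
                $exportable = (([int]$rsa.Key.ExportPolicy -band $exportMask) -ne 0)
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CryptoAPI key: the container records the flag directly.
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            } else {
                $exportable = 'unknown (non-RSA key or unsupported provider)'
            }
        } catch {
            # Typically access denied when the session is not elevated.
            $exportable = "unknown ($($_.Exception.Message))"
        }
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        KeyExportable = $exportable
    }
} | Format-Table -AutoSize
```

A `True` in the `KeyExportable` column identifies a workstation certificate whose key can be exported through the normal certificate export path and is a candidate for reissue from a template that does not allow private key export.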
