Solved

Limit use digital signature

Posted on 2012-04-05
6
524 Views
Last Modified: 2012-06-27
Hi,

how can I limit the use of certificate digital signature installed in a PC with windows. I need to allow the use of certificate only for a certain web pages.

In other words,  Which kind of tools I need, to setup a limit for the users can only use the certificate to authenticate in a certain web pages

The main question is that some users have a digital signature for general purposes, and I want to limit that the users can only use the certificate digital signature that are installed into the windows certificate repository, to authenticate only in a web pages included in a list.

Regards
0
Comment
Question by:lnrivera
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37815132
when you import the cert into windows certificate store, you can select for which typrs this cert can be used, i.e. web site authentication, e-mail signature and such
but IIRC you cannot restrict a cert to be used on specific websites only as windows selects automatically which cert from the store to send, it will only ask if there're more than one cert matching
0
 

Author Comment

by:lnrivera
ID: 37815283
Maybe using a third party software solutions?

Another way, I'm not sure, if a HSM can do it (But the first problem is that HSM hardware solution is too expensive)

Regards
0
 
LVL 63

Expert Comment

by:btan
ID: 37815605
Actually if you are publishing the certificates to Active Directory, we can try to leverage on GPO to enforce some form of lockdown in autoenrollment and distribution of certificates. Also using the Enterprise CA not others.
http://technet.microsoft.com/en-us/library/cc754877.aspx

I was thinking of creating a customised cert template and specifying the security permission for it as well as "Do not automatically reenroll if a duplicate certificate exists in Active Directory" can be sort of some quick restriction to user even getting the certificates.
http://technet.microsoft.com/en-us/library/cc787781(v=ws.10).aspx

But not a full proof approach as certificates in the local user profile or on the user object in Active Directory are only managed if the certificate corresponds to a certificate template in Active Directory. Foreign certificates and certificates that do not contain the template extension are not managed. This is a transparent activity that is processed asynchronously.

Adding, there are add-on management tool like Microsoft's own Certificate Lifecycle Manager which may help - yet to explore further. Just some quick links

General - http://technet.microsoft.com/en-us/library/cc708653(v=ws.10).aspx
Security practice using it - http://technet.microsoft.com/en-us/library/cc720567(v=ws.10).aspx
0
How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

 
LVL 63

Expert Comment

by:btan
ID: 37815615
On a second thought, if we have control of web server, for example IIS, the webserver can enforce what type of client certificate to use for authentication and access...some configuration to be done for one to one

http://learn.iis.net/page.aspx/478/configuring-one-to-one-client-certificate-mappings/
0
 

Accepted Solution

by:
lnrivera earned 0 total points
ID: 37844672
Finally I filter the access looking for a fingerprint of the certificate in the IP Packets
0
 

Author Closing Comment

by:lnrivera
ID: 37859747
Found workaround by myself
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Is attached iPhone screen an IOC 5 65
How do I restrict certain programs? 9 73
ransomware private key 12 64
User Account Question 6 45
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question