Luis N
asked on
Limit use digital signature
Hi,
how can I limit the use of certificate digital signature installed in a PC with windows. I need to allow the use of certificate only for a certain web pages.
In other words, Which kind of tools I need, to setup a limit for the users can only use the certificate to authenticate in a certain web pages
The main question is that some users have a digital signature for general purposes, and I want to limit that the users can only use the certificate digital signature that are installed into the windows certificate repository, to authenticate only in a web pages included in a list.
Regards
how can I limit the use of certificate digital signature installed in a PC with windows. I need to allow the use of certificate only for a certain web pages.
In other words, Which kind of tools I need, to setup a limit for the users can only use the certificate to authenticate in a certain web pages
The main question is that some users have a digital signature for general purposes, and I want to limit that the users can only use the certificate digital signature that are installed into the windows certificate repository, to authenticate only in a web pages included in a list.
Regards
ASKER
Maybe using a third party software solutions?
Another way, I'm not sure, if a HSM can do it (But the first problem is that HSM hardware solution is too expensive)
Regards
Another way, I'm not sure, if a HSM can do it (But the first problem is that HSM hardware solution is too expensive)
Regards
Actually if you are publishing the certificates to Active Directory, we can try to leverage on GPO to enforce some form of lockdown in autoenrollment and distribution of certificates. Also using the Enterprise CA not others.
http://technet.microsoft.com/en-us/library/cc754877.aspx
I was thinking of creating a customised cert template and specifying the security permission for it as well as "Do not automatically reenroll if a duplicate certificate exists in Active Directory" can be sort of some quick restriction to user even getting the certificates.
http://technet.microsoft.com/en-us/library/cc787781(v=ws.10).aspx
But not a full proof approach as certificates in the local user profile or on the user object in Active Directory are only managed if the certificate corresponds to a certificate template in Active Directory. Foreign certificates and certificates that do not contain the template extension are not managed. This is a transparent activity that is processed asynchronously.
Adding, there are add-on management tool like Microsoft's own Certificate Lifecycle Manager which may help - yet to explore further. Just some quick links
General - http://technet.microsoft.com/en-us/library/cc708653(v=ws.10).aspx
Security practice using it - http://technet.microsoft.com/en-us/library/cc720567(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc754877.aspx
I was thinking of creating a customised cert template and specifying the security permission for it as well as "Do not automatically reenroll if a duplicate certificate exists in Active Directory" can be sort of some quick restriction to user even getting the certificates.
http://technet.microsoft.com/en-us/library/cc787781(v=ws.10).aspx
But not a full proof approach as certificates in the local user profile or on the user object in Active Directory are only managed if the certificate corresponds to a certificate template in Active Directory. Foreign certificates and certificates that do not contain the template extension are not managed. This is a transparent activity that is processed asynchronously.
Adding, there are add-on management tool like Microsoft's own Certificate Lifecycle Manager which may help - yet to explore further. Just some quick links
General - http://technet.microsoft.com/en-us/library/cc708653(v=ws.10).aspx
Security practice using it - http://technet.microsoft.com/en-us/library/cc720567(v=ws.10).aspx
On a second thought, if we have control of web server, for example IIS, the webserver can enforce what type of client certificate to use for authentication and access...some configuration to be done for one to one
http://learn.iis.net/page.aspx/478/configuring-one-to-one-client-certificate-mappings/
http://learn.iis.net/page.aspx/478/configuring-one-to-one-client-certificate-mappings/
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Found workaround by myself
but IIRC you cannot restrict a cert to be used on specific websites only as windows selects automatically which cert from the store to send, it will only ask if there're more than one cert matching