Scenario: a Public Key Infrastructure running Microsoft services. The root CA is internal to the network.
The internal network is all Windows 7 workstations, and they need a client-side cert pushed out so they can use it to authenticate to servers that are PKI-aware and whose apps are set for certificate authentication.
Question (1): Would it be better to issue a user or PC certificate in this scenario?
Question (2): If it is a PC cert, would each workstation need to send a CSR to the CA?
Question (3): If a PC cert, can a cert simply be extracted from the user's certificate store and imported into a non-company device for use? Am I correct to say that without the private key and the password for the key, they cannot even export the cert?