trojan81
asked on
microsoft certificate services
Hello Experts,
Scenario: a Public Key Infrastructure running Microsoft services. The root CA is internal to the network.
The internal network is all Windows 7 workstations, and they need a client-side cert pushed out so they can use it to authenticate to servers that are PKI-aware and the apps are set for certificate authentication.
Question (1): Would it be better to issue a user or pc certificate in this scenario?
Question (2): If it is a PC cert, would each workstation need to send a CSR to the CA?
Question (3): If a PC cert, can a cert simply be extracted from the user's certificate store and imported into a non-company device for use? Am I correct to say that without the private key and the password for the key, they cannot even export the cert?
ASKER
Thank you for responding. I want to now focus on the exporting of the cert. If I enroll for a computer cert, you say that I have the option to make the key non-exportable? If it is non-exportable, then I won't need to secure it with a password, is that correct?
Would it be the issuing CA's job to make the cert non-exportable, or will it be the client?
Lastly, if the cert is exportable but the key is not, would a malicious user be able to install and use the cert?