Community Home > Discuss > Technology > Security > Re: Can a user have a certificate or does only a m...

Security

Reply
zaza
Occasional Contributor I
zaza

Can a user have a certificate or does only a machine have a certificate?

‎07-16-2017 10:21 AM

If say you want to set up a PKI and use EAP-TLS to authenticate all users and computers.

 

A computer's certificate is stored on that computer. But how can a user have a certificate? Where is it stored? What if a user logs in from another computer, how will he provide his certificate for client authentication?

Alert a Moderator
Message 1 of 8
632 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: Can a user have a certificate or does only a machine have a certificate?

‎07-16-2017 10:23 AM

There is a system cert store and a user store. Machine certs are stored in the system store and user certs are stored in the user store.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Alert a Moderator
Message 2 of 8
629 Views
Reply
0 Kudos
zaza
Occasional Contributor I
zaza

Re: Can a user have a certificate or does only a machine have a certificate?

‎07-16-2017 10:34 AM

Alert a Moderator
Message 3 of 8
618 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: Can a user have a certificate or does only a machine have a certificate?

‎07-16-2017 11:19 AM

In practice, it is worse than that...  Typically user certificates are only distributed via group policy when that user logs in successfully via a wired computer.  The user would have had to login to a wired computer to even have the certificate distributed to the user's profile before using it wirelessly.  That is why many secure environments only have wireless eap-tls with machine certificates and machine-only wireless authentication...  Having a multi-user device with wireless user certificates is a headache to provision in practice for multiple user.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Alert a Moderator
Message 4 of 8
590 Views
Reply
0 Kudos
zaza
Occasional Contributor I
zaza

Re: Can a user have a certificate or does only a machine have a certificate?

‎07-16-2017 01:59 PM

Thank you 

Alert a Moderator
Message 5 of 8
577 Views
Reply
0 Kudos
Highlighted
Guru Elite Guru Elite
Guru Elite
cappalli

Re: Can a user have a certificate or does only a machine have a certificate?

‎07-16-2017 02:03 PM

The machine cert is unique per device. The user cert is downloaded into the user cert store after the user logs in. This can cause complications when using machine + user authentication because the first time a user authenticates, the certificate is not available until after the login process completes.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Alert a Moderator
Message 6 of 8
575 Views
Reply
0 Kudos
zaza
Occasional Contributor I
zaza

Re: Can a user have a certificate or does only a machine have a certificate?

‎07-16-2017 02:39 PM

Alert a Moderator
Message 7 of 8
567 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: Can a user have a certificate or does only a machine have a certificate?

‎07-16-2017 02:41 PM

For the network, yes. To use a certificate to log on to the machine itself, you'd need to use a smartcard.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Alert a Moderator
Message 8 of 8
566 Views
Reply
0 Kudos
Search Airheads
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2018 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium