Occasional Contributor I

Can a user have a certificate or does only a machine have a certificate?

If say you want to set up a PKI and use EAP-TLS to authenticate all users and computers.

 

A computer's certificate is stored on that computer. But how can a user have a certificate? Where is it stored? What if a user logs in from another computer, how will he provide his certificate for client authentication?

Guru Elite

Re: Can a user have a certificate or does only a machine have a certificate?

There is a system cert store and a user store. Machine certs are stored in the system store and user certs are stored in the user store.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Can a user have a certificate or does only a machine have a certificate?

Guru Elite

Re: Can a user have a certificate or does only a machine have a certificate?

In practice, it is worse than that... Typically user certificates are only distributed via group policy when that user logs in successfully via a wired computer. The user would have had to log in to a wired computer to even have the certificate distributed to the user's profile before using it wirelessly. That is why many secure environments only have wireless EAP-TLS with machine certificates and machine-only wireless authentication... Having a multi-user device with wireless user certificates is a headache to provision in practice for multiple users.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Can a user have a certificate or does only a machine have a certificate?

Thank you 

Guru Elite

Re: Can a user have a certificate or does only a machine have a certificate?

The machine cert is unique per device. The user cert is downloaded into the user cert store after the user logs in. This can cause complications when using machine + user authentication because the first time a user authenticates, the certificate is not available until after the login process completes.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Can a user have a certificate or does only a machine have a certificate?

Guru Elite

Re: Can a user have a certificate or does only a machine have a certificate?

For the network, yes. To use a certificate to log on to the machine itself, you'd need to use a smartcard.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
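
The two stores described in this thread can be inspected side by side on a Windows client. The following is an added example, not code from any poster in the thread: it lists the certificates in the machine store and in the current user's store that could be offered for EAP-TLS client authentication. The function name `Test-ClientAuthCapable` and the report layout are assumptions made for illustration.

```powershell
# Added example: compare the machine and user certificate stores for
# certificates that can be presented for EAP-TLS client authentication.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (id-kp-clientAuth)

$stores = [ordered]@{
    'Machine (LocalMachine\My)' = 'Cert:\LocalMachine\My'
    'User (CurrentUser\My)'     = 'Cert:\CurrentUser\My'
}

# Hypothetical helper: true if the certificate may be used for client auth.
function Test-ClientAuthCapable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # A certificate without an EKU extension is not restricted to any purpose.
    if (-not $eku) { return $true }

    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($oid.Value -eq $clientAuthOid) { return $true }
    }
    return $false
}

$now = Get-Date
$report = foreach ($name in $stores.Keys) {
    Get-ChildItem -Path $stores[$name] |
        Where-Object { Test-ClientAuthCapable $_ } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $name
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                HasPrivateKey = $_.HasPrivateKey      # needed to complete the TLS handshake
                Expired       = ($_.NotAfter -lt $now)
                NotAfter      = $_.NotAfter
                Thumbprint    = $_.Thumbprint
            }
        }
}

$report | Sort-Object Store, NotAfter | Format-Table -AutoSize
```

The `CurrentUser` rows reflect only the profile of the account running the script, so a user who has never logged on to this computer will have no rows there, while the `LocalMachine` rows are the same for every user of the device.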