Not allowing users to mark certificates as exportable

Archived from groups: microsoft.public.win2000.security (More info?)

We are using EAP-TLS for our wireless network. And were wondering,
when a user makes a request for a certificate to authenticate they
have the option to mark their private keys as exportable (We're using
the mSOFT certification authority). This means they can move that
certificate to another machine if they want. We want to stop this from
being able to happen. When they make the request, I am the one that
has to issue the certificate, but from what I can see in the
Certificate snap-in there is no way to see if they had that option
checked. Does anyone know if it's possible and/or how to disable that
ability? or do we have to switch to a different certification
authority that supports it?
1 answer Last reply
More about allowing users mark certificates exportable
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Hi,

    I am not familiar with mSOFT CA, but you can do this in Microsoft CA server.
    You can configure attributes of the certificate by configuring certificate
    templates (certificate validity, key size, CSP, are the keys exportable,
    purpose of the certificate (client authentication, digital signatures, ...).
    User's certificates are then issued based on configuration set in templates.

    One thing you should check is mSOFT's manual if they support this options...

    Mike

    "schapman" <schapman@inlandkwpp.com> wrote in message
    news:j6unh05sadmmchdkvpgpivhqrocgi6k5er@4ax.com...
    > We are using EAP-TLS for our wireless network. And were wondering,
    > when a user makes a request for a certificate to authenticate they
    > have the option to mark their private keys as exportable (We're using
    > the mSOFT certification authority). This means they can move that
    > certificate to another machine if they want. We want to stop this from
    > being able to happen. When they make the request, I am the one that
    > has to issue the certificate, but from what I can see in the
    > Certificate snap-in there is no way to see if they had that option
    > checked. Does anyone know if it's possible and/or how to disable that
    > ability? or do we have to switch to a different certification
    > authority that supports it?
Ask a new question

Read More

Wireless Network Microsoft Certificate Windows