Not allowing users to mark certificates as exportable

Anonymous
August 13, 2004 3:11:33 AM

Archived from groups: microsoft.public.win2000.security

We are using EAP-TLS for our wireless network, and we were wondering:
when a user makes a request for a certificate to authenticate they
have the option to mark their private keys as exportable (We're using
the mSOFT certification authority). This means they can move that
certificate to another machine if they want. We want to stop this from
being able to happen. When they make the request, I am the one that
has to issue the certificate, but from what I can see in the
Certificate snap-in there is no way to see if they had that option
checked. Does anyone know if it's possible and/or how to disable that
ability? Or do we have to switch to a different certification
authority that supports it?

Anonymous
August 13, 2004 5:20:47 AM

Hi,

I am not familiar with mSOFT CA, but you can do this in the Microsoft CA server.
You can configure attributes of the certificate by configuring certificate
templates (certificate validity, key size, CSP, whether the keys are exportable,
purpose of the certificate (client authentication, digital signatures, ...)).
Users' certificates are then issued based on the configuration set in the templates.

One thing you should check in mSOFT's manual is whether they support these options...

Mike

"schapman" <schapman@inlandkwpp.com> wrote in message
news:j6unh05sadmmchdkvpgpivhqrocgi6k5er@4ax.com...
> We are using EAP-TLS for our wireless network, and we were wondering:
> when a user makes a request for a certificate to authenticate they
> have the option to mark their private keys as exportable (We're using
> the mSOFT certification authority). This means they can move that
> certificate to another machine if they want. We want to stop this from
> being able to happen. When they make the request, I am the one that
> has to issue the certificate, but from what I can see in the
> Certificate snap-in there is no way to see if they had that option
> checked. Does anyone know if it's possible and/or how to disable that
> ability? Or do we have to switch to a different certification
> authority that supports it?
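An audit of the template setting the reply describes, as an added example that is not part of the original thread. It assumes a Microsoft enterprise CA whose templates are stored in Active Directory; the function names, the `-UseDirectory` switch and the sample template names are hypothetical.

```powershell
# Added example: list certificate templates that allow private key export.
# Assumption: Microsoft enterprise CA with templates published in Active Directory.
param([switch]$UseDirectory)   # hypothetical switch: query AD instead of the sample rows

# CT_FLAG_EXPORTABLE_KEY bit of the msPKI-Private-Key-Flag template attribute.
$CT_FLAG_EXPORTABLE_KEY = 0x10

function Test-ExportableKey {
    param([Parameter(Mandatory)][int]$PrivateKeyFlag)
    return ($PrivateKeyFlag -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
}

function Get-TemplateKeyFlags {
    # Templates live under the forest's configuration naming context.
    $root = [ADSI]'LDAP://RootDSE'
    $base = 'LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            $root.configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$base)
    $searcher.Filter   = '(objectClass=pKICertificateTemplate)'
    $searcher.PageSize = 200
    $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'mspki-private-key-flag'))
    foreach ($r in $searcher.FindAll()) {
        # Templates without the attribute are reported with flag 0.
        $flag = 0
        $values = $r.Properties['mspki-private-key-flag']
        if ($values.Count -gt 0) { $flag = [int]$values[0] }
        [pscustomobject]@{ Name = [string]$r.Properties['cn'][0]; PrivateKeyFlag = $flag }
    }
}

# Constructed sample rows (not real templates) so the check runs without a domain.
$sample = @(
    [pscustomobject]@{ Name = 'WirelessUser-Sample';        PrivateKeyFlag = 0x10 },
    [pscustomobject]@{ Name = 'WirelessUser-Locked-Sample'; PrivateKeyFlag = 0x00 }
)

$templates = if ($UseDirectory) { Get-TemplateKeyFlags } else { $sample }

# Report only the templates whose keys may be marked exportable.
$templates |
    Where-Object { Test-ExportableKey -PrivateKeyFlag $_.PrivateKeyFlag } |
    Select-Object Name, PrivateKeyFlag
```

The template only tells the enrolling client how to create the key. The exportable setting is a property of the key in the client's CSP and is not recorded in the issued certificate, which is consistent with it not being visible at issuance time.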