Computer Certificate Private Key

  • Thread starter Thread starter Mr.B
  • Start date Start date
M

Mr.B

Guest
By default, if i set up auto enrollment for computer certificate, i can from
computer export private key.
What would happened, if i import these key to different computer.
If I use different computer and i tried to authenticate, to IAS, would it
exempted as valid ?
 
Re: Computer Certificate Private Key

"Mr.B" <MrB@discussions.microsoft.com> wrote in message
news:C70A8D7E-E75E-45ED-834B-D8ADB05521CE@microsoft.com...
> By default, if i set up auto enrollment for computer certificate, i can
> from
> computer export private key.
> What would happened, if i import these key to different computer.
> If I use different computer and i tried to authenticate, to IAS, would it
> exempted as valid ?

Cryptography assumes that if you have the private key, you are the
individual or computer identified as associated with that key.

However, the recipient of a signed key exchange (in this case, IAS) might
note that your computer is trying to authenticate as a computer name other
than that with which it passed NTLM authentication. In such a case, it would
almost certainly fail the authentication.

Alun.
~~~~
 
Re: Computer Certificate Private Key

Interested.
I have set up 802.1x. I will test it tomorrow. SO i can excepted that
computer will be authenticated with 802.1x. So computer get in to private
network, but it does not authenticate to domain. But that is security birch.
Problem is that I use v1 computer template, and I don’t now, how to make
automotive request, with option, do not export private can, or make it
exportable….


"Alun Jones" wrote:

> "Mr.B" <MrB@discussions.microsoft.com> wrote in message
> news:C70A8D7E-E75E-45ED-834B-D8ADB05521CE@microsoft.com...
> > By default, if i set up auto enrollment for computer certificate, i can
> > from
> > computer export private key.
> > What would happened, if i import these key to different computer.
> > If I use different computer and i tried to authenticate, to IAS, would it
> > exempted as valid ?
>
> Cryptography assumes that if you have the private key, you are the
> individual or computer identified as associated with that key.
>
> However, the recipient of a signed key exchange (in this case, IAS) might
> note that your computer is trying to authenticate as a computer name other
> than that with which it passed NTLM authentication. In such a case, it would
> almost certainly fail the authentication.
>
> Alun.
> ~~~~
>
>
>
 
Re: Computer Certificate Private Key

Actually
The computer account is authenticating to the domain. *You* have decided to
export a private key and import it on a non-trusted host (based on the tone
of your response).
It is not a security breach if *you* decide to put the private key on the
offending host.
Now, you see why the key is non-exportable
Brian

"Mr.B" <MrB@discussions.microsoft.com> wrote in message
news:6CCF2445-5EF1-4E54-8A5F-F2C14BD7346A@microsoft.com...
> Interested.
> I have set up 802.1x. I will test it tomorrow. SO i can excepted that
> computer will be authenticated with 802.1x. So computer get in to private
> network, but it does not authenticate to domain. But that is security
> birch.
> Problem is that I use v1 computer template, and I don’t now, how to make
> automotive request, with option, do not export private can, or make it
> exportable….
>
>
> "Alun Jones" wrote:
>
>> "Mr.B" <MrB@discussions.microsoft.com> wrote in message
>> news:C70A8D7E-E75E-45ED-834B-D8ADB05521CE@microsoft.com...
>> > By default, if i set up auto enrollment for computer certificate, i can
>> > from
>> > computer export private key.
>> > What would happened, if i import these key to different computer.
>> > If I use different computer and i tried to authenticate, to IAS, would
>> > it
>> > exempted as valid ?
>>
>> Cryptography assumes that if you have the private key, you are the
>> individual or computer identified as associated with that key.
>>
>> However, the recipient of a signed key exchange (in this case, IAS) might
>> note that your computer is trying to authenticate as a computer name
>> other
>> than that with which it passed NTLM authentication. In such a case, it
>> would
>> almost certainly fail the authentication.
>>
>> Alun.
>> ~~~~
>>
>>
>>
 
Re: Computer Certificate Private Key

But by default IT IS. And I have to find out, how to prevent these.
I have auto enrollment for computer template. Server is 2003 Standard CA is
Subordinate Enterprise.

"Brian Komar" wrote:

> Actually
> The computer account is authenticating to the domain. *You* have decided to
> export a private key and import it on a non-trusted host (based on the tone
> of your response).
> It is not a security breach if *you* decide to put the private key on the
> offending host.
> Now, you see why the key is non-exportable
> Brian
>
> "Mr.B" <MrB@discussions.microsoft.com> wrote in message
> news:6CCF2445-5EF1-4E54-8A5F-F2C14BD7346A@microsoft.com...
> > Interested.
> > I have set up 802.1x. I will test it tomorrow. SO i can excepted that
> > computer will be authenticated with 802.1x. So computer get in to private
> > network, but it does not authenticate to domain. But that is security
> > birch.
> > Problem is that I use v1 computer template, and I don’t now, how to make
> > automotive request, with option, do not export private can, or make it
> > exportable….
> >
> >
> > "Alun Jones" wrote:
> >
> >> "Mr.B" <MrB@discussions.microsoft.com> wrote in message
> >> news:C70A8D7E-E75E-45ED-834B-D8ADB05521CE@microsoft.com...
> >> > By default, if i set up auto enrollment for computer certificate, i can
> >> > from
> >> > computer export private key.
> >> > What would happened, if i import these key to different computer.
> >> > If I use different computer and i tried to authenticate, to IAS, would
> >> > it
> >> > exempted as valid ?
> >>
> >> Cryptography assumes that if you have the private key, you are the
> >> individual or computer identified as associated with that key.
> >>
> >> However, the recipient of a signed key exchange (in this case, IAS) might
> >> note that your computer is trying to authenticate as a computer name
> >> other
> >> than that with which it passed NTLM authentication. In such a case, it
> >> would
> >> almost certainly fail the authentication.
> >>
> >> Alun.
> >> ~~~~
> >>
> >>
> >>
>
 
Re: Computer Certificate Private Key

The only way to stop this is, as I have said repeatedly in this thread, is
to upgrade the issuing CA to Enterprise Edition.
Only v2 certificate templates give you the control that you desire.
Brian

"Mr.B" <MrB@discussions.microsoft.com> wrote in message
news:1274E9BA-D3A0-49BE-9BCF-83307AA8509C@microsoft.com...
> But by default IT IS. And I have to find out, how to prevent these.
> I have auto enrollment for computer template. Server is 2003 Standard CA
> is
> Subordinate Enterprise.
>
> "Brian Komar" wrote:
>
>> Actually
>> The computer account is authenticating to the domain. *You* have decided
>> to
>> export a private key and import it on a non-trusted host (based on the
>> tone
>> of your response).
>> It is not a security breach if *you* decide to put the private key on the
>> offending host.
>> Now, you see why the key is non-exportable
>> Brian
>>
>> "Mr.B" <MrB@discussions.microsoft.com> wrote in message
>> news:6CCF2445-5EF1-4E54-8A5F-F2C14BD7346A@microsoft.com...
>> > Interested.
>> > I have set up 802.1x. I will test it tomorrow. SO i can excepted that
>> > computer will be authenticated with 802.1x. So computer get in to
>> > private
>> > network, but it does not authenticate to domain. But that is security
>> > birch.
>> > Problem is that I use v1 computer template, and I don’t now, how to
>> > make
>> > automotive request, with option, do not export private can, or make it
>> > exportable….
>> >
>> >
>> > "Alun Jones" wrote:
>> >
>> >> "Mr.B" <MrB@discussions.microsoft.com> wrote in message
>> >> news:C70A8D7E-E75E-45ED-834B-D8ADB05521CE@microsoft.com...
>> >> > By default, if i set up auto enrollment for computer certificate, i
>> >> > can
>> >> > from
>> >> > computer export private key.
>> >> > What would happened, if i import these key to different computer.
>> >> > If I use different computer and i tried to authenticate, to IAS,
>> >> > would
>> >> > it
>> >> > exempted as valid ?
>> >>
>> >> Cryptography assumes that if you have the private key, you are the
>> >> individual or computer identified as associated with that key.
>> >>
>> >> However, the recipient of a signed key exchange (in this case, IAS)
>> >> might
>> >> note that your computer is trying to authenticate as a computer name
>> >> other
>> >> than that with which it passed NTLM authentication. In such a case, it
>> >> would
>> >> almost certainly fail the authentication.
>> >>
>> >> Alun.
>> >> ~~~~
>> >>
>> >>
>> >>
>>
 

Similar threads

onmy
Computer Security
Replies
0
Views
315
onmy
onmy
J
Using TLS certificate with Windows 2008 SMTP virtual server
Replies
0
Views
286
JonF2010
J
R
Error installing Visual Studio 2015 Shell (Integrated) - Error 0x80070490: Failed to find expected public key in certificate chain
Replies
0
Views
416
Rafael Fernandes BR
R
D
Problem with Digital Certificate in only ONE Windows machine
Replies
0
Views
183
David BenS
D
M
403.16 error : "Root certificate which is not trusted by the trust provider. (0x800b0109)"
Replies
0
Views
288
Malathi_Pai
M
Back
Top