Score:0

CA: Certificate User for VPN

From a subordinate Enterprise CA I want to generate a user certificate that serves as an authentication method for VPN connections. I want to install this certificate with autoenroll on the domain users with a GPO. There is an option in the certificate to prevent users from exporting the private key of this certificate. Is it more secure if I configure the certificate with this option, or will it have no impact?

Score:0

It is not "more secure". There are free tools to export the private key. This means that the certificate can be emailed to anyone and they can use it from anywhere.

This is why smart cards exist. They provide non-repudiation by disallowing export and controlling access to the certificate secrets. A TPM can also function as a virtual smart card.
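
An added example, not part of the original answer: a PowerShell inventory, run in the user's session, that reports whether each certificate's private key sits in a software provider (where "non-exportable" is only a policy flag) or in a smart card or TPM provider. It assumes RSA keys and the default Microsoft provider names listed in `$hardwareProviders`; third-party smart card providers would need to be added to that list.

```powershell
# Added example: classify where each user certificate's private key is stored.
# Assumption: default Microsoft provider names; extend the list for vendor middleware.
$hardwareProviders = @(
    'Microsoft Platform Crypto Provider',         # TPM-backed key storage provider
    'Microsoft Smart Card Key Storage Provider',  # smart card / virtual smart card (CNG)
    'Microsoft Base Smart Card Crypto Provider'   # smart card (legacy CSP)
)

Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey | ForEach-Object {
    $cert     = $_
    $provider = 'unknown'
    $policy   = 'unknown'
    try {
        # Returns $null for non-RSA (for example ECDSA) certificates.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($key -is [System.Security.Cryptography.RSACng]) {
            # CNG key: provider name and export policy come from the CngKey object.
            $provider = $key.Key.Provider.Provider
            $policy   = $key.Key.ExportPolicy.ToString()
        }
        elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CSP key: only a boolean exportable flag is available.
            $info     = $key.CspKeyContainerInfo
            $provider = $info.ProviderName
            $policy   = if ($info.Exportable) { 'AllowExport' } else { 'None' }
        }
        elseif ($null -eq $key) {
            $provider = 'non-RSA key (not inspected)'
        }
    }
    catch {
        # Card removed, access denied, or the provider refused the query.
        $provider = "error: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        Provider      = $provider
        ExportPolicy  = $policy
        HardwareBound = $hardwareProviders -contains $provider
    }
} | Format-Table -AutoSize
```

A row with `ExportPolicy` of `None` but `HardwareBound` of `False` is the case the answer describes: the key is flagged non-exportable yet still stored in software on the machine.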
