Re: Computer Certificate Private Key



The only way to stop this, as I have said repeatedly in this thread, is to upgrade the issuing CA to Enterprise Edition.
Only v2 certificate templates give you the control that you desire.
Brian

"Mr.B" <MrB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:1274E9BA-D3A0-49BE-9BCF-83307AA8509C@xxxxxxxxxxxxxxxx
But by default IT IS. And I have to find out how to prevent this.
I have auto enrollment for computer template. Server is 2003 Standard; CA is
Subordinate Enterprise.

"Brian Komar" wrote:

Actually
The computer account is authenticating to the domain. *You* have decided to
export a private key and import it on a non-trusted host (based on the tone
of your response).
It is not a security breach if *you* decide to put the private key on the
offending host.
Now you see why the key is non-exportable.
Brian

"Mr.B" <MrB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6CCF2445-5EF1-4E54-8A5F-F2C14BD7346A@xxxxxxxxxxxxxxxx
> Interested.
> I have set up 802.1x. I will test it tomorrow. So I can expect that the
> computer will be authenticated with 802.1x. So the computer gets into the
> private network, but it does not authenticate to the domain. But that is a
> security breach.
> The problem is that I use a v1 computer template, and I don't know how to
> make an automatic request with the option do not export private key, or make
> it exportable...
>
>
> "Alun Jones" wrote:
>
>> "Mr.B" <MrB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:C70A8D7E-E75E-45ED-834B-D8ADB05521CE@xxxxxxxxxxxxxxxx
>> > By default, if I set up auto enrollment for computer certificate, I can
>> > from the computer export the private key.
>> > What would happen if I import this key to a different computer?
>> > If I use a different computer and I tried to authenticate to IAS, would
>> > it be accepted as valid?
>>
>> Cryptography assumes that if you have the private key, you are the
>> individual or computer identified as associated with that key.
>>
>> However, the recipient of a signed key exchange (in this case, IAS) might
>> note that your computer is trying to authenticate as a computer name other
>> than that with which it passed NTLM authentication. In such a case, it
>> would almost certainly fail the authentication.
>>
>> Alun.
>> ~~~~
>>
>>
>>
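
The thread turns on whether a machine certificate's private key is marked exportable. The following is an added example, not code from any poster in the thread: a PowerShell audit of the local machine store that reports that flag per certificate. It assumes a current Windows host with Windows PowerShell 5.1 or later (.NET Framework 4.6+), RSA keys, and an elevated session; the function name `Get-KeyExportability` is hypothetical.

```powershell
# Added example: report whether each certificate in LocalMachine\My has an
# exportable private key. Run elevated so machine keys can be opened.
function Get-KeyExportability {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    if (-not $Cert.HasPrivateKey) { return 'NoPrivateKey' }

    try {
        # Opens RSA keys held in CNG key storage providers or legacy CSPs.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { return 'NotRSA' }

        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG export policy is a flag set: AllowExport and AllowPlaintextExport
            # both mean the key can leave the host.
            $mask = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport -bor
                    [int][System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
            if (([int]$rsa.Key.ExportPolicy -band $mask) -ne 0) { return 'Exportable' }
            return 'NonExportable'
        }

        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            if ($rsa.CspKeyContainerInfo.Exportable) { return 'Exportable' }
            return 'NonExportable'
        }

        return 'UnknownProvider'
    }
    catch {
        # Key container missing or access denied (for example, not elevated).
        return 'KeyUnreadable'
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        PrivateKey = Get-KeyExportability -Cert $_
    }
} | Sort-Object PrivateKey | Format-Table -AutoSize
```

Rows reported as `Exportable` are the certificates whose keys could be copied to another host in the way the original question describes.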

