Re: standalone CA customized certificate
- From: Sunil Virmani <SunilVirmani@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 20 Mar 2007 17:16:05 -0700
Brian,
I am sorry because of my limited knowledge. Let me explain the architecture
of my software.
My software is divided into 3 parts:
Terminal Software - run on thin terminal
Management Server - run on Windows 2003 server
VPC Software - run on virtual PC.
1. To connect to VPC, thin client has to run Terminal Software.
2. Terminal Software has to pass serial number and processor type to Mgmt
Server.
3. Management Server will authenticate the information passed.
4. Once the mgmt server authenticates the client, it will send message to
VPC agent to open the RDP port.
Thus only thin terminal authenticated by the VPC is able to connect to the
virtual PC.
Now while passing serial number and processor type in step 2, I want to
pass this information encrypted using the private key of machine certificate.
So now server can verify the information is sent by the right machine.
Please let me know if you have any question.
Can you suggest me some way of using certificates and type of certificates
to be used in my architecture?
Regards,
Sunil
"Brian Komar [MVP]" wrote:
In article <2D8A7466-07B7-4601-844D-3FE805F2ABE0.@microsoft.com>,
SunilVirmani@xxxxxxxxxxxxxxxxxxxxxxxxx says...
Hi Brian,
<snip>
It is regarding the following.
Further I want to add serial number and processor type of my terminal
machines in the certificate.
My understanding is that when we issue a client certificate on the basis of
email address, we embed the email address in the certificate. Now each of my
client machines will be distinguished by serial number and processor type.
Should I not put the serial number and processor type in the certificate?
Please let me know if my understanding is incorrect. Further, what kind of
information (instead of email address) should be in the certificate to
distinguish the two certificates?
Regards,
Sunil
You are definitely making some assumptions. Client
authentication certificates require two things:
1) The client authentication OID in the EKU or
application policy extension (or both). This states that
the certificate is for authentication purposes. In
addition, the purpose of the certificate must be for
digital signature.
2) The subject must contain a subject that is recognized
by the authenticating server. For most MS apps, the
subject name is the User Principal Name (UPN) stored
in the subject alternate name. Alternatively, you can
use some applications to map a certificate subject name
format to a specific account. This is where you could
use email name, or any other form of distinguished name.
I have seen some custom applications where a subject
alternate name was used to look up an account (GUID in
their case) against a SQL or Oracle database.
If you are wanting to put processor type or serial
number, what application are you using/coding that would
look up this information? You are trying to mix machine
specific information into a user authentication
certificate by the looks of it.
The question comes down to: What application are you
trying to secure with these authentication certificates?
Brian
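The design in step 2 of Sunil's message, checked against the two requirements in Brian's reply, as an added example that is not part of this thread and not code from either author. It builds a constructed two-level PKI in memory with Go's standard library (a standalone CA and one terminal machine certificate), has the terminal sign the serial number and processor type with the certificate's private key, and has the management server check the chain to the CA, the client authentication EKU and digital signature key usage, the subject alternative name, and finally the signature itself. What the message calls "encrypted using the private key" is a digital signature: the data stays readable, and only the key holder could have produced it. The host name terminal-01.example, the CA name, the sample serial number and processor type, and the functions signReport, verifyReport and newTestPKI are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Step 2 payload. Machine-specific data travels in the signed message, not in the certificate.
type TerminalInfo struct{ SerialNumber, ProcessorType string }

// What crosses the wire: DER payload, ECDSA signature made with the machine key, and the certificate.
type SignedReport struct{ Message, Signature, CertDER []byte }

// Terminal side. This is a digital signature, not encryption: the payload stays readable,
// but only the holder of the certificate's private key could have produced the signature.
func signReport(info TerminalInfo, key *ecdsa.PrivateKey, certDER []byte) (*SignedReport, error) {
	msg, err := asn1.Marshal(info)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedReport{Message: msg, Signature: sig, CertDER: certDER}, nil
}

// Management server side: the two requirements from the reply above, then the signature.
func verifyReport(r *SignedReport, roots *x509.CertPool, known map[string]bool) (TerminalInfo, error) {
	var info TerminalInfo
	cert, err := x509.ParseCertificate(r.CertDER)
	if err != nil {
		return info, err
	}
	// 1) Chains to our CA, carries the client authentication EKU and permits digital signature.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return info, fmt.Errorf("not trusted for client authentication: %w", err)
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return info, fmt.Errorf("key usage does not permit digital signature")
	}
	// 2) A subject alternative name the server recognizes; here a DNS name looked up in a table.
	if len(cert.DNSNames) == 0 || !known[cert.DNSNames[0]] {
		return info, fmt.Errorf("subject alternative name not recognized")
	}
	// The payload must have been signed by the private key matching that certificate.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, r.Message, r.Signature); err != nil {
		return info, fmt.Errorf("bad signature: %w", err)
	}
	_, err = asn1.Unmarshal(r.Message, &info)
	return info, err
}

// Constructed test PKI built in memory: a standalone CA and one terminal machine certificate.
// Returns the server's trust store, the terminal's private key and its DER certificate.
func newTestPKI(hostname string) (*x509.CertPool, *ecdsa.PrivateKey, []byte) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Standalone CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, _ := x509.ParseCertificate(caDER)
	termKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	termTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: hostname},
		DNSNames: []string{hostname}, // the subject alternative name the server maps to an account
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	termDER, err := x509.CreateCertificate(rand.Reader, termTmpl, caCert, &termKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, termKey, termDER
}

func main() {
	roots, key, der := newTestPKI("terminal-01.example")
	report, err := signReport(TerminalInfo{"SN-000123", "x86-64"}, key, der) // constructed values
	if err != nil {
		panic(err)
	}
	fmt.Println(verifyReport(report, roots, map[string]bool{"terminal-01.example": true}))
}
```

The certificate carries only the identity the server maps to an account, which is the arrangement Brian's reply describes; the serial number and processor type are checked as signed data, so they can change without reissuing the certificate. As written the signed payload contains no nonce or timestamp, so a server that records reports would want to include a challenge it issued in the data the terminal signs; the verification order (chain, key usage, identity, signature) is the one a server should keep so that an untrusted certificate is rejected before any signature check is attempted.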