Re: Active Directory User Object certificate store to personal certificate store

From: S. Pidgorny (slavickp_at_yahoo.com)
Date: 02/27/05

    Date: Sun, 27 Feb 2005 13:07:26 +1100
    
    

    Rob,

    Password protects a private key, not the certificate.

    Active Directory doesn't store private keys. The main goal of certificate
    publishing in AD is to make public key available to all other AD clients -
    that facilitates S/MIME encryption without prior key exchange, for example.
    When you're trying to utilise AD for private key storage, you're looking in
    the wrong direction.

    However, the keys and certificates are stored in the user profile - you can
    have roaming profiles that will follow the users.

    I recommend you look into smart cards instead of "soft" certificates for
    "High security".

    -- 
    Svyatoslav Pidgorny, MVP, MCSE
    -= F1 is the key =-
    "Rob McShinsky" <List@mcshinsky.com> wrote in message
    news:euu0La2GFHA.3196@TK2MSFTNGP15.phx.gbl...
    > Is there a way to move AD published certs from the Active Directory User
    > Object cert store to the Personal cert store so that these will follow a
    > user around from computer to computer so they can be utilized by
    > applications.  At the current time we are not looking at autoenrolling
    > certificates because we want to have users create High Security certificates
    > that will require a password before the cert is used for client
    > authentication.  I can see the certs in the AD User Object cert store for
    > the user logged in but they are not accessible from IE, at least with my
    > current knowledge.  This is where our current PKI test application is.  Is
    > there a GPO setting that will make these accessible within the Personal
    > store?  Is there a way to have an application directly reference the AD User
    > Object cert store?  Is there another programmatic/scripting way to utilize
    > these certs?   Thanks for your guidance on this subject.
    >
    > Rob McShinsky
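An added example, not part of this thread, that checks the point made in the reply: the certificates published on the AD user object (the userCertificate attribute) are public copies only, while the private keys that IE and other client applications need live in the user's Personal store. It assumes a domain-joined Windows host with PowerShell 3 or later; the function names are mine.

```powershell
# Added example (not from the thread). Reads the current user's AD-published
# certificates with the built-in [adsisearcher], so no RSAT module is needed.
function Get-AdPublishedCertificates {
    param([string]$SamAccountName = $env:USERNAME)
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $null = $searcher.PropertiesToLoad.Add('userCertificate')
    $result = $searcher.FindOne()
    if (-not $result) { return @() }
    foreach ($der in $result.Properties['usercertificate']) {
        # userCertificate holds DER-encoded X.509 certificates: public key and metadata only.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (,[byte[]]$der)
        [pscustomobject]@{
            Source        = 'AD userCertificate'
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey   # always $false for the AD copy
        }
    }
}

function Get-PersonalStoreCertificates {
    # The Personal (My) store in the user profile is where private keys live;
    # this is the store client applications read for client authentication.
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        [pscustomobject]@{
            Source        = 'CurrentUser\My'
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey
        }
    }
}

# Match on thumbprint to see which AD-published certificates are actually usable
# on this host (present in Personal with a private key) and which are public copies only.
$ad = Get-AdPublishedCertificates
$my = Get-PersonalStoreCertificates
foreach ($c in $ad) {
    $local = $my | Where-Object { $_.Thumbprint -eq $c.Thumbprint }
    $status = if ($local -and $local.HasPrivateKey) { 'usable: private key in Personal store' }
              elseif ($local) { 'in Personal store but without a private key' }
              else { 'public copy only (AD); no private key on this host' }
    '{0}  {1}  {2}' -f $c.Thumbprint, $c.Subject, $status
}
```

A certificate that shows up only as a public copy here will not be offered by IE for client authentication on that machine, regardless of any GPO; the private key has to be present in the user's profile (or on a smart card).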
    
