Re: Active Directory User Object certificate store to personal certificate store

From: S. Pidgorny (slavickp_at_yahoo.com)
Date: 02/27/05

  • Next message: visu: "socket()" 
    Date: Sun, 27 Feb 2005 13:07:26 +1100

    Rob,

    Password protects a private key, not the certificate.

    Active Directory doesn't store private keys. The main goal of certificate
    publishing in AD is to make public key available to all other AD clients -
    that facilitates S/MIME encryption without perr key exchange, for example.
    When you're trying to utilise AD for private key storage, you're looking in
    a wrong direction.

    However, the keys and certificates are stored in the user profile - you can
    have roaming profiles that will follow the users.

    I recommend you to look into smart cards instead of "soft" certificates for
    "High security". 

    -- 
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"Rob McShinsky" <List@mcshinsky.com> wrote in message
news:euu0La2GFHA.3196@TK2MSFTNGP15.phx.gbl...
> Is there a way to move AD published certs to from the Active Directory
User
> Object cert store to the Personal cert store so that these will follow a
> user around from computer to computer so they can be utilized by
> applications.  At the current time we are not looking at autoenrolling
> certificates because we want to have users create High Security
certificates
> that will require a password before the cert is used for client
> authentication.  I can see the certs in the AD User Object cert store for
> the user logged in but they are not accessable from IE, at least with my
> current knowledge.  This is where our current PKI test application is.  Is
> there a GPO setting that will make these accessable within the Personal
> store?  Is there a way to have an application directly reference the AD
User
> Object cert store?  Is ther another programatic/scripting way to utilize
> these certs?   Thanks for your guidance on this subject.
>
> Rob McShinsky
>
>
  • Next message: visu: "socket()"

    Relevant Pages

    • Re: Shared Certificate Store in Active Directory
      ... There is no need to store IPSEC certs in the AD for IPSEC, ... > Active Directory so you can make Certificates and their ... > Certificates rather than Kerberos? ...
      (microsoft.public.win2000.security)
    • RE: EAP-TLS Client enrollment recovery.
      ... the private keys are not restored when you ... only restore the certificates. ... store in order to extract certificates and keys from it and then putting them ...
      (microsoft.public.platformsdk.security)
    • Re: Microsoft CA not installing trusted root path in local computer store
      ... > I installed a standalone root CA, I use it to validate vpn l2tp/IPSec> conections, the problem is that when I try to install the root ... > certification path for the CA in the client machine > using the web page, it is installed in te user certificates store, and> not in the local computer certificates store. ...
      (microsoft.public.win2000.security)
    • Re: Using smartcard as certificate store
      ... It allows the user to perform secure operations like web ... we want to put the certificates we acquire when browsing ... You should still not need to store certificates from arbitrary websites ... that isn't a smartcard but is treated by CAPI as though it were one"! ...
      (microsoft.public.platformsdk.security)
    • Re: Active Directory User Object certificate store to personal certificate store
      ... The certificates that are published to AD under ... "Active Directory User Object cert store" within the Certificate MMC. ... > Password protects a private key, ... > publishing in AD is to make public key available to all other AD clients - ...
      (microsoft.public.windows.server.security)