Re: Certificate management



The usual way to distinguish between the two is to check the
certificate's Subject extension and verify to whom the certificate was
issued. If it names a computer account (often - but not always - with
a trailing "$" at the end of the hostname), then it's intended as a
machine certificate. If it names a user account, then it's intended
as a user cert.

The message that Leander wrote really meant to say "you do not need
Admin rights to import a certificate or PFX file into the user's
certificate store, but you'll need Admin rights to import a
certificate or PFX file into the machine's certificate store". Any
certificate *can* theoretically be used by either a user or computer
account - it all comes down to what certificate usage (e.g. "server
authentication", "S/MIME signature") is enabled in the certificate,
and what the applications that use the cert will do when they encounter
missing or unexpected fields.

In practice, however, computer certificates usually can only be used by
the computer account because - at least for many Windows services -
the computer account to which the cert is associated in Active
Directory won't have the accesses needed by an end user. [Another
common limitation is that many - but not all - computer certificates
are enabled only for "server authentication", which is not a usage
that is ever needed/allowed/expected for user certificates.]

Hope this helps,
Mike

On Aug 27, 7:36 am, Ghealdan <Gheal...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
How do I tell the difference?

"Leander de Graaf" wrote:
Ghealdan wrote:
I have a question regarding certificate management. Do you have to be a
local admin on a Windows XP box to import an external certificate? Also,
along those same lines, once it is imported, do you have to be an admin to
export it to take with you to another machine?

Depends on the use of the certificate, if only a specific user needs to
use the certificate you don't need admin rights to import/export the
certificate, computer certificates however always need to be imported
using a user account with administrative rights.
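
As an added example (not part of the original posts), the PowerShell below lists the personal store of the current user and of the machine and shows, for each certificate, the fields discussed in this thread: who it was issued to, whether that name ends in "$", and which usages are enabled. The function name Get-CertSummary is hypothetical; the "My" store name and the .NET certificate classes are standard.

```powershell
# Added example: summarize certificates in the "My" (Personal) store of the
# current user or the local machine. Get-CertSummary is a hypothetical name.
function Get-CertSummary {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Location
    )

    $ekuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    foreach ($cert in Get-ChildItem -Path "Cert:\$Location\My") {
        # Collect enhanced key usages such as "Server Authentication".
        $usages = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is $ekuType) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    # Fall back to the raw OID when Windows has no friendly name.
                    $name = if ($oid.FriendlyName) { $oid.FriendlyName } else { $oid.Value }
                    $usages += $name
                }
            }
        }

        # Simple name of the subject (normally the CN the cert was issued to).
        $issuedTo = $cert.GetNameInfo($nameType, $false)

        [pscustomobject]@{
            Store          = $Location
            IssuedTo       = $issuedTo
            # Heuristic from the thread: computer accounts often end in "$".
            TrailingDollar = $issuedTo.EndsWith('$')
            Usages         = ($usages -join ', ')
            HasPrivateKey  = $cert.HasPrivateKey
            Thumbprint     = $cert.Thumbprint
        }
    }
}

# Compare the user store with the machine store.
Get-CertSummary -Location CurrentUser  | Format-Table -AutoSize
Get-CertSummary -Location LocalMachine | Format-Table -AutoSize
```

An empty Usages column means the certificate carries no enhanced key usage extension at all.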
