Is there a point to using user certificates instead of only using machine certificates?


I’ve seen that user certificates can be stored on the user’s computer just like machine certificates would.

I understand it would be very secure if the user had placed his private key on a smart card or USB, because then it would always be with him, like on his key-ring alongside his house and car keys. So user certificates give him the benefit of being able to log in to the network from any device by using his security token. Perhaps that’s the sole point of a user certificate? I don’t know.

But if you’re not using tokens then the user certificate will be installed on the user’s computer. That’s far less secure than him just using a password to get authorized to the network. He can keep the password as a memorized secret inside his head. But with certificates, he has to store it on the computer. So if someone gets access to his computer he can export the private key. Then voila, that someone can now authenticate to the network with his own device using the certificate and private key he got off someone else’s device.

tl;dr: Should you deploy user certificates if you’re not planning on using security tokens?

Answer

TL;DR: Deploy user certificates and uncheck the “allow private key to be exported” option when deploying them. For added security, require users to add a password to the private key.

Discussion

“I’ve seen that user certificates can be stored on the user’s computer just like machine certificates would. I understand it would be very secure if the user had placed his private key on a smart card or USB, cause then it would always be with him, like on his key-ring alongside his house and car keys.”

If a user loses their smart card or USB stick, the certificate is compromised. It is much more likely that a user loses physical control of either of these keys, thereby compromising the key.

A USB drive has zero protection against exporting a private key. At least a smart card does not allow the private key to be exported once it has been written to the card.

“But if you’re not using tokens then the user certificate will be installed on the user’s computer. That’s far less secure than him just using a password to get authorized to the network.”

Depends on the password. A 47 character randomly generated password with upper, lower, symbols and numbers is going to be pretty strong. “Monkey” on the other hand…

From a math standpoint, user certificates are orders of magnitude more secure than passwords the average user will generally use. However, this depends on your password policy and user base, I suppose.

“But with certificates, he has to store it on the computer. So if someone gets access to his computer he can export the private key. Then voila, that someone can now authenticate to the network with his own device using the certificate and private key he got off someone else’s device.”

User certificates can be deployed in a manner that the private key is not exportable. Ensure that “allow private key to be exported” is unchecked.

For additional security, you can also add a password to the private key, but this lacks the convenience of automatic deploy via GPO. And, in all likelihood, you’ll need to go around to each user and do this for them with domain admin and local admin privs.
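A way to verify the “not exportable” setting actually took effect on a workstation, as an added example that is not part of the original question or answer: the script below walks the current user’s personal certificate store and reports which private keys are still marked exportable. It assumes Windows PowerShell 5.1 or later and the store path Cert:\CurrentUser\My; keys held by a smart card that is not inserted are reported with Exportable left empty.

```powershell
# Added example (not from the original Q&A): audit the current user's personal
# certificate store and report which private keys are marked exportable.
# Assumes Windows PowerShell 5.1+ with the .NET X509 APIs available.
function Get-ExportableUserKeys {
    param([string]$StorePath = 'Cert:\CurrentUser\My')  # assumed default store path

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert       = $_
        $exportable = $null
        $provider   = 'unknown'
        try {
            # Only RSA keys are inspected here; ECDSA keys are reported as 'unknown'.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: ExportPolicy is a flags enum; AllowExport means the key can leave the machine
                # (possibly only in encrypted PFX form, but it is still exportable).
                $provider   = 'CNG'
                $policy     = [int]$rsa.Key.ExportPolicy
                $allow      = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport
                $exportable = ($policy -band $allow) -ne 0
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI key: the container info exposes the Exportable flag directly.
                $provider   = 'CAPI'
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch {
            # Key exists but cannot be opened (e.g. smart card not present); leave $exportable as $null.
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            Exportable = $exportable
        }
    }
}

# Show only the certificates whose private key would survive an export attempt;
# an empty result means the template setting was honoured for every enrolled key.
Get-ExportableUserKeys | Where-Object { $_.Exportable -eq $true } | Format-Table -AutoSize
```

Running this after GPO auto-enrollment is a quick way to confirm that no certificate was issued from a template that still allows export.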
