How to match machine Cert to machine?

Not applicable

We are toying with using machine certs with Pulse on IVE 7.3 R7 and have things working pretty well, but have a concern.

Is there a way to match the user's machine certificate to the actual machine? Everything I've seen seems to be around verifying that the certificate is issued by a valid trusted CA, etc., but what if someone puts a valid machine certificate onto multiple machines? We want to lock each certificate to a specific machine. I know we can use non-exportable certs so once installed, the certificate can't be exported and re-installed on another machine, but if someone can get a copy of the original cert before it's installed on a machine, we don't want them to put it onto a different machine.

Any ideas?

Regular Contributor

Re: How to match machine Cert to machine?

If someone can get a copy of the certificate including the private key and install it, then effectively the certificate is worthless as an authentication mechanism. Ideally you want the certificate to be requested by the machine directly so the private key is generated on, and only ever exists in, the authorized machine's keystore. If you need to generate the key and CSR manually then you need to ensure the key is protected by a strong password, so even if someone gets a copy they need to know the password to install it.

Respected Contributor

Re: How to match machine Cert to machine?

As a simple check on the SA system, no, it is not possible; as mentioned elsewhere in the thread, it may be possible with multiple configuration options.

Super Contributor

Re: How to match machine Cert to machine?

If your users have local admin rights (or better), then there's no such thing as a non-exportable certificate. I have had to extract non-exportable certificates (because the CD in the safe was unreadable) from Windows servers before and it only takes a minute or so (at least on Server 2003/2008; I have no experience on Windows Server 2012).

I seem to remember seeing this type of question before in these forums, and I /think/ that the suggested answer was to use Host Checker (or some other executable) to return the hardware ID, which could then be compared to the value stored for the user in the AD/LDAP directory... with the caveat that this is only possible if the auth server is defined as type=LDAP, not 'Active Directory'.

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Super Contributor

Re: How to match machine Cert to machine?

Actually, you've assumed that Microsoft (at least in releases up to Server 2008) does more than simply store the certificate info in a file under C:\Users\<username>\Application Data\Microsoft\Crypto\RSA\ that is read-only and owned by the system account. In reality, all I have to do is take ownership of the files under this directory, and then, when I run certutil, the keys are exportable for me (the owner).

Now, if the certificate was installed with "strong private key protection" checked, then my method won't work without that password, but since this is a personal certificate, the user would have to enter the password to be able to use it for authentication, and therefore be able to decrypt it and (after taking ownership of the file) export it.

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
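The first reply's advice (have the machine generate the key itself) and the file-ownership concern in the post above both come down to where the private key lives. The following PowerShell is an added example, not code from the thread, the forum or Pulse/Juniper, and it is written from the defender's side: it enrolls so the key is created on the machine, marked non-exportable and held by the TPM key storage provider, and it audits the machine store for certificates whose key is only software-protected. Assumed, and not from the thread: PowerShell 5.1 or later running elevated, a TPM so the "Microsoft Platform Crypto Provider" KSP is available, a Microsoft enterprise CA reachable under the placeholder config string `CA-HOST\CA-NAME`, and a template named `MachineAuthExample` (placeholder).

```powershell
# Added example (not from the thread). Assumptions: elevated PowerShell 5.1+,
# a TPM present, a Microsoft CA at the placeholder $CAConfig, and a template
# named MachineAuthExample (placeholder). Exportable = FALSE is what the CA
# template should also enforce; the TPM KSP never releases the key at all.

function New-BoundMachineCertRequest {
    param(
        [string]$CAConfig = 'CA-HOST\CA-NAME',      # placeholder: "host\CA common name"
        [string]$Template = 'MachineAuthExample'    # placeholder template name
    )
    $inf = @"
[NewRequest]
Subject = "CN=$env:COMPUTERNAME"
KeyAlgorithm = RSA
KeyLength = 2048
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft Platform Crypto Provider"
KeyUsage = 0x80
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@
    $base = Join-Path $env:TEMP 'machine-auth'
    Set-Content -Path "$base.inf" -Value $inf -Encoding ASCII
    # The key pair is generated here, inside the TPM; only the CSR leaves the box.
    certreq -new "$base.inf" "$base.req"
    certreq -submit -config $CAConfig "$base.req" "$base.cer"
    certreq -accept "$base.cer"   # binds the issued cert to the local private key
}

function Get-MachineCertKeyAudit {
    # One row per certificate in LocalMachine\My that has a private key.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $provider = $null; $exportable = $null; $hardware = $false
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch {
            $rsa = $null   # key present but not readable by this account, or not RSA
        }
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: export policy and provider come from the CngKey handle.
            $key = $rsa.Key
            $provider = $key.Provider.Provider
            $exportable = ($key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
            $hardware = ($provider -eq 'Microsoft Platform Crypto Provider')
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key: the container info carries the same facts.
            $info = $rsa.CspKeyContainerInfo
            $provider = $info.ProviderName
            $exportable = $info.Exportable
            $hardware = $info.HardwareDevice
        }
        if ($hardware) {
            $verdict = 'bound to this hardware'
        } elseif ($exportable -eq $false) {
            # The flag is enforced by the OS key store, not by hardware.
            $verdict = 'software key; non-exportable flag only'
        } elseif ($exportable -eq $true) {
            $verdict = 'software key; EXPORTABLE'
        } else {
            $verdict = 'non-RSA or unreadable key'
        }
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            Provider       = $provider
            Exportable     = $exportable
            HardwareBacked = $hardware
            Verdict        = $verdict
        }
    }
}

# Usage: run the audit on a machine that has already enrolled.
Get-MachineCertKeyAudit | Format-Table -AutoSize
```

Only the `bound to this hardware` verdict gives the property the original poster asked for: a key the TPM created and will not release is the one thing a copy of the certificate file cannot carry to another machine. A `software key` verdict, exportable or not, is the situation the replies above describe, where the non-exportable flag is a policy of the Windows key store rather than a physical binding.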
Super Contributor

Re: How to match machine Cert to machine?

No, it may be generated, and only be expected to be used, on a single computer... but this is Windows, and with admin rights, anything is possible. I can rename a computer in 2 minutes unless it's a member of a domain; that takes privileges not available to a local-only administrator.

I guess what I'm saying is that if you're just using one test of identity, you can be fooled. If you require the machine to be a member of an AD domain, and check for a domain-issued machine certificate, then you can be relatively sure of the identity of the machine.

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Valued Contributor

Re: How to match machine Cert to machine?

To ensure security, you will want to enforce that the private key is not exportable during the enrollment of the machine certificate. This should avoid any possibility that the same certificate is installed on multiple devices.

Valued Contributor

Re: How to match machine Cert to machine?

If you can extract the certificate from the server, this would mean you are allowing key archival. This is usually only meant for certificates used to encrypt email. If you use the key usage of non-repudiation, this should not allow key archival. Also, admin rights do not determine if the key is exportable, as this is set by the CA during enrollment of the certificate. This would defeat the whole purpose of a key being non-exportable. Are you using an MS CA to issue certificates or a public CA?

In regards to Host Checker, you could use Host Checker to validate the MAC address or hardware ID, but these can be easily duplicated as well.

Valued Contributor

Re: How to match machine Cert to machine?

If this is the case, I believe the only other option I can think is use host checker to validate the MAC address.

I will see if I can find any other options.

Contributor

Re: How to match machine Cert to machine?

Not so sure I understand how and why this would work. So you are saying User A can copy the machine cert from Computer B and install it and use it on Computer A? Doesn't make any security sense. The computer cert is generated on that computer and can only be used by that computer. IVE would reject it coming from another computer when it compares it with its cert from that computer. Now I can imagine that I am not understanding at all what is going on here, so that being the case, tomorrow I will look for the corrections to my mis- or understanding :)

Has anyone successfully tried this and succeeded?




