Protect certificate from exporting

e-mourad
Level 1

Hello,

Can I export a certificate to another machine and use it to connect to a VPN PIX? If yes, how can I disable this without using the normal certificate password? (I don't want to use a password because the VPN client prompts for it every time it connects.)

Thanks for your help

3 Replies

michael.kopp
Level 1

Hi,

The certificate MUST always be exportable, because otherwise the PIX can't authenticate your VPN user.

(It's your public portion.)

What you should protect is your private key.

If you use the Microsoft Keystore, there is somewhere an option (during certificate installation) to mark the key non-exportable (I'm not the MS guy so I can't tell you the exact location).

But be aware: if your key is not exportable and you have to re-install the notebook, you'll have to create a new certificate and pub/private key pair, because you can't get the private key out of the box!!!

Hope this helps

Regards

Michael

Hi,

Thanks for the reply. It's a good answer.

By this, users can't export the certificate to use it at home? And so I don't need to protect the certificate with a password?

Thanks

Hi,

The user can export the certificate, but it is useless as long as they are unable to grab the corresponding private key from the certificate store.

If you don't want to protect your certificate against misuse (somebody steals the PC where the certificate is stored and has the user credentials), then you don't need to protect your private key with a password.

Please note: The password protects your private key and not the certificate. The certificate by definition has to be available for other clients to verify someone's identity.

Michael
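
The non-exportable key option discussed in the replies above, shown for the Microsoft certificate store as an added example that is not part of the original thread: one function imports a PKCS#12 file without the `-Exportable` switch, the other audits a store for private keys that are still exportable. The store path `Cert:\CurrentUser\My` and both function names are assumptions made for illustration.

```powershell
# Added example (not from the thread). Function names and default store are assumptions.

# Import a PFX so that the private key cannot be exported again.
# Import-PfxCertificate only marks the key exportable when -Exportable is passed.
function Import-NonExportablePfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword,
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword -CertStoreLocation $StorePath
}

# Report, per certificate with a private key, whether that key is exportable.
# Exportable = $null means the key could not be inspected (non-RSA key, token absent, no access).
function Get-PrivateKeyExportability {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    $pol = [System.Security.Cryptography.CngExportPolicies]

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $exportable = $null
        try {
            $key = $ext::GetRSAPrivateKey($_)
            if ($key -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the export policy is a flags value; neither flag set means non-exportable
                $p = $key.Key.ExportPolicy
                $exportable = $p.HasFlag($pol::AllowExport) -or $p.HasFlag($pol::AllowPlaintextExport)
            }
            elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CryptoAPI key: the container reports exportability directly
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
        }
        catch {
            # Leave $exportable as $null when the key cannot be opened
        }
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Exportable = $exportable
        }
    }
}

# List certificates whose private key can still leave this machine
Get-PrivateKeyExportability | Where-Object { $_.Exportable } | Format-Table -AutoSize
```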