07-29-2025 07:18 AM
I'm looking for a way to send a non-exportable certificate request from clients running different OSes (Windows, Linux and Mac), then check the requests on the CA server. After approval, the non-exportable certificate becomes available for the client to install. Then I configure the SSL VPN authentication based on the certificate common name instead of the username.
The problem is that I don't have any examples or tools to generate non-exportable certificates for users on different OSes.
I have Cisco ISE 3.3 for the AAA part of the VPN connection, ASA and FTD firewalls, Microsoft Active Directory for users and groups, and a Microsoft CA server.
Would you please share your ideas about generating non-exportable certificates?
07-30-2025 02:52 AM
No need to add the CA cert on the client; the client must accept the FTD cert.
MHM
07-30-2025 04:32 AM
The non-exportable part is somewhat of an honor agreement; it is not part of the certificate itself, but rather operating-system specific.
Using your Microsoft PKI and AD, you can deploy, for example, non-exportable computer certificates to AD-joined Windows machines. Windows policies enforce the non-exportable part.
I believe Mac also has the concept of importing certificates and making them non-exportable if the key is generated within the Secure Enclave (according to a quick Google search).
On Linux machines, you might be able to enforce non-exportable-like behavior if the key is on the TPM.
The certificates themselves do not have the concept of being non-exportable; this is something you enforce at the OS and/or hardware level when either importing or generating the private keys.
So it all depends on how you're managing these endpoints.
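To make the point in the reply above concrete for the Windows side only, here is an added example (not code from any participant in this thread) of an enrollment against a Microsoft CA where the non-exportable property is set in the client's certreq INF rather than anywhere in the request or the issued certificate, followed by a check that reads the export policy back from CNG. The CA config string, the template name "Machine" and the subject are assumed placeholders; the "Microsoft Platform Crypto Provider" line additionally roots the key in the TPM, which is the hardware-level enforcement the reply mentions.

```powershell
# Added example, not from this thread. Run in an elevated PowerShell on a
# domain-joined Windows host. Everything below that names a CA, template or
# host is an assumption, not something taken from the thread.

$CaConfig = "ca01.example.com\Example Issuing CA"  # assumed CA config string
$Template = "Machine"                              # assumed template name
$Subject  = "CN=$env:COMPUTERNAME.example.com"     # assumed subject
$WorkDir  = Join-Path $env:TEMP "certreq-demo"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# certreq INF. "Exportable = FALSE" is what makes the key storage provider
# mark the key non-exportable; the CA never sees this flag because it is not
# part of the PKCS#10 request or of the issued certificate.
# "Microsoft Platform Crypto Provider" keeps the key inside the TPM; use
# "Microsoft Software Key Storage Provider" for a software-only key that
# Windows still refuses to export.
$Inf = @"
[NewRequest]
Subject = "$Subject"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = FALSE
MachineKeySet = TRUE
KeyUsage = 0xA0
ProviderName = "Microsoft Platform Crypto Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = "$Template"
"@
$InfPath = Join-Path $WorkDir "request.inf"
$CsrPath = Join-Path $WorkDir "request.csr"
$CerPath = Join-Path $WorkDir "issued.cer"
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# 1. Generate the key pair in the KSP and write the PKCS#10 request.
certreq -new -q $InfPath $CsrPath
# 2. Submit to the CA. If the template requires CA manager approval this
#    prints a request ID and "pending"; after approval run
#    certreq -retrieve -q -config $CaConfig <RequestId> $CerPath instead.
certreq -submit -q -config $CaConfig $CsrPath $CerPath
# 3. Bind the issued certificate to the pending key in the machine store.
certreq -accept -q -machine $CerPath

# Verify: ask CNG what export policy the key actually carries.
function Get-KeyExportPolicy {
    param([Parameter(Mandatory)][string]$SubjectPattern)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like $SubjectPattern -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key matches $SubjectPattern" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
        throw "Key is held by a legacy CSP, not CNG; inspect with: certutil -store -v My"
    }
    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Provider     = $rsa.Key.Provider.Provider   # which KSP holds the key
        ExportPolicy = $rsa.Key.ExportPolicy        # 'None' means non-exportable
    }
}

Get-KeyExportPolicy -SubjectPattern "$Subject*"
```

The ExportPolicy value is the only place the "non-exportable" property lives: nothing in the CSR or the issued certificate records it, which is why a CA (or ISE, or the FTD) cannot tell an exportable key from a non-exportable one by inspecting the certificate. This example covers Windows only; the macOS and Linux paths mentioned above would need their own keychain or TPM tooling.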
08-01-2025 10:24 PM
Thank you very much for your replies.
I’m encountering an issue with Microsoft Active Directory Certificate Services (AD CS) Web Enrollment. The Web Enrollment feature on Windows Server 2019 relies on outdated technologies, specifically ActiveX, to issue non-exportable certificates on behalf of clients. This approach is difficult to use on modern Windows systems like Windows 10 or 11, and completely incompatible with macOS or Linux.
Has anyone dealt with this challenge—specifically, enabling macOS and Linux clients to request and receive non-exportable certificates from a Microsoft Certificate Authority? I’m looking for a modern, cross-platform solution to this problem.