2003 CA create non exportable PFX

  • 2003 CA create non exportable PFX

    This may seem a bit strange, but here is what I am looking to do. I am planning to use a WEB/SSL VPN to secure a business web app. For security, I will be using certificates to authenticate the WEBVPN user. This may be a somewhat cheesy way, but I am using MS CA on Server 2003, and IAS for authentication control. The remote users will be domain members only for certificate/IAS purposes. What I need to do is to create their user certificates, and be able to email them the .pfx files. The problem is that I cannot figure out how to get the certificate with the private key, while marking the key non-exportable. I know I can just have a workstation request the cert for each user and export it, but to make that work, I have to have the keys marked exportable in my CA, which is what I am very much needing to avoid. How can I go about this so that I (not the end user, since they will have NO access to my CA server) can create their certificate, which will be non-exportable, and still get the private key/PFX file to be able to send to them to install?

  • #2
    Re: 2003 CA create non exportable PFX

    The user needs the private and public key.
    The public key is always exportable; the private key isn't (although it can be done, of course).

    Where do you want to go to? Are the clients members of the domain, and do you have an Enterprise Intermediate CA or Enterprise Root CA? If yes, you might consider auto-enrollment.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: 2003 CA create non exportable PFX

      The clients will never be within 100 miles of the domain. All I am using certificates for is the WebVPN authentication. I need to be able to email them a PFX file that they can import into their browser, but once imported it needs to not be exportable (so if they need a certificate for a new PC they need to call me).



      • #4
        Re: 2003 CA create non exportable PFX

        And what if the user saves the email you send?
        Marcel



        • #5
          Re: 2003 CA create non exportable PFX

          I know that's a possibility. But putting that aside, I do not want the certificate to be exportable once imported.

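What the thread is circling around is that "non-exportable" is not a property of the PFX file; it is a flag set on the key container by the machine that imports the key. The PFX itself always carries the private key (protected only by its password), which is Marcel's point about the saved email. The following is an added example, not code from the thread: it imports a PFX on the client so the key lands non-exportable, then verifies the result. The path and password are placeholders, and it assumes the PKI module (Windows 8 / Server 2012 or later) rather than a 2003-era client.

```powershell
# Added example, not from the thread. Placeholder path and password.
$PfxPath = 'C:\Temp\user.pfx'                 # placeholder: the file you emailed
$PfxPass = Read-Host -AsSecureString 'PFX password'

# Import WITHOUT -Exportable: the key is marked non-exportable at this step,
# on this machine, regardless of how the key was generated on the CA side.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\CurrentUser\My' `
            -Password $PfxPass

# Equivalent with certutil (assumed modifier syntax):
#   certutil -user -p <password> -importPFX user.pfx NoExport

# Verify the flag. CAPI (CSP) keys expose CspKeyContainerInfo;
# CNG keys expose Key.ExportPolicy instead.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $exportable = $rsa.CspKeyContainerInfo.Exportable
} else {
    $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
    $exportable = [bool]($rsa.Key.ExportPolicy -band $allow)
}
"Thumbprint $($cert.Thumbprint) exportable: $exportable"   # expect False

# Cross-check: exporting the key again must now be refused by the key store.
try {
    Export-PfxCertificate -Cert $cert -FilePath 'C:\Temp\copy.pfx' `
        -Password $PfxPass -ErrorAction Stop | Out-Null
    'Export succeeded: the key was imported exportable'
} catch {
    "Export blocked: $($_.Exception.Message)"
}

# The original user.pfx still contains the private key; once imported it
# should be deleted, since any copy of it can be re-imported as exportable.
```

The check covers both CSP and CNG key storage; if the import was done with `-Exportable`, the first line reports True and the export in the try block succeeds.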