CA root certificate

[michele.gullia@gmail.com]

Hi to all. This is my first post and my first step to the PKI

knowledge.

Someone have asked me if there is a way to make the Root Certificate

not exportable so only the one who have installed this certificate in

the machine can access via PEAP to the wifi network and in the same

time the user cannot pass this certificate to another PC.

A kind of security enanchement.

Ok...i think i have the answer and it's NO, but to be honest I'm too

new to this topic and I wont to be sure.

Thank for your intrest and sorry for my bad english

 

[S. Pidgorny]

You're right - the answer is resounding no. Certificate is public

information. It is presented to anybody requesting PEAP connection.

What you're looking for if protected private key. Use EAP-TLS instead of

PEAP, put the client certificate (along with private key) on a smart card

and that achieves the outlined goal.

--

Svyatoslav Pidgorny, MS MVP - Security, MCSE

-= F1 is the key =-

http://sl.mvps.org http://msmvps.com/blogs/sp

<michele.gullia@gmail.com> wrote in message

news:f8501c23-1edd-4300-a1d3-e7b63168714c@z72g2000hsb.googlegroups.com...<span style="color:blue">

> Hi to all. This is my first post and my first step to the PKI

> knowledge.

> Someone have asked me if there is a way to make the Root Certificate

> not exportable so only the one who have installed this certificate in

> the machine can access via PEAP to the wifi network and in the same

> time the user cannot pass this certificate to another PC.

> A kind of security enanchement.

> Ok...i think i have the answer and it's NO, but to be honest I'm too

> new to this topic and I wont to be sure.

>

> Thank for your intrest and sorry for my bad english </span>