Certificates and client authentication. How to present certificates from Local Computer store instead of Current user's store

  • Question

  • When using client authentication, the certificate shown to the server requiring the certificate is usually the current user's certificate stored in the current user's store (https://technet.microsoft.com/en-us/library/bb457116.f18zs05_big(l=en-us).jpg). This means that each user must have a certificate in their current user's store. Is there a way to force Windows to present a certificate stored in the local computer store instead (http://www.malgreve.net/wp-content/uploads/2014/05/Local-Computer-Personal-Certificates-Store.png)? In this case, since the certificate is stored in the local computer store, it should be valid for every user.


    • Edited by MLKPM Monday, February 19, 2018 12:45 AM
    Sunday, February 18, 2018 11:44 AM

Answers

  • No. The connection attempt is being performed in the context of the current user, so only certificates within the Current User store are allowed.

    If you were doing, for example, an IPSec connection, where the connection was from the local machine account to the remote server, then the certificate would come from the local machine store.

    You simply have to issue certificates to each user.

    Brian

    • Proposed as answer by Brian Komar [MVP] Sunday, February 18, 2018 3:14 PM
    • Marked as answer by MLKPM Sunday, February 18, 2018 7:38 PM
    Sunday, February 18, 2018 3:14 PM
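The distinction Brian draws (a process running as the user can only pick client certificates from the Current User store) is something an administrator can check directly. The following PowerShell snippet is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell with the built-in Cert: drive and enumerates the Personal (My) store of both Current User and Local Computer, keeping only certificates that carry the Client Authentication EKU (or no EKU extension at all, which means "any purpose"), have a private key, and are not expired. The OfferedByBrowser column applies the rule from the answer above: only the Current User entries are candidates for a browser session.

```powershell
# Added example (not from the thread): list TLS client-authentication candidates
# in both Personal stores and flag which ones a browser running as the current
# user could actually present. Assumes the built-in Cert: provider.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    # Find the Enhanced Key Usage extension (OID 2.5.29.37), if present.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }

    # No EKU extension means the certificate is not restricted to any purpose.
    if (-not $eku) { return $true }

    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($oid.Value -eq $ClientAuthOid) { return $true }
    }
    return $false
}

function Get-ClientAuthCandidate {
    param([string[]] $Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            (Test-ClientAuthEku -Cert $_)
        } | ForEach-Object {
            [pscustomobject]@{
                Store            = $store
                Subject          = $_.Subject
                Issuer           = $_.Issuer
                Thumbprint       = $_.Thumbprint
                NotAfter         = $_.NotAfter
                # Per the answer above: a browser runs as the user, so only
                # CurrentUser\My entries are selectable for client authentication.
                OfferedByBrowser = ($store -like 'Cert:\CurrentUser\*')
            }
        }
    }
}

# Usage: show every candidate, Current User entries first.
Get-ClientAuthCandidate | Sort-Object OfferedByBrowser -Descending | Format-Table -AutoSize
```

Running this as the user who will open the browser gives a quick answer to "why is no certificate being prompted for": if the only row with a client-auth EKU sits in Cert:\LocalMachine\My, the certificate needs to be issued to (or imported into) the user's own store, exactly as the answer states.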

All replies

  • Hi Brian,

    Thank you very much for your reply. My example was about a client accessing a web application (behind a load balancer and requiring client authentication) by using the browser. As a result, from what you wrote, I presume that your answer still applies to this specific case. 

    Thank you again. 

    I read your book about PKI and certificate security and it really helped me understand more about this fascinating subject. It encouraged me to explore this area further.

    • Edited by MLKPM Monday, February 19, 2018 12:39 AM
    Sunday, February 18, 2018 7:36 PM
  • Yep, when the client is accessing via a browser, the browser is running in the security context of (drumroll please)...

    The user, so only certs in the current user store are available.

    Brian

    Sunday, February 18, 2018 10:45 PM