CA root certificate

  • Thread starter: michele.gullia@gmail.com

Hi to all. This is my first post and my first step into PKI
knowledge.
Someone has asked me if there is a way to make the Root Certificate
not exportable, so only the one who has installed this certificate on
the machine can access the wifi network via PEAP and at the same
time the user cannot pass this certificate to another PC.
A kind of security enhancement.
OK... I think I have the answer and it's NO, but to be honest I'm too
new to this topic and I want to be sure.

Thanks for your interest and sorry for my bad English
 
You're right - the answer is a resounding no. The certificate is public
information. It is presented to anybody requesting a PEAP connection.

What you're looking for is a protected private key. Use EAP-TLS instead of
PEAP, put the client certificate (along with the private key) on a smart card
and that achieves the outlined goal.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

wrote in message
news:f8501c23-1edd-4300-a1d3-e7b63168714c@z72g2000hsb.googlegroups.com...
> Hi to all. This is my first post and my first step into PKI
> knowledge.
> Someone has asked me if there is a way to make the Root Certificate
> not exportable, so only the one who has installed this certificate on
> the machine can access the wifi network via PEAP and at the same
> time the user cannot pass this certificate to another PC.
> A kind of security enhancement.
> OK... I think I have the answer and it's NO, but to be honest I'm too
> new to this topic and I want to be sure.
>
> Thanks for your interest and sorry for my bad English
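
The distinction drawn in the reply above can be checked on a Windows client with a read-only audit; this is an added example, not part of the original thread. The helper name `Get-ClientKeyProtection` and the store paths used are assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Read-only audit of local certificate stores.

# 1. Trusted roots hold public data only: HasPrivateKey is expected to be False,
#    so there is no secret in this store that could be marked "non-exportable".
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Select-Object Subject, Thumbprint, HasPrivateKey |
    Format-Table -AutoSize

# 2. Client certificates: where does the private key live, and may it be exported?
function Get-ClientKeyProtection {   # hypothetical helper name
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # assumed store location

    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
        $row = [ordered]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = 'unknown'
            Export     = 'unknown'
        }
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($key -is [System.Security.Cryptography.RSACng]) {
                # CNG key: provider name and export policy flags come from the key handle
                $row.Provider = $key.Key.Provider.Provider
                $row.Export   = $key.Key.ExportPolicy.ToString()
            }
            elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key
                $info = $key.CspKeyContainerInfo
                $row.Provider = $info.ProviderName
                $row.Export   = if ($info.Exportable) { 'Exportable' } else { 'None' }
            }
            else { $row.Provider = 'non-RSA key (not inspected)' }
        }
        catch {
            $row.Export = "not readable: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

Get-ClientKeyProtection | Format-Table -AutoSize
```

For the EAP-TLS setup recommended in the reply, the client certificate's row should show a smart card provider and an export policy of `None`.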
 