
Our organization is thinking of using client certificates to add a new factor to VPN authentication. We have corporate laptops that would be pre-configured with client certificates and then given out to users. Given that the user does not have admin access, and it's a Windows OS, one hurdle that I observed is protecting the certificate (and the private key) from being exported. To bypass this, a malicious user can export and reinstall the cert on their personal device, and that would not be ideal for us. I just want to block/password-protect the export of the certificate (and the private key), or invalidate the cert if it's done.

I did search Stack Exchange first, and I found "Prevent copying (exporting) private key from one machine to another?", but it talks about users having admin access to their machine, which is not the case here.

Any other preferable way to constrain device access to a VPN is also appreciated!

Thanks in advance for any answer/help. :)

Akash

1 Answer

I just want to block/password protect the export of the certificate (and the private key), or invalidate the cert if it's done

You can apply a password only to key access operations. If the user has access to the key, then the user can export it.

The only thing you can do is to store keys in a TPM. The user can freely access the key, but won't be able to export it to a file.

Crypt32
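The two practical steps behind the answer above, as an added example that is not part of the original question or answer: enrolling a VPN client certificate whose RSA key is generated inside the TPM via the Microsoft Platform Crypto Provider and marked non-exportable, and auditing the machine store afterwards to confirm which key storage provider holds each private key and what its export policy is. The subject name, CA config string and temp paths are placeholders (assumptions); the audit function inspects CNG keys and only flags legacy CSP keys rather than inspecting them.

```powershell
# Added example, not from the original post. Requires Windows PowerShell 5.1
# or later, run as an administrator when writing to the LocalMachine store.

function Get-ClientCertKeyProtection {
    # Report, for each certificate with a private key, the key storage
    # provider and whether the provider will export the key material.
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $row = [ordered]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            Provider     = $null
            ExportPolicy = $null
            Exportable   = $null
            TpmBacked    = $false
        }
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $key = $rsa.Key
                $row.Provider     = $key.Provider.Provider
                $row.ExportPolicy = $key.ExportPolicy
                # CngExportPolicies.None: the provider refuses any export of the key material.
                $row.Exportable   = ($key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
                $row.TpmBacked    = ($key.Provider.Provider -eq 'Microsoft Platform Crypto Provider')
            } elseif ($null -eq $rsa) {
                $row.Provider = 'non-RSA key (not inspected)'
            } else {
                $row.Provider = 'legacy CSP key (not inspected)'
            }
        } catch {
            # Typical cause: the calling user has no read access to the key.
            $row.Provider = "inaccessible: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

# Enrollment: generate the key in the TPM and mark it non-exportable.
# Subject and CA config string are assumptions for illustration.
$infPath = Join-Path $env:TEMP 'vpn-client.inf'
$reqPath = Join-Path $env:TEMP 'vpn-client.req'
$cerPath = Join-Path $env:TEMP 'vpn-client.cer'

@"
[NewRequest]
Subject = "CN=LAPTOP-0001.corp.example"
KeyAlgorithm = RSA
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft Platform Crypto Provider"
RequestType = PKCS10
KeyUsage = 0x80

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path $infPath -Encoding ASCII

# Create the key pair and the PKCS#10 request (-q suppresses UI prompts).
certreq -new -q $infPath $reqPath

# Submit to the issuing CA and bind the issued certificate to the TPM key.
# The CA config string "CAHOST\CA Name" is a placeholder for your environment.
certreq -submit -q -config "ca01.corp.example\Corp Issuing CA" $reqPath $cerPath
certreq -accept -q $cerPath

# Audit: every VPN client certificate should show TpmBacked = True and Exportable = False.
Get-ClientCertKeyProtection | Format-Table -AutoSize
```

Two caveats worth keeping in mind: `Exportable = FALSE` on a software (Microsoft Software Key Storage Provider) key only sets the export policy that the same provider enforces, so a user with read access to the key container can still copy the raw key files from the profile; only the TPM-backed provider gives you a key that physically cannot leave the device. And a TPM-bound key does not stop a malicious user from using the laptop itself as a VPN bridge, so the certificate factor is best combined with device health or compliance checks on the VPN side rather than relied on alone.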