Skip to content

Myths #2: PKI edition.

image

Take notice: My new feed address is now http://feed.feedcat.net/806052. Please re-subscribe.

BTW, did you know what do certificate template options like “Allow private key to be exported” or “Prompt the user during enrollment and require user input when the private key is used” really do? Do they make you more secure or not?

Certainly, some people who read my blog do know the answer, others have already guessed the answer: no. They don’t enforce any behavior on a client: it just communicate the requested by CA features.

A good example of it was windows 2003: while you weren’t able export the certificate through GUI you could do this with… some certificates. Furthermore, in Windows 2008 R2 (or Windows 7, as it goes) even some GUI instruments can export such a key. So you cannot restrict your user from exporting and moving the certificate.

Be careful and take care to think if you can trust what you see