
If a wildcard certificate is provisioned for *.domain.fqdn, and has Client Authentication as a defined usage, does this mean the certificate can be used to essentially impersonate any domain machine?

My understanding is that it is up to the receiving entity how it validates the certificate against the machine, but I have not been able to properly ascertain whether standard EAP-TLS/802.1x, or similar, perform any further validation based on the subject and/or SAN.

Thanks!

SmithPlatts
  • It depends on the application. If you are talking about 802.1x in Active Directory, then a wildcard certificate is not acceptable for client computer authentication. – Crypt32 Jul 13 '21 at 06:54
  • @Crypt32 thank you for the information; would you happen to have some source doco on that? I'm not doubting, I just want to be able to pass information up the line. – SmithPlatts Jul 14 '21 at 04:18
  • Does your use case fall into the scenario provided in my previous comment? I mean, is it for use in 802.1x or authentication using Active Directory? – Crypt32 Jul 14 '21 at 07:53
  • The use case I have is that an ADCS template was configured with Server Authentication and Client Authentication, and a wildcard certificate was provisioned from that template. In this scenario, can that certificate now be used to impersonate any machine in that domain? From what I understand, standard web/SSL-based Client Auth will be dependent on the web application and how it validates the certificate, but 802.1x or AD auth will not, but I cannot find any doco to support that. – SmithPlatts Jul 14 '21 at 12:19

1 Answer


802.1x and Active Directory integrated authentication certificate requirements are outlined in the following document: Minimum client certificate requirements, specifically:

For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the fully qualified domain name (FQDN) of the client, which is also called the DNS name

NPS will look up in AD a computer account whose dNSHostName attribute value matches the name in the certificate (an exact, case-insensitive match is used). In the case of a wildcard certificate, it won't match any computer account (normally), thus a wildcard certificate cannot be used in Windows RADIUS client authentication.

Crypt32
  • Thank you! I was missing the NPS/RADIUS link in my searching, which was why I missed this document. Appreciated @Crypt32 – SmithPlatts Jul 14 '21 at 23:56
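The following is an added example, not code from the question, the answer, or Microsoft: it models the two matching rules contrasted on this page, the exact dNSHostName match the answer attributes to NPS and the conventional leftmost-label wildcard rule used for TLS hostname checks, so you can see why the same wildcard SAN passes one and fails the other. The sample directory, the simplified EKU representation, and the lookup being a plain dictionary are assumptions standing in for a real AD query.

```python
# Standard EKU OIDs for the two usages discussed on the page.
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"

# Constructed sample directory (assumption, not real domain data):
# sAMAccountName -> dNSHostName attribute of the computer object.
AD_COMPUTERS = {
    "WS01$": "ws01.corp.example",
    "SRV02$": "srv02.corp.example",
}


def nps_match_computer(san_dns_names, eku, directory=AD_COMPUTERS):
    """Model of the rule described in the answer: the certificate must carry the
    Client Authentication EKU and a SAN DNS name that equals a computer's
    dNSHostName exactly (case-insensitively). Wildcards get no special meaning,
    so '*.corp.example' is just a literal string that matches no account.
    Returns the matched sAMAccountName, or None."""
    if CLIENT_AUTH_EKU not in eku:
        return None
    by_name = {host.lower(): acct for acct, host in directory.items()}
    for name in san_dns_names:
        acct = by_name.get(name.lower())
        if acct is not None:
            return acct
    return None


def tls_hostname_match(pattern, hostname):
    """Conventional TLS (RFC 6125-style) hostname matching, shown for contrast:
    a single '*' as the whole leftmost label matches exactly one label, so
    '*.corp.example' matches 'ws01.corp.example' but not 'a.b.corp.example'."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels
```

Under the NPS-style rule the wildcard certificate from the question maps to no computer account, while the same SAN would satisfy an application that only applies TLS-style hostname matching, which is the "depends on the application" point made in the comments.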