3

I am currently implementing an EAP/TLS WIFI implementation to replace our EAP/MSCHAP2 wifi implementation. I am using Windows Server 2008 and I've installed a certificate authority. User certificates are pushed using group policy. A wireless network policy is pushed using group policy as well. Everything works fine and connecting to wifi all works on the clients.

I did notice that the CA server creates a new user certificate for every device that logs on to the domain. So, let's assume you have 2 laptops and they both logon to the domain as the same user, they will both have a unique user certificate that is installed. Even though it all works fine and this does not cause any problems, I am really wondering what the whole idea behind this is.

I would expect that every user has 1 certificate and if a new device logs on to the domain, the same certificate will be issued. If a laptop gets stolen, it's easy to revoke the user certificate and create a new one. In the current scenario I need to figure out which certificate needs to be revoked and that feels wrong to me. People mentioned to me, that this gives more "enterprise" flexibility, however, I still don't see the point. If you want to have multiple user certificates for whatever reason (i.e. use them for different scenarios), this can easily be solved using a different sub ca and that feels like a proper solution to me. In addition to that, certificates are used to authenticate an user. If you would implement the same reasoning/logic using username/password systems (i.e. every laptop has a different password for the same user) people would think that this is very stupid.

So, I am missing the whole point of this. Can someone clarify why this is? Is it possible to implement this in a way that the CA will reissue the same certificate to every device that authenticates to the domain using the same user name?

squillman
  • 37,618
  • 10
  • 90
  • 145
gerwout
  • 33
  • 4

1 Answers1

3

I'm going to hypothesize that you're not using Roaming User Profiles, AppData Folder Redirection, or Credential Roaming in your environment. These features would allow the users' certificates to "follow" them as they move between computers. Because you're not using any of these features it's necessary for new certificates to be created. The old certificates can't be "re-issued" because the private key isn't present on the subsequent computer that the user is using.

I'd read-up on the three methods for "roaming" credentials between client computers to see which one will work best in your environment.

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328