2There is no binding of a certificate to a hardware. If you want this you need to use certificates which are integrated into the hardware and cannot be extracted from there, i.e smartcards. All major browser should support these for client certificates but of course you need to a have some smartcard reader on the client and a way to create these smartcards. Apart from that: try security.stackexchange.com for better help. – Steffen Ullrich – 2015-12-08T21:59:24.300

thanks Steffen, Are You aware of a viable solution with cheap USB devices? – ZioByte – 2015-12-08T22:02:34.530

I have no idea what cheap is for you but there are USB tokens which are essentially a smartcard + reader inside a USB device. Look for eToken (Alladin,, now at Gemalto) or similar devices. I have no idea of the prices. – Steffen Ullrich – 2015-12-08T22:10:49.437

Overall, smartcards are probably the right way to go. But here's another option. I don't know about Android, but for Windows, there are ways to issue "machine certificates" whose private keys are stored in the system's cert store, and can be marked as non-exportable (but can be exported with the right tools and know-how if you're determined). Windows machine certs are sometimes used for WPA2 EAP-TLS authentication to an enterprise Wi-Fi network, so the machine can be remotely administered/backed up even when no user is logged in. – Spiff – 2015-12-09T00:47:10.140