802.1X: Certificate for computer authentication

4

1

I'm setting up wired 802.1X authentication using EAP-TLS on Windows 7.

There's a distinction between "User authentication" (authentication is done after the Windows logon, using the user's personal certificate) and "Computer authentication" (happens before logon).

Installing the certificate for "User authentication" was straightforward using the certificate import wizard, but I can't seem to figure out what to do differently if I want to use a given certificate for "Computer authentication". Does it go in a different certificate store?

This is important because the machines are supposed to have network connectivity even when there's no user logged on.

So where do I import a certificate for that purpose?

Bad Idea

Posted 2017-04-18T08:51:45.697

Reputation: 61

Answers

2

I have figured it out.

For the record, the certificate can be added by going via the "management console" (mmc.exe), adding the "Certificates" Snap-in (select "Computer account"). Therein, select the "Personal" cert store, right click, all tasks, Import.

The machine certificate goes into "Personal", the CA certificate into "Trusted Root Certification Authorities".

Bad Idea

Posted 2017-04-18T08:51:45.697

Reputation: 61

Yes, and to add to the completeness of the answer, all this needs to be done in the "local computer" certificate store instead of the "current user" certificate store. – slantalpha – 2019-07-19T23:01:36.213
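A scripted equivalent of the MMC steps in the answer above, as an added example that is not part of the original posts: it imports the machine certificate into the local computer's "Personal" store and the CA certificate into its trusted root store, then checks what computer authentication depends on. The file paths are placeholders, and the Client Authentication EKU check is an extra check added here, not something the thread mentions.

```powershell
# Run from an elevated PowerShell prompt (writing to LocalMachine stores needs admin rights).
$pfxPath = 'C:\certs\machine.pfx'   # placeholder: machine certificate with its private key
$caPath  = 'C:\certs\ca.cer'        # placeholder: CA certificate

$x509 = 'System.Security.Cryptography.X509Certificates'
# MachineKeySet puts the private key in the machine key container instead of a user
# profile, so it is usable before any user logs on. PersistKeySet keeps it after import.
$keyFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
$machine  = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine

$password    = Read-Host -AsSecureString 'PFX password'
$machineCert = New-Object "$x509.X509Certificate2" -ArgumentList $pfxPath, $password, $keyFlags
$caCert      = New-Object "$x509.X509Certificate2" -ArgumentList $caPath

function Add-ToMachineStore([string]$StoreName, $Cert) {
    # 'My' is the store shown as "Personal" in the Certificates snap-in;
    # 'Root' is the trusted root store.
    $store = New-Object "$x509.X509Store" -ArgumentList $StoreName, $machine
    $store.Open('ReadWrite')
    try { $store.Add($Cert) } finally { $store.Close() }
}

Add-ToMachineStore 'My'   $machineCert
Add-ToMachineStore 'Root' $caCert

# Verify: the certificate must be in the computer store (not Cert:\CurrentUser\My),
# carry a private key, be inside its validity period, and allow client authentication.
$found = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $machineCert.Thumbprint }
if (-not $found) { throw 'Certificate not found in Cert:\LocalMachine\My' }

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$ekuExt = $found.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
# A certificate without an EKU extension is not restricted to specific purposes.
$clientAuthOk = (-not $ekuExt) -or
    (@($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }).Count -gt 0)

$now = Get-Date
New-Object PSObject -Property @{
    Subject       = $found.Subject
    Thumbprint    = $found.Thumbprint
    HasPrivateKey = $found.HasPrivateKey
    InValidity    = ($now -ge $found.NotBefore) -and ($now -le $found.NotAfter)
    ClientAuthEku = $clientAuthOk
    CaInRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $caCert.Thumbprint })
}
```

If `HasPrivateKey` is reported as False, the file imported was a certificate without its key, and EAP-TLS computer authentication cannot use it.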