Whether you’re trying to protect source code, company secrets, or just trying to keep your users safe, machine and user certificates are an important part of a multi-factor authentication system that secures your territory. In the first part of this two-part series on deploying user and machine certificates using Group Policy, we will discuss what certificates are, best practices, and what they can be used for.
By Andrew Jacops

What Are Certificates?

Certificates, defined in the X.509 standard, are electronic identity credentials for users and devices on a network. They can be likened to birth certificates. When you are born, a government agency issues you a certificate as proof that you were in fact born, with the date and time of that occurrence, the place, etc. You can then use that certificate to prove that you are who you claim to be and reap the benefits of that verification, such as a driver’s license, a passport, and a job.

(Image: Certificate Information)

Certificate Authorities

In the example above, the government agency is the CA, or Certificate Authority, and the certificates are of course the birth certificates. A CA issues digital certificates and, by signing them, vouches for their authenticity so that anyone who trusts the CA can verify them.
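To make the analogy concrete, here is an added PowerShell example (not from the original article) that reads the identity fields of each certificate in the local computer’s Personal store and walks its chain back to the root CA: the Subject is the holder, the Issuer is the CA that vouched for it, and the chain elements are the tiers of the CA hierarchy. It assumes a Windows host with certificates in Cert:\LocalMachine\My; the expected root thumbprint is a placeholder you replace with your own root CA’s.

```powershell
# Added example, not the article's own code. Inspects machine certificates and walks
# each one's chain to the root CA, then checks that the root is the one you expect.
# Assumes a Windows host with certificates in Cert:\LocalMachine\My.
# Placeholder: replace with the thumbprint of your own (offline) root CA certificate.
$ExpectedRootThumbprint = 'REPLACE_WITH_YOUR_ROOT_CA_THUMBPRINT'

function Show-CertificateIdentity {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    [pscustomobject]@{
        Subject    = $Cert.Subject          # who the certificate was issued to
        Issuer     = $Cert.Issuer           # which CA signed (vouched for) it
        NotBefore  = $Cert.NotBefore        # validity window
        NotAfter   = $Cert.NotAfter
        Thumbprint = $Cert.Thumbprint       # SHA-1 fingerprint used to reference it
        HasKey     = $Cert.HasPrivateKey    # a machine cert is only usable with its key
        # EKU friendly names (e.g. Client Authentication) show what it may be used for
        Purposes   = ($Cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
    }
}

function Test-CertificateChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$RootThumbprint
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation online; the root itself has no CRL to consult.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $valid = $chain.Build($Cert)

    # Each element is one tier: leaf -> issuing CA -> root CA
    $tiers = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Valid       = $valid
        Status      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Tiers       = $tiers
        RootMatches = ($root.Thumbprint -eq $RootThumbprint)
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    Show-CertificateIdentity -Cert $_ | Format-List
    Test-CertificateChain -Cert $_ -RootThumbprint $ExpectedRootThumbprint | Format-List
}
```

A certificate whose chain builds but whose root thumbprint does not match is the case worth investigating: it means the machine trusts a root other than the one your PKI is built on, which is exactly what a compromised or rogue CA would look like from the client side.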

There are many different ideologies and best practices when it comes to utilizing a CA. Generally, a multi-tiered approach is preferred to maximize the integrity of the CA. If it is compromised, every certificate it issued becomes worthless, because anyone possessing the CA’s private keys can create trusted certificates for their own malicious purposes.

One of the many methods of keeping a CA secure is the “White Room” approach:

  1. Create the CA completely off of the network
  2. Create an Issuing server and pair it with the original CA
  3. Turn the original CA completely off and store it in a secure, off-site location
  4. Segregate the Issuing server from any device that does not need to interact with it

Another approach that is becoming more popular, especially because of the added layer of security, is using a Hardware Security Module. An HSM stores the CA’s private keys and speeds up the cryptographic operations. They come in many form factors, such as USB keys or hardware appliances, are tamper-proof, and have secure cryptoprocessor chips onboard. They can potentially replace the “White Room” approach because the keys never leave the device.

(Image: Certificate Authorities)

Public Key Infrastructure

Although Public Key Infrastructure, or PKI, is out of the scope of this article and can fill many, many books’ worth of information, I feel that it is important to bring it up, as both certificates and CAs are an integral part of the PKI technique.

Wikipedia defines PKI as a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. Government agencies, corporations, and even small companies utilize the PKI technique or variations of it to secure their digital landscape.

The CA and certificates are two parts of this vast cryptographic system.

(Image: Public Key Infrastructure (PKI))

What can certificates be used for?

More likely than not you are very familiar with one prominent type of certificate: the SSL certificate. Anywhere that you put payment or personal information into a web form, you always, or should always, check the validity of the certificate being used to encrypt the information you’re submitting across the wire. An invalid certificate is almost always a red flag, as is the complete lack of one when personal information is requested.

(Image: Secure Socket Layer (SSL))

Another use of certificates is the one we’re more interested in: the ability to identify the users and devices allowed on our network. When a user connects to a VPN, several things can take place.

  1. Machine certificate validated
  2. User credentials/PIN validated
  3. User certificate validated
  4. Registry watermark validated
  5. User/device permitted or denied

In this particular case, only devices issued by the company should be able to connect to this particular VPN. Any device that is not issued directly, such as personal laptops or smartphones, can connect to a more locked-down VPN from which more sensitive information or servers cannot be accessed.

802.1X wired and wireless authentication is also a good reason to use certificates. It prevents any device that is not specifically allowed from connecting to the network. In some cases, with the use of a TACACS server, these certificates can be used to ascertain what VLAN the device or user can connect to without the need to reconfigure a port or pass out precious security keys.
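Both the VPN sequence above and 802.1X enforcement only work if the client actually holds a usable certificate, so the following added PowerShell example (not from the original article) audits a Windows host before enforcement is turned on. It checks, for the machine store and the logged-on user’s store, that a certificate exists with a private key, carries the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), is inside its validity window, and chains to a trusted root. It assumes a domain-joined Windows host; the function and parameter names are mine.

```powershell
# Added example, not the article's own code. Audits whether this host holds a
# certificate that will satisfy certificate-based VPN or 802.1X authentication.
# Assumes a domain-joined Windows host with the usual Cert: drive stores.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-ClientAuthCertificate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    $now = Get-Date
    Get-ChildItem $StorePath | Where-Object {
        $_.HasPrivateKey -and                                   # key must be present and usable
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and    # inside the validity window
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
    }
}

function Test-ClientAuthReadiness {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    $candidates = @(Get-ClientAuthCertificate -StorePath $StorePath)
    if ($candidates.Count -eq 0) {
        return [pscustomobject]@{
            Ready  = $false
            Reason = "No valid Client Authentication certificate with a private key in $StorePath"
        }
    }

    foreach ($cert in $candidates) {
        # Verify() builds the chain against the host's trusted roots and checks revocation,
        # which is the same judgement the VPN gateway or RADIUS server will make.
        if ($cert.Verify()) {
            return [pscustomobject]@{
                Ready      = $true
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                ExpiresIn  = ($cert.NotAfter - (Get-Date)).Days   # days left before renewal is due
                Reason     = 'Usable for VPN / 802.1X client authentication'
            }
        }
    }

    [pscustomobject]@{
        Ready  = $false
        Reason = 'Candidates found, but none chains to a trusted root or passes revocation'
    }
}

# Machine certificate (step 1 of the VPN sequence)
Test-ClientAuthReadiness -StorePath 'Cert:\LocalMachine\My' | Format-List
# User certificate for the logged-on user (step 3)
Test-ClientAuthReadiness -StorePath 'Cert:\CurrentUser\My' | Format-List
```

Run it on a few pilot machines before the Group Policy deployment in part two goes out; a `Ready = False` with a "none chains to a trusted root" reason usually means the issuing CA or root certificate has not yet reached that host’s trusted stores, and enforcing 802.1X at that point would lock the machine off the network.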

Summary

As you can see, user and computer certificates are a vastly important part of securing a network from unauthorized or even improper use. By understanding the security techniques and uses that certificates are a part of, you will be better prepared to create a deployment plan and utilize them to their fullest extent.

In the next part, we will create and deploy these certificates using GPO. Until then, thanks for reading!


© 4sysops 2006 - 2022