Establish a mapping from a user certificate to the associated computer

Author Uwe GradeneggerPosted on Categories Certificate usage, Certification Authority, Certification Authority Database

Assume the following scenario:

  • A user's computer is stolen or infected with malware.
  • The integrity of certificates located on the computer can no longer be guaranteed.
  • The certificates of the user(s) that were requested on this computer must be revoked.
  • However, one would like to avoid revoking all certificates of a user.
  • Thus, a connection must be established between the user's certificates and the computer on which they were requested.

If the certificates were issued by Autoenrollment requested, we can take advantage of the fact that a corresponding attribute was part of the original certificate request, and that the certificate request is stored in the certificate authority database along with the certificate.

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

The method does not work if Credential Roaming or Roaming User Profiles are configured, since the private keys will migrate to other machines in such a case.

In the Certificate Authority Management Console (certsrv.msc), you first switch to the "Issued Certificates". Then, under "View" - "Filter...", a filtering of the displayed database entries is performed.

The filter is set to the "Requester Name" field. Only certificates that the relevant user has requested are to be displayed, in the example INTRA\rudi.

Then click on "View" - "Add/Remove Columns..." to add an additional column to the displayed database entries.

We specify that the "Binary Request" column should be output.

Now we are able to right-click the returned certificates in the result overview and select "All Tasks" - "Export Binary Data...".

We have the "Binary Request" output in the "formatted text version of data".

A text editor opens with a prepared output of the certificate request belonging to the certificate. Here you should find an attribute "Client Information" which contains, among other things, the host name of the associated computer.

en_USEnglish
de_DEDeutsch en_USEnglish