From a subordinate Enterprise CA I want to generate a user certificate that serves as an authentication method for VPN connections. I want to install this certificate on the domain users with autoenrollment via a GPO. There is an option in the certificate to prevent users from exporting the private key of this certificate. Is it more secure if I configure the certificate with this option, or will it have no impact?

1 Answer

It is not "more secure". There are free tools to export the private key. This means that the certificate can be emailed to anyone and they can use it from anywhere.

This is why smart cards exist. They provide non-repudiation by disallowing export and controlling access to the certificate secrets. A TPM can also function as a virtual smart card.
