question

Learning-8652 avatar image
0 Votes"
Learning-8652 asked LimitlessTechnology-2700 answered

Device Cert on MAC

We have some issues with our Macs and need some insight from any one here in forum please.



We use PKI issued certs for client device access to apps via Azure AD Conditional Access rules, and to AnyConnect client VPN. For both of these use cases the auth is leveraging the User issued certificates.

At the same time while we issue User certificates, we also issue Device certificates to all endpoints. Our Macs have an issue with having both device and user cert, so we are considering no longer issuing device certs and only issuing user certs.

Can some one please provide any thoughts on this proposal, potential issues if devices no longer have device and only user certs, and anything it may impact?

windows-server-security
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

LimitlessTechnology-2700 avatar image
0 Votes"
LimitlessTechnology-2700 answered

Hi @Learning-8652

There are a number of differences between device and user certificates.

For user certificates, the Subject Alternative Name (SubjectAltName) extension, if used, contains the user principal name (UPN). By default, the User certificate template is configured with the UPN.

For computer certificates, the SubjectAltName extension, if used, contains the fully qualified domain name (FQDN) of the computer, which is also called the DNS name. By default, the Workstation Authentication certificate template is not configured with this value and must be reconfigured to meet this requirement.

For details:

Computer and User Certificate Requirements
http://technet.microsoft.com/en-us/library/dd197531(v=WS.10).aspx

In addition, I'd like to share some related article for your reference:

Certificates
http://technet.microsoft.com/en-us/library/cc700805.aspx

How Certificates Work
http://technet.microsoft.com/en-us/library/cc776447(v=WS.10).aspx

You have to be on a domain computer to get a User cert issued to you. This could be the reason you’re having problems with your Macs.

I do hope this answers your question.

--If the reply is helpful, please Upvote and Accept as answer--

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.