Whether you use Windows, macOS, or any other operating system, deploying digital certificates to your devices can be the most impactful step toward strengthening your network security. Digital certificates rely on asymmetric cryptography: each certificate is bound to a key pair consisting of a public key and a private key, and authentication cannot be forged without the private key, which never leaves the device. Unlike passwords, certificates are therefore effectively immune to being stolen.
Although there are many types of digital certificates, the distinction of user vs. device/machine certificates only applies to Windows and macOS operating systems. Here we will explain how you can enable machine certificate authentication for your Windows devices.
What is a Machine Certificate?
Machine certificates are X.509 digital certificates generated by a Public Key Infrastructure (PKI) and issued to a machine or device. They’re also sometimes called “device certificates” or “computer certificates.”
Machine certificates are typically deployed to machines that are not shared or not used by end-users at all (like servers, for example). By contrast, user certificates are deployed to individuals that may use a shared computer or device to access the network.
In both cases, a certificate provides valuable identity context about the entity accessing the network. A machine certificate carries identifying attributes for the device on which it is installed, such as the subject name, serial number, issuer, and validity period (issuance and expiry dates).
Where are Machine Certificates Stored in Windows?
In Windows, all certificates, including machine certificates, are stored locally in the Certificate Store. The store holds certificates from various certification authorities and is divided into two types:
- Local machine certificate store
- Current user certificate store
Local machine certificate store
The local machine certificate store plays a dual role: it is global to all users of the device and local to the device itself. You can locate the “Local machine certificate store” in the registry under the HKEY_LOCAL_MACHINE root.
Current user certificate store
It is also worth noting that almost every “Current user certificate store” (except the Current User\Personal store) inherits the contents of the corresponding local machine certificate store. For example, if you add a certificate to the local machine Trusted Root CA certificate store, every current user Trusted Root CA certificate store automatically inherits that certificate.
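The following PowerShell session is an added example, not code from the original post or from SecureW2. It uses the built-in `Cert:` drive to show the inheritance described above (the Current User Trusted Root view includes the Local Machine roots, while the Personal stores stay separate) and then lists the machine certificates in `Cert:\LocalMachine\My` that are actually usable for device authentication: private key present, not expired, Client Authentication EKU, and a chain that validates to a trusted root. Run it in an elevated PowerShell on the device being checked.

```powershell
# Added example (not from the original post): compare the Local Machine and
# Current User certificate stores, then find machine certificates that can
# authenticate the device (e.g. for EAP-TLS / 802.1X). Run elevated.

# 1. Trusted roots: the Current User\Root view inherits the Local Machine\Root entries.
$machineRoots = @(Get-ChildItem Cert:\LocalMachine\Root)
$userRoots    = @(Get-ChildItem Cert:\CurrentUser\Root)
$inherited    = @($userRoots | Where-Object { $machineRoots.Thumbprint -contains $_.Thumbprint })
"Local Machine roots: {0}; of these, visible in the Current User view: {1}" -f $machineRoots.Count, $inherited.Count

# 2. The Personal store does NOT inherit: a machine cert in LocalMachine\My
#    is not visible in CurrentUser\My.
$machinePersonal = @(Get-ChildItem Cert:\LocalMachine\My)
$userPersonal    = @(Get-ChildItem Cert:\CurrentUser\My)
$overlap = @($machinePersonal | Where-Object { $userPersonal.Thumbprint -contains $_.Thumbprint })
"Machine Personal certs: {0}; also present in the user Personal store: {1}" -f $machinePersonal.Count, $overlap.Count

# 3. Which machine certificates can actually authenticate the device?
#    Note: a certificate with no EKU extension at all is valid for any purpose
#    but is excluded by this filter; relax the EKU test if your CA issues such certs.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$now = Get-Date
$machinePersonal |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
            # Test-Certificate builds the chain to a trusted root and checks
            # revocation where the CRL/OCSP endpoints are reachable.
            ChainValid = Test-Certificate -Cert $_ -EKU $clientAuthOid -ErrorAction SilentlyContinue
        }
    } | Format-Table -AutoSize
```

If step 2 ever reports an overlap, a device key has been copied into a user profile store, which is worth investigating: machine certificates should live only in the Local Machine store, where the private key is protected by the computer account rather than by a user's DPAPI secrets.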
How to configure Machine Certificate on Windows?
You can allow both domain and non-domain members to use certificates for authentication. To enroll devices for machine certificates, you can either use Microsoft’s Active Directory Certificate Services (AD CS) or any other reliable commercial PKI provider like SecureW2’s JoinNow Connector PKI.
Configuring AD CS for Windows Machine Certificate Auth
AD CS is Microsoft’s legacy utility for generating certificates and can be extended to build a PKI platform that allows you to distribute and revoke them as well.
For domain members, the process is simple: you design a certificate template and deploy it to devices using Group Policy. The machine certificate is installed only after the member device starts up and applies the policy.
For non-domain members, you’ll need to configure certificate mapping to associate the certificate with the non-domain member. That method places additional identifying information in the certificate so that IPsec can match the certificate to the user or device.
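The domain-member path above, shown end to end as an added example (this is not code from the original post or from SecureW2). It triggers the Group Policy and auto-enrollment refresh for the computer account, falls back to an explicit request against the AD CS template if auto-enrollment is not configured, and then confirms that the resulting certificate landed in the Local Machine Personal store. The template name is an assumption: `Machine` is the internal name of the default "Computer" template, so substitute the name of your own template.

```powershell
# Added example (not from the original post): obtain a machine certificate from
# AD CS on a domain-joined Windows device and verify where it was stored.
# Run in an elevated PowerShell; the PKI module (Get-Certificate) ships with Windows.

$templateName = 'Machine'   # ASSUMPTION: internal name of the built-in "Computer" template; use your own

# 1. Refresh computer policy and kick off certificate auto-enrollment.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

# 2. If the template is not set to auto-enroll, request it explicitly.
#    Status is 'Issued', 'Pending' (CA manager approval required) or 'Denied'.
$result = Get-Certificate -Template $templateName -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Stop
"Enrollment status: {0}" -f $result.Status

if ($result.Status -eq 'Pending') {
    # Pending requests are parked in Cert:\LocalMachine\Request; retry them
    # once the CA manager has approved the request.
    Get-ChildItem Cert:\LocalMachine\Request | Get-Certificate | Out-Null
}

# 3. Verify: the new certificate should sit in LocalMachine\My (not CurrentUser\My),
#    with a private key and the Client Authentication EKU the network will require.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
```

Because `Get-Certificate` runs under the computer account when `-CertStoreLocation` points at `Cert:\LocalMachine\My`, the template must grant the computer (or a group containing it) Enroll permission; a `Denied` status with no further detail is almost always that missing permission or a template that is not published on the issuing CA.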
Since nearly every org has a license for Windows Server and thus access to AD CS, this method is very accessible. Unfortunately, AD CS was designed for on-premises Active Directory environments, a significant step backward in today’s cloud world. AD CS can be extended to the Azure AD cloud with some limitations, but it still requires on-premises components, vastly increasing the complexity and cost of maintaining it.
Configuring SecureW2 PKI for Windows Machine Certificate Auth
As we have seen, AD CS is best suited for organizations running an on-premises setup with an outdated Active Directory as the Identity Provider. Thus it’s always advisable to use SecureW2’s Managed PKI for Microsoft environments, because it avoids the lengthy deployment process and is far less expensive than an on-prem setup.
AD CS does not generally have a certificate management feature, but we offer an entire certificate management portal with a single-pane GUI that gives insight into every certificate. You can also customize your certificates with a wide range of attributes for truly powerful authentication policies. We are vendor neutral and compatible with almost all cloud IdPs, providing a robust certificate platform.
The Best Machine Certificate Authentication Solution
It is evident that manually configuring certificates or using on-premises environments is a step backward from the contemporary best practice of cloud-based certificate authentication. However, we understand that some organizations struggle to make the switch due to a lack of proper expertise and knowledge.
For those organizations, SecureW2’s product suite is the solution. We provide everything you need for certificate-based authentication, from device onboarding to certificate revocation, in a vendor-neutral package that can be integrated into your existing network. Here’s our budget-friendly pricing and a one-stop gateway for your secure network authentication solutions.