What's the difference between managing certificates for a user account and for a computer account?


The difference is exactly what it says. With Windows, certificates get assigned to accounts. So, if you want to apply a certificate to a specific computer, that's done by assigning the certificate to the computer account. This is a slight difference that's mainly just semantic when compared to *nix systems, where a user certificate would be stored in the user's directory somewhere, and a computer certificate would typically be found in a system directory somewhere.

Of course, as you noticed with your problem, the difference is that the computer account applies to the machine, and the user account applies to the user. If you need your machine to be authenticated with public key crypto (like an SSL cert for https, as the most common example), the certificate needs to be associated with the machine, not the user. If it's a user that you want to authenticate, rather than the whole machine, the certificate needs to be associated with the user.

Practically speaking, the difference you'll see in the certificate management snap-in is which "personal" certificate store you see and are able to manage - the one for the user account or the computer account... or for a service account, if you select that one. As you can see in the screenclip below, on my company workstation, my user has a certificate for code signing purposes, and my computer has a certificate for authentication when using secured protocols (RDP, HTTPS, TLS, etc.) - and they're different certificate stores, which you can see from their different paths.

As a result, my user can sign the PowerShell scripts I create, but my machine cannot. This is important, because the whole reason that I set up code signing certificates was because other coworkers were causing problems deploying broken copy-pasta scripts to our production servers, and I don't want them to get around that by simply logging on to my machine. Similarly, my user cannot claim to be the machine, because my user doesn't have my machine certificate.

[screenshot: the user's and the computer's Personal certificate stores, with their different store paths]

Don't ask me why Microsoft didn't design their certificate management snap-in so that you could view the user's and the machine's personal certificate stores at the same time in the same window, but they didn't. I would have done it differently, if they'd asked me, but instead, they paid someone else ungodly sums of money for something worse.

So because it makes a difference which "Personal" certificate store you're managing, and Microsoft paid someone other than me to design and create their certificate management snap-in, you have to select which account's certificates you want to manage when you add the snap-in.
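As an added PowerShell example (not part of the answer above), the following lists both Personal stores from one session through the Cert: drive and imports a third-party root CA into the machine-wide Trusted Root store, which is the store that makes the CA trusted for every account on the box rather than one user. The .cer path is a placeholder; the script assumes the built-in PKI module (Windows 8 / Server 2012 or later) and an elevated prompt for the LocalMachine write.

```powershell
# Added example, not the original answer's code.
# Assumption: C:\certs\ThirdPartyRoot.cer is a placeholder path to the CA's .cer file.

# The Cert: drive shows the user and computer hives side by side, which the MMC
# snap-in only does if you add two instances of it.
foreach ($hive in 'CurrentUser', 'LocalMachine') {
    Write-Host "== Cert:\$hive\My (Personal store) =="
    Get-ChildItem "Cert:\$hive\My" |
        Select-Object Thumbprint, Subject, NotAfter,
            @{ n = 'EKU'; e = { ($_.EnhancedKeyUsageList.FriendlyName) -join ', ' } } |
        Format-Table -AutoSize
}

# Trust is per store: CurrentUser\Root only affects the current user, while
# LocalMachine\Root is consulted for every user and service on the machine.
$rootCer = 'C:\certs\ThirdPartyRoot.cer'   # placeholder path
$root = Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root'

# Refuse to leave a non-CA certificate in the Root store; only CA certs belong there.
$bc = $root.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    Remove-Item "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    throw "$($root.Subject) is not a CA certificate; it was removed from Root."
}

# Confirm a leaf issued by this CA now chains to a trusted root in the machine context.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Issuer -eq $root.Subject | Select-Object -First 1
if ($leaf) {
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check of the trust path only
    $ok = $chain.Build($leaf)
    $status = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
    Write-Host "Chain valid for $($leaf.Subject): $ok $status"
}
```

If the chain still fails after the import, check whether the leaf's intermediate CA is missing from LocalMachine\CA, since a root alone does not complete a two-tier chain.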

Author: daisy

Updated on September 18, 2022

Comments

  • daisy
    daisy over 1 year

    We have some domain-joined computers that were unable to import a third party root cert as a trusted cert provider. In trying to fix this, I noticed that when we go to use the certificate management snap-in, we get a prompt like in the screenclip below.

[screenshot: the snap-in's prompt asking which account's certificates to manage]

    My question is, what's the difference between the user account and the computer account in the certificate management snap-in?

    • lbanz
      lbanz over 11 years
      I believe if you import it with the computer account, the certificate will be added to everyone's account whereas if you use a user account it will only be added to that specific user.
    • daisy
      daisy over 11 years
      @lbanz but after importing the cert as a trusted CA provider, I still see it as untrusted when I double-click on the .cer file
  • Ryan Bolger
    Ryan Bolger about 9 years
    You can just add a second (or more) instance of the Certificates snap-in in the same MMC console. One for Computer, one for user.
  • Massimo
    Massimo almost 7 years
    The answer is good, but maybe the rant about the UI (and especially about the payment of UI designers) could have been omitted...