Digital Certificate types – FAQ

Posted on January 17, 2015


1. What is the difference between machine digital certificate and user certificate?

1.1 Answer for Microsoft Windows specifically:

Local machine certificate store

This type of certificate store is local to the computer and is global to all users on the computer. This certificate store is located in the registry under the HKEY_LOCAL_MACHINE root (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates); writing to it requires administrative rights.

Current user certificate store

This type of certificate store is local to a user account on the computer. This certificate store is located in the registry under the HKEY_CURRENT_USER root (HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates).
Be aware that all current user certificate stores inherit the contents of the local machine certificate stores. For example, if a certificate is added to the local machine Trusted Root Certification Authorities certificate store, all current user Trusted Root Certification Authorities certificate stores also contain the certificate. The security consequence is that whoever can write to the machine Trusted Root store (a local administrator, or code running as SYSTEM) makes every user on that computer trust a CA of their choosing, which is why additions to that store are worth auditing.

source: http://msdn.microsoft.com/en-us/library/windows/hardware/ff548653%28v=vs.85%29.aspx

1.2 Answer in terms of certificate contents (Active Directory certificate templates):

– For user certificates, the Subject Alternative Name (SubjectAltName) extension, if used, contains the user principal name (UPN), for example alice@corp.example. By default, the User certificate template is configured with the UPN.
– For computer certificates, the SubjectAltName extension, if used, contains the fully qualified domain name (FQDN) of the computer, which is also called the DNS name. By default, the Workstation Authentication certificate template is not configured with this value and must be reconfigured to meet this requirement.

Source: https://social.technet.microsoft.com/Forums/windowsserver/en-US/cd2092ee-83c8-4caf-ade4-cb8ae11d9055/whats-the-difference-between-a-user-certificate-and-computer-certificate-in-active-directory?forum=winserversecurity

1.3 Answer for Linux:

There is no registry-backed store. The system-wide CA trust store (the counterpart of the machine Trusted Root store) is mainly in
/etc/ssl/certs
(on Debian-derived systems it is populated by update-ca-certificates from /usr/share/ca-certificates and /usr/local/share/ca-certificates; Red Hat-derived systems use /etc/pki/ca-trust and update-ca-trust instead). The user's own key material is mainly in
/home/user/.ssh
but note that this directory holds SSH keys and OpenSSH certificates, not X.509 certificates; per-user X.509 certificates live wherever the application keeps them (for example the NSS database under ~/.pki/nssdb used by Chrome).

2. What is the difference between client and server Digital Certificate?

2.1 With the nsCertType extension (Netscape legacy, deprecated: modern TLS implementations ignore it, so do not rely on it)

nsCertType = client
nsCertType = server

https://www.openssl.org/docs/apps/x509v3_config.html

2.2 With the Extended Key Usage (EKU) extension

extendedKeyUsage=serverAuth
extendedKeyUsage=clientAuth

Value                  Meaning
serverAuth             SSL/TLS Web Server Authentication.
clientAuth             SSL/TLS Web Client Authentication.

A command example can be found here: https://www.openssl.org/docs/apps/x509v3_config.html#extended_key_usage_

Two caveats: a certificate may carry both values (extendedKeyUsage=serverAuth,clientAuth) and is then usable in either role; and if the extension is absent altogether, RFC 5280 places no restriction on its use, so most implementations (OpenSSL's -purpose check included) accept such a certificate for any purpose. Issue end-entity certificates with exactly the EKU values they need.
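The following script is an added example for this FAQ (it is not from the original post, nor from the Microsoft or OpenSSL pages linked above). It builds a throwaway CA with OpenSSL and issues a "user" certificate and a "computer" certificate that differ exactly where sections 1.2 and 2.2 say they differ: a UPN in the SAN (the Microsoft otherName OID 1.3.6.1.4.1.311.20.2.3) plus extendedKeyUsage=clientAuth for the user, a DNS name in the SAN plus extendedKeyUsage=serverAuth for the computer. It then lets openssl verify -purpose decide which role each certificate may play, which is the check that makes the EKU distinction enforceable. It assumes openssl 1.1.1 or later on PATH; the names corp.example, alice and host01 are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original FAQ): build a test CA, issue a user
# certificate and a computer certificate, and check their roles with
# openssl verify -purpose. Assumes openssl >= 1.1.1; all names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Self-signed root with its own config, so no system openssl.cnf is needed.
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout ca.key -out ca.crt -days 30 -config ca.cnf 2>/dev/null

# issue NAME CN EXTENSION-LINE...: generate key + CSR, sign with the given extensions.
issue() {
    name=$1; cn=$2; shift 2
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$cn" > "$name.cnf"
    printf '%s\n' "$@" > "$name.ext"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$name.key" -out "$name.csr" -config "$name.cnf" 2>/dev/null
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# User certificate (section 1.2): SAN carries the UPN as a Microsoft otherName,
# EKU restricts it to TLS client authentication (section 2.2).
issue user 'alice' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature' \
    'extendedKeyUsage=clientAuth' \
    'subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:alice@corp.example'

# Computer certificate: SAN carries the FQDN as a DNS name, EKU = serverAuth.
issue computer 'host01.corp.example' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:host01.corp.example'

# has_purpose CERT sslclient|sslserver: prints yes or no. openssl verify rejects a
# certificate whose EKU extension is present but lacks the value the role needs.
has_purpose() {
    if openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# san_of CERT: the value line of the Subject Alternative Name extension.
san_of() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | sed 's/^ *//'
}

for c in user computer; do
    echo "$c.crt: SAN=[$(san_of "$c.crt")]" \
         "client=$(has_purpose "$c.crt" sslclient)" \
         "server=$(has_purpose "$c.crt" sslserver)"
done
```

The user certificate verifies for sslclient and fails for sslserver; the computer certificate does the opposite. The DNS SAN prints as DNS:host01.corp.example; the UPN prints as an othername entry (OpenSSL 1.1.1 shows it as unsupported, 3.x decodes it as a UPN), which on Windows is the value that certificate-to-account mapping and certmgr's "Principal Name" field use.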