1. What is the difference between machine digital certificate and user certificate?
1.1 Answer for Microsoft Windows specifically:
Local machine certificate store
This type of certificate store is local to the computer and is global to all users on the computer. This certificate store is located in the registry under the HKEY_LOCAL_MACHINE root.
Current user certificate store
This type of certificate store is local to a user account on the computer. This certificate store is located in the registry under the HKEY_CURRENT_USER root.
Be aware that all current user certificate stores inherit the contents of the local machine certificate stores. For example, if a certificate is added to the local machine Trusted Root Certification Authorities certificate store, all current user Trusted Root Certification Authorities certificate stores also contain the certificate.
1.2 Answer in general:
– For user certificates, the Subject Alternative Name (SubjectAltName) extension, if used, contains the user principal name (UPN). By default, the User certificate template is configured with the UPN.
– For computer certificates, the SubjectAltName extension, if used, contains the fully qualified domain name (FQDN) of the computer, which is also called the DNS name. By default, the Workstation Authentication certificate template is not configured with this value and must be reconfigured to meet this requirement.
1.3 Answer for Linux:
The system certificates are mainly in
and the user has its certificates mainly in
2. What is the difference between client and server Digital Certificate?
2.1 With the nsCertType extension (deprecated):
nsCertType = client
nsCertType = server
2.2 With the EKU extension (Extended Key Usage):
serverAuth: SSL/TLS Web Server Authentication.
clientAuth: SSL/TLS Web Client Authentication.
A command example can be found here: https://www.openssl.org/docs/apps/x509v3_config.html#extended_key_usage_
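The following script is an added example, not part of the original page and not taken from the OpenSSL documentation linked above. It ties sections 1.2 and 2.2 together: it builds a throwaway test CA, issues a "computer" certificate whose SAN carries a DNS name and whose EKU is serverAuth, and a "user" certificate whose SAN carries a UPN (the Microsoft UPN otherName OID 1.3.6.1.4.1.311.20.2.3) and whose EKU is clientAuth, then uses openssl verify -purpose to show that the EKU is what decides which role a certificate may play. All names (Demo Test CA, host01.example.test, alice@example.test) are constructed; it requires only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the page): server vs client certificates decided by EKU,
# computer vs user certificates decided by the SAN contents. Names are constructed.
set -e

WORK="${TMPDIR:-/tmp}/eku-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway test CA (constructed name). Extensions are given explicitly so the
# result does not depend on the distribution's default openssl.cnf.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Test CA" \
  -keyout ca.key -out ca.csr 2>/dev/null
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 2 -extfile ca.ext -out ca.crt 2>/dev/null

# issue_cert NAME SUBJECT SAN EKU: create a key + CSR and sign a leaf certificate
# with the given subjectAltName and extendedKeyUsage.
issue_cert() {
  name=$1; subject=$2; san=$3; eku=$4
  cat > "$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectAltName = $san
EOF
  openssl req -new -newkey rsa:2048 -nodes -subj "$subject" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# Computer certificate: SAN = FQDN (DNS name), EKU = serverAuth (section 1.2 / 2.2).
issue_cert server "/CN=host01.example.test" "DNS:host01.example.test" serverAuth
# User certificate: SAN = UPN via Microsoft's otherName OID 1.3.6.1.4.1.311.20.2.3,
# EKU = clientAuth.
issue_cert user "/CN=alice" \
  "otherName:1.3.6.1.4.1.311.20.2.3;UTF8:alice@example.test" clientAuth

# check_purpose CERT PURPOSE: prints "ok" if the chain verifies for that purpose,
# "fail" otherwise. openssl verify -purpose enforces the EKU (sslserver needs
# serverAuth, sslclient needs clientAuth), so a server cert cannot act as a client.
check_purpose() {
  if openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# san_of CERT: print the subjectAltName extension so the DNS vs UPN content is visible.
san_of() {
  openssl x509 -in "$1" -noout -ext subjectAltName
}

echo "server.crt as sslserver: $(check_purpose server.crt sslserver)"   # ok
echo "server.crt as sslclient: $(check_purpose server.crt sslclient)"   # fail
echo "user.crt   as sslclient: $(check_purpose user.crt sslclient)"     # ok
echo "user.crt   as sslserver: $(check_purpose user.crt sslserver)"     # fail
san_of server.crt
san_of user.crt
```

Note that older OpenSSL releases print the UPN otherName as "othername:<unsupported>" while 3.x decodes it as a UPN; the DNS SAN prints the same everywhere. In a TLS deployment the same check happens implicitly: a peer presenting the client certificate as a server certificate is rejected with an "unsupported certificate purpose" error.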