802.1x EAP-TLS configuration

Dan S 1 Reputation point
2022-06-08T09:17:06.36+00:00

Hi, I'm a layman. I've recently become interested in 802.1x and I'm trying to set up authentication of computers to Ethernet ports using EAP-TLS in a small office. I will honestly admit that configuring this on the Windows 10 side is not very intuitive for me; I don't really understand how all the options available in the Authentication tab of the Ethernet card work.

Until a few days ago it didn't work for me at all, but now I can see on the switch side that authentication and port unblocking are taking place. I am configuring this as follows; can you tell me whether I am making any mistake? And one thing is bothering me: I completely don't understand at what stage the user certificate and private key are taken into account, because they are not given in the Authentication tab at all. Here I set up authentication for the computer, and is just this certificate/key pulled out of the certificate database as needed? On what basis?

My attempt is like this:

  1. I figured out that for Windows it's better if I have the certificate in PKCS#12 (PFX) format: a single *.p12 file as a container for the certificate itself, its key and the CA certificate.
  2. in Windows I open Microsoft Management Console (run -> mmc)
  3. File -> Add/Remove Snap-In...
  4. Certificates -> Add -> Computer account -> Local computer
  5. In Console Root -> Certificates -> Trusted Root Certification Authorities -> Certificates I right click and select All Tasks -> Import. There I select my *.p12 file.
  6. Import certificate to Certificate store: Trusted Root Certification Authorities.
  7. There are two certificates listed there: one is the user certificate and one is the CA certificate.
  8. in the Ethernet connection properties, under the Authentication tab, I check: Enable IEEE 802.1X authentication.
  9. choose: Microsoft: Smart Card or other certificate
  10. choose the option: When connecting: Use a certificate on this computer, and click Advanced; here I select my server's CA certificate from the Certificate Issuer list and click OK. (I don't actually know in this case when to provide a user certificate.)
  11. check the option: Verify the server's identity by validating the certificate, and again select my server's CA certificate from the list.
  12. In the Authentication tab, under Additional Settings..., I have the Specify authentication mode option checked and Computer authentication selected.

1 answer

    Gary Nebbett 6,456 Reputation points
    2022-06-08T13:58:30.337+00:00

    Hello Dan,

    In a "domain" environment, computers can be configured (via a GPO or otherwise) to auto-enroll for certificates. This is probably the "normal" case for most companies.

    One can direct individual computers to request a certificate from a certificate authority - the computers can then generate their own private keys (no need to distribute these in .pfx/.p12 files).

    Another option is to distribute certificates and keys manually, as you are currently doing; the long-term manageability of this approach is questionable.

    When manually importing the .p12 file, it would be best to use the "automatically select the certificate store" option, since normally the computer-specific certificate should be stored in its "Personal" store rather than the Trusted Root Certification Authorities store.

    Certificates expire and will need to be replaced (perhaps automatically); rather than depending on identifying the particular certificate to use, one specifies the issuing authority (CA) - the client then selects a valid certificate from its personal store issued by that authority and that matches the purpose/use (e.g. client authentication).

    Gary

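As an added example (not part of the question or of Gary's answer), the same import done from an elevated PowerShell prompt, placing the certificates where the answer says they belong, followed by a check that reproduces the supplicant's selection rule (a certificate in the computer's Personal store with a private key, not expired, carrying the Client Authentication EKU, and chaining through the CA picked in the "Certificate Issuer" list). The PFX path, its password prompt and the CA subject name are assumptions; substitute your own.

```powershell
# Added example, not code from the thread. Requires an elevated prompt because it writes
# to LocalMachine certificate stores.
#Requires -RunAsAdministrator
$pfxPath     = 'C:\certs\workstation.p12'                       # assumed path
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$issuerSubject = 'CN=Office Root CA'                            # assumed CA subject
$clientAuthOid = '1.3.6.1.5.5.7.3.2'                            # id-kp-clientAuth

# 1. End-entity certificate and its private key -> LocalMachine\My ("Personal").
$leaf = Import-PfxCertificate -FilePath $pfxPath -Password $pfxPassword `
                              -CertStoreLocation Cert:\LocalMachine\My
"Imported client certificate: $($leaf.Subject) (thumbprint $($leaf.Thumbprint))"

# 2. Any other certificates in the bag are the CA chain. A self-signed one is the root
#    (Trusted Root Certification Authorities); anything else is an intermediate ("CA" store).
$bag = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
foreach ($ca in $bag.OtherCertificates) {
    $storeName = if ($ca.Subject -eq $ca.Issuer) { 'Root' } else { 'CA' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($ca)
    $store.Close()
    "Imported CA certificate: $($ca.Subject) -> LocalMachine\$storeName"
}

# 3. Reproduce the selection the EAP-TLS supplicant makes when the profile names an issuer
#    rather than a specific certificate: the same rule keeps working after renewal.
function Test-EapTlsClientCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # extKeyUsage extension (OID 2.5.29.37) must list Client Authentication.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasClientAuth = $false
    if ($eku) {
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    }

    # Build the chain from the local stores. Revocation is skipped here so the check works
    # offline; leave it enabled on a production client.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)
    $issuerInChain = $false
    if ($chainOk) {
        $issuerInChain = [bool]($chain.ChainElements |
            Where-Object { $_.Certificate.Subject -eq $issuerSubject })
    }
    $notExpired = $Cert.NotAfter -gt (Get-Date)

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        NotExpired    = $notExpired
        ClientAuthEku = $hasClientAuth
        ChainBuilds   = $chainOk
        IssuerInChain = $issuerInChain
        Selectable    = $Cert.HasPrivateKey -and $notExpired -and $hasClientAuth -and
                        $chainOk -and $issuerInChain
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-EapTlsClientCert $_ } |
    Format-Table -AutoSize

# 4. Confirm the wired interface is using 802.1X and which profile it applies.
netsh lan show interfaces
```

If `Selectable` is false for every entry, the GUI profile will silently fall back to no usable certificate; the column that is false tells you whether the key, the EKU or the store placement is the problem. `netsh lan export profile folder=C:\temp interface="Ethernet"` writes the profile the GUI produced as XML, which is the easiest way to confirm which issuer and authentication mode were actually saved.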
