TL;DR
Both users and machines can have certificates. Machine certificates are common for server authentication and code signing, while user certificates allow individuals to securely identify themselves (e.g., for email or VPN access). The key difference lies in what is being authenticated – the device itself or the person using it.
Understanding Certificates
A digital certificate is an electronic ‘passport’ that verifies the identity of a person, organisation, or device. It’s issued by a trusted Certificate Authority (CA).
1. Machine Certificates
- What they are: These certificates bind a public key to a specific computer or server.
- Common uses:
  - HTTPS/SSL/TLS: Securing websites (the padlock in your browser). The server presents its certificate to prove it is who it says it is.
  - Code Signing: Verifying the authenticity of software, ensuring it hasn’t been tampered with.
  - Server Authentication: Allowing other servers or services to trust this machine.
- How they work: The certificate is installed on the server/machine and used during secure connections. You can inspect an installed certificate’s contents (subject, issuer, validity period, extensions) with OpenSSL:

```
openssl x509 -in /path/to/your/certificate.crt -text -noout
```
2. User Certificates
- What they are: These certificates bind a public key to an individual user, not the device they’re using.
- Common uses:
  - Email Signing and Encryption (S/MIME): Proving you sent an email and encrypting it so only the recipient can read it.
  - VPN Access: Authenticating a user to a Virtual Private Network.
  - Smart Cards: Certificates stored on physical cards for secure login or digital signatures.
  - Client Authentication: Verifying a user’s identity when connecting to a service.
- How they work: The certificate is typically installed in the user’s browser, email client, or operating system. The user then uses this certificate during authentication processes (e.g., when prompted for a digital signature).
3. Key Differences Summarised
| Feature | Machine Certificate | User Certificate |
|---|---|---|
| Authenticates | The device/server | The user |
| Installation Location | Server, machine configuration | Browser, email client, OS |
| Typical Use Cases | HTTPS, code signing, server trust | Email security, VPN access, digital signatures |
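As an added example (not from the original article), the following Go program stands up a throwaway internal CA in memory, issues one machine certificate and one user certificate from it, and shows how a relying party tells them apart: the machine certificate names a host and carries the serverAuth Extended Key Usage, the user certificate names a person’s e-mail address and carries clientAuth and emailProtection, and the verifier rejects each one when it is offered for the other’s role. The CA, host name, person and e-mail address are all constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs tmpl under parent with the issuer's private key; subj is the key pair whose public half the certificate binds.
func issue(tmpl, parent *x509.Certificate, subj, issuer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subj.PublicKey, issuer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildPair stands up an in-memory internal CA (constructed for this example; every name is made up) and issues one machine and one user certificate from it.
func BuildPair() (ca, machine, user *x509.Certificate) {
	now := time.Now().Add(-time.Minute)
	base := func(serial int64, cn string) x509.Certificate {
		return x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	}
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := base(1, "Example Internal CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	ca = issue(&caTmpl, &caTmpl, caKey, caKey) // self-signed root
	mKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	m := base(2, "www.example.internal") // the device: identified by host name, permitted to act as a TLS server
	m.DNSNames = []string{"www.example.internal"}
	m.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	machine = issue(&m, ca, mKey, caKey)
	uKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	u := base(3, "Alice Example") // the person: identified by e-mail address, permitted to log in and sign mail
	u.EmailAddresses = []string{"alice@example.internal"}
	u.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection}
	user = issue(&u, ca, uKey, caKey)
	return ca, machine, user
}

// FitFor reports whether cert chains to ca AND its Extended Key Usage permits role; a user certificate with a valid chain is still not a valid TLS server certificate.
func FitFor(cert, ca *x509.Certificate, role x509.ExtKeyUsage) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{role}})
	return err == nil
}
```

Run FitFor with each certificate against each role: the machine certificate passes only for serverAuth, the user certificate only for clientAuth and emailProtection, even though both chain to the same CA.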
4. Can a user have both?
Yes! A user might rely on a website’s machine certificate when connecting to it securely and use their own user certificate to sign their emails. They are not mutually exclusive.
5. Obtaining Certificates
- Commercial CAs: Companies such as DigiCert, Sectigo, and GlobalSign provide certificates for a fee.
- Internal CAs: Organisations can set up their own CA to issue certificates internally (more complex to operate).
- Let’s Encrypt: A free, automated, and open Certificate Authority, primarily for TLS/SSL certificates.