Public Key Infrastructure (PKI) Technology require issuance of digital certificates by the Certificate Authority to each valid user where the digital certificate will be needed whenever the user performing the PKI operations such as Login, Signing, etc. The effectiveness and security of any PKI system rely critically on the security of the certificates or perhaps the user’s Private Keys.
In term of the certificate, there are 2 common ways where the certificates are defined:-
Hardware based Certificate
A portable storage will be used to store the “certificates” and usually PKI smart card or USB token are the most common options. Most PKI security devices (smart card or USB token) support key pair generation in hardware, subsequently invoked by digital signature firmware also in the chip, so under no circumstances need the private key ever leave the secure environment, thus will never expose to potential threat.
This is where the “certificates” are stored in the user’s computer where the private keys are often stored in a standard registry or file system location. The generation of PKI key pairs likely to be done either on the user computer or at the Certificate Authority server end.
Weaknesses of Soft Certificate
There are significant security compromises as soft certificates often stored in the standard registry or file locations which are vulnerable to various attacks where the private key may be stolen or substituted, usually without the user even being aware of it.
Platform or Machine Dependency
Some soft certificates disallow exporting features thus the user can only use it at the only computer that already installed with the specific soft certificates. Whereas some soft certificates allow exporting but typically credential exported from one browser can only be loaded back to a browser from the same manufacturer, also there are risks of private keys being exposed during exporting process.
It will involve more steps from the initial installation to exporting of certificate (when changing computer) which additional user training might be necessary.