We are considering using digital certs to verify that the machine connecting to our VPN service is in fact a company-owned machine. So one of my co-workers here mentioned that for a knowledgable user (and our users are for the most part CompSci PhD's) it would be trivial to copy the cert keys to another non-company-owned system that they want to use. My question is (and I've searched on Serverfault first :) is there some way to prevent the user from copying (exporting) the keypairs over to another machine? Or make the copied cert invalid if they do so? We in IT plan to be the ones installing the certs on the machines, but our users do need to have admin access to their machines to do their work. As well, the user's machines run a mix of Windows, Mac OS X and Linux OS's.
Thanks in advance for any answers provided...
In software, no, absolutely not. Even in windows, keys marked as non-exportable can be exported with a well-known GUI hack.
I'd suggest using smart cards for this purpose (wherein the key is stored and used on the card and generally not disclosed to the computer). That way, at least, the inside hacker would have to find the administrative password for the card or otherwise hack it, which is a lot less trivial than copying one stored in software.
You could also consider using computer certificates that encode the computer's hostname, and ensuring your authenticating software validates it. However, as it is generally quite easy to change computers' hostnames, I would suggest this would offer hardly any benefit.
No. Certificates (like everything else) are just bits. And bits can always be copied.