Is it possible that the CA certificate should only be associated with one device? means one-time import.

[liyousheng]

For security reasons, when a CA Client certificate is installed once, can it be restricted from being installed on other devices?

I means if a pk12 certificate is leaked, how can I ensure that the certificate can‘t be installed again?

[rafall92]

No, you can't. Pk12 is not issued per device.

[primetomas]

There is nothing in the certificate itself that can prevent this if you are distributing private keys and certificate in P12 files, and if the devices are not trustworthy. You can link a certificate to a specific device serial number of course, and then it is up to the trustowrthiness of the devices (that they can'f fake their serial while using the cert) and the validation to validate serial number.
To make it really secure, it is about the storage of the private key, as it's all about the private key security not about the certificate. If devices generate their private keys themselves in secure hardware, and use an enrollment protocol such as ACME with Device Attestation or CMP, then it is impossible to another device to use some other certificate since the private key is locked to a specific device.

[liyousheng]

Thanks a lot!
Is there any tutorial on how to implement this method?

[primetomas]

We have this. But it will be an Enterprise feature:
https://www.keyfactor.com/blog/using-acme-to-automate-certificates-a-step-by-step-guide/
https://docs.keyfactor.com/ejbca/latest/acme-device-attest-01-challenge-poc
mentioned here: #705

You can do similar things, except the standardized device attestation, with CMP or EST, both which are great protocols to use for devices and used extensively in the industry.