We help IT Professionals succeed at work.

Renewing expired EFS certificate

Haze0830 asked
Medium Priority
Last Modified: 2007-12-19
Ok...I tried to encrypt a file on my desktop today and got the error message "An error occurred applying attributes to file. Recovery policy configured for this system contains invalid recovery certificate." So naturally I googled it and searched the MS knowledge base and found that most likely a certificate had expired, etc, etc. So I searched thru the default domain policy and found the certificate that's being used in Windows-Security Settings-Public Keys -etc. The EFS certificate in use has certainly expired but the problem is that I can't seem to renew it. MS tells you to use the Certificate snap-in and use the default selection settings (I think it's like My User Account). I go thru all the steps but can't locate this certificate and, thus, can't renew it. Can anyone shed any light here? Thanks a bunch.
Watch Question

The original EFS File Recovery certificate is a self-signed certificate and
cannot be renewed.  You will have to replace that certificate.
1. Back up the original File Recovery certificate w/private key to a .pfx
file.  You'll need this file to recover encrypted files that may not get
updated to the new File Recovery certificate.  Do the backup in
MMC\Certificates snap-in on the DC that has the original certificate. (Log on
as Administrator to see this.)  Be sure the certificate you back up matches
the certificate that's in policy.

2. Run "cipher /r" to create a new File Recovery certificate (.Cer is the
public certificate and .pfx is the certificate w/the private key which should
be secured in a safe location.  The .pfx is what you use to recover files.)

3. Delete the expired certificate from EFS policy.

4. Add the new certificate (.cer file) to EFS policy.
Once policy refreshes, EFS will work again.

More information is here:


Gopal Krishna K


Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


Yes, I read that shortly after I posted this. The problem is that I can't back up the old one. The issue I think is that this server is not the ORIGINAL domain controller. The ORIGINAL one was replaced two months ago and is no longer on site. Thus, when i used the certificates snap-in to backup (or even view) the old one, there is no EFS cert to look at to begin with. Somehow though the defaul domain policy lists one (the old one I'm assuming as it has an expiration date of 12/2005 - almost a full year before the new server was even purchased. So what now?



Say I just go ahead and create a new one - no one that I know of encrypts files (or even knows that the option exists) so would it be that big a deal if I just replaced the old one? This is a small network - 9 users that really use it 24/7 - none of which are too computer savvy. Second off, how is there even one listed in the GPO if there isn't one technically on the server?
I would suggest that you create a new one and replace the one which you have mentioned as 12/2005. And then follow the document if you need more assistance.

Gopal Krishna K


That's the thing - there isn't an "old" one to replace. Even though the GPO specifies one to use - I can't locate the actual certificate via the steps MS gives you to replace one.


Well I created the new one and installed it where it needed to be. So...I guess I'm good to go. Thanks for the help.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.