[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7892
  • Last Modified:

Renewing expired EFS certificate

Ok...I tried to encrypt a file on my desktop today and got the error message "An error occurred applying attributes to file. Recovery policy configured for this system contains invalid recovery certificate." So naturally I googled it and searched the MS knowledge base and found that most likely a certificate had expired, etc, etc. So I searched thru the default domain policy and found the certificate that's being used in Windows-Security Settings-Public Keys -etc. The EFS certificate in use has certainly expired but the problem is that I can't seem to renew it. MS tells you to use the Certificate snap-in and use the default selection settings (I think it's like My User Account). I go thru all the steps but can't locate this certificate and, thus, can't renew it. Can anyone shed any light here? Thanks a bunch.
0
Haze0830
Asked:
Haze0830
  • 4
  • 2
1 Solution
 
gopal_krishnaCommented:

The original EFS File Recovery certificate is a self-signed certificate and
cannot be renewed.  You will have to replace that certificate.
1. Back up the original File Recovery certificate w/private key to a .pfx
file.  You'll need this file to recover encrypted files that may not get
updated to the new File Recovery certificate.  Do the backup in
MMC\Certificates snap-in on the DC that has the original certificate. (Log on
as Administrator to see this.)  Be sure the certificate you back up matches
the certificate that's in policy.

2. Run "cipher /r" to create a new File Recovery certificate (.Cer is the
public certificate and .pfx is the certificate w/the private key which should
be secured in a safe location.  The .pfx is what you use to recover files.)

3. Delete the expired certificate from EFS policy.

4. Add the new certificate (.cer file) to EFS policy.
Once policy refreshes, EFS will work again.

More information is here:

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Regards
Gopal Krishna K

Thanks.
Pat
0
 
Haze0830Author Commented:
Yes, I read that shortly after I posted this. The problem is that I can't back up the old one. The issue I think is that this server is not the ORIGINAL domain controller. The ORIGINAL one was replaced two months ago and is no longer on site. Thus, when i used the certificates snap-in to backup (or even view) the old one, there is no EFS cert to look at to begin with. Somehow though the defaul domain policy lists one (the old one I'm assuming as it has an expiration date of 12/2005 - almost a full year before the new server was even purchased. So what now?
0
 
Haze0830Author Commented:
ALSO...

Say I just go ahead and create a new one - no one that I know of encrypts files (or even knows that the option exists) so would it be that big a deal if I just replaced the old one? This is a small network - 9 users that really use it 24/7 - none of which are too computer savvy. Second off, how is there even one listed in the GPO if there isn't one technically on the server?
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
gopal_krishnaCommented:
I would suggest that you create a new one and replace the one which you have mentioned as 12/2005. And then follow the document if you need more assistance.

regards
Gopal Krishna K
0
 
Haze0830Author Commented:
That's the thing - there isn't an "old" one to replace. Even though the GPO specifies one to use - I can't locate the actual certificate via the steps MS gives you to replace one.
0
 
Haze0830Author Commented:
Well I created the new one and installed it where it needed to be. So...I guess I'm good to go. Thanks for the help.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now