Renewing expired EFS certificate

Posted on 2006-10-25
Last Modified: 2007-12-19
Ok...I tried to encrypt a file on my desktop today and got the error message "An error occurred applying attributes to file. Recovery policy configured for this system contains invalid recovery certificate." So naturally I googled it and searched the MS knowledge base and found that most likely a certificate had expired, etc, etc. So I searched thru the default domain policy and found the certificate that's being used in Windows-Security Settings-Public Keys -etc. The EFS certificate in use has certainly expired but the problem is that I can't seem to renew it. MS tells you to use the Certificate snap-in and use the default selection settings (I think it's like My User Account). I go thru all the steps but can't locate this certificate and, thus, can't renew it. Can anyone shed any light here? Thanks a bunch.
Question by:Haze0830
  • 4
  • 2

Accepted Solution

gopal_krishna earned 500 total points
ID: 17805938

The original EFS File Recovery certificate is a self-signed certificate and
cannot be renewed.  You will have to replace that certificate.
1. Back up the original File Recovery certificate w/private key to a .pfx
file.  You'll need this file to recover encrypted files that may not get
updated to the new File Recovery certificate.  Do the backup in
MMC\Certificates snap-in on the DC that has the original certificate. (Log on
as Administrator to see this.)  Be sure the certificate you back up matches
the certificate that's in policy.

2. Run "cipher /r" to create a new File Recovery certificate (.Cer is the
public certificate and .pfx is the certificate w/the private key which should
be secured in a safe location.  The .pfx is what you use to recover files.)

3. Delete the expired certificate from EFS policy.

4. Add the new certificate (.cer file) to EFS policy.
Once policy refreshes, EFS will work again.

More information is here:

Gopal Krishna K


Author Comment

ID: 17806845
Yes, I read that shortly after I posted this. The problem is that I can't back up the old one. The issue I think is that this server is not the ORIGINAL domain controller. The ORIGINAL one was replaced two months ago and is no longer on site. Thus, when i used the certificates snap-in to backup (or even view) the old one, there is no EFS cert to look at to begin with. Somehow though the defaul domain policy lists one (the old one I'm assuming as it has an expiration date of 12/2005 - almost a full year before the new server was even purchased. So what now?

Author Comment

ID: 17806863

Say I just go ahead and create a new one - no one that I know of encrypts files (or even knows that the option exists) so would it be that big a deal if I just replaced the old one? This is a small network - 9 users that really use it 24/7 - none of which are too computer savvy. Second off, how is there even one listed in the GPO if there isn't one technically on the server?
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails


Expert Comment

ID: 17807016
I would suggest that you create a new one and replace the one which you have mentioned as 12/2005. And then follow the document if you need more assistance.

Gopal Krishna K

Author Comment

ID: 17811334
That's the thing - there isn't an "old" one to replace. Even though the GPO specifies one to use - I can't locate the actual certificate via the steps MS gives you to replace one.

Author Comment

ID: 17811885
Well I created the new one and installed it where it needed to be. So...I guess I'm good to go. Thanks for the help.

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Sometimes a user will call me frantically, explaining that something has gone wrong and they have tried everything (read - they have messed it up more and now need someone to clean up) and it still does no good, can I help them?!  Usually the standa…
In a recent article here at Experts Exchange (, I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now