Renewing expired EFS certificate

Posted on 2006-10-25
Last Modified: 2007-12-19
Ok... I tried to encrypt a file on my desktop today and got the error message "An error occurred applying attributes to file. Recovery policy configured for this system contains invalid recovery certificate." So naturally I googled it and searched the MS knowledge base and found that most likely a certificate had expired, etc., etc. So I searched through the Default Domain Policy and found the certificate that's being used in Windows - Security Settings - Public Keys - etc. The EFS certificate in use has certainly expired, but the problem is that I can't seem to renew it. MS tells you to use the Certificates snap-in and use the default selection settings (I think it's "My User Account"). I go through all the steps but can't locate this certificate and, thus, can't renew it. Can anyone shed any light here? Thanks a bunch.
Question by:Haze0830

Accepted Solution

gopal_krishna earned 500 total points
ID: 17805938

The original EFS File Recovery certificate is a self-signed certificate and cannot be renewed. You will have to replace that certificate.

1. Back up the original File Recovery certificate with its private key to a .pfx file. You'll need this file to recover encrypted files that may not get updated to the new File Recovery certificate. Do the backup in the MMC\Certificates snap-in on the DC that has the original certificate. (Log on as Administrator to see this.) Be sure the certificate you back up matches the certificate that's in policy.

2. Run "cipher /r" to create a new File Recovery certificate (.cer is the public certificate and .pfx is the certificate with the private key, which should be secured in a safe location. The .pfx is what you use to recover files.)

3. Delete the expired certificate from EFS policy.

4. Add the new certificate (.cer file) to EFS policy.

Once policy refreshes, EFS will work again.

More information is here:

Gopal Krishna K
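The steps above, as an added PowerShell example (not from the original thread or from the answerer): it lists the DRA thumbprints the EFS policy currently delivers, finds local certificates carrying the File Recovery EKU, reports whether each is expired and whether its private key is present, backs up any that match policy to a password-protected .pfx, and then runs `cipher /r` to generate the replacement pair. It assumes Windows PowerShell 5.1 or later with the PKI module (for Export-PfxCertificate), that it runs as the account holding the DRA private key, and that the backup directory and file base names are placeholders you choose. The registry path for policy-delivered certificates is the standard location for Public Key Policies, but treat it as an assumption and check it on your own domain.

```powershell
# Added example: inventory, back up and replace an EFS Data Recovery Agent (DRA)
# certificate, following the four steps in the accepted answer. Not from the thread.
# Assumptions: PowerShell 5.1+ with the PKI module; run as the account that owns the
# DRA private key (usually Administrator on the DC where cipher /r was first run).

$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'          # "File Recovery" enhanced key usage OID
$BackupDir       = 'C:\EFS-DRA-Backup'                  # assumed path for exported material
$NewCertBase     = Join-Path $BackupDir 'efs-dra-new'   # cipher /r appends .cer and .pfx

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Which DRA certificates does the policy currently name?
#    Group Policy delivers only the PUBLIC certificate to this key; the private key
#    exists only where the cert was generated. That is why a cert can be listed in the
#    GPO while no matching key shows up in the Certificates snap-in on a replacement DC.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'  # assumed standard location
$PolicyThumbprints = @()
if (Test-Path $PolicyKey) {
    $PolicyThumbprints = @((Get-ChildItem $PolicyKey).PSChildName)
}
Write-Host "DRA thumbprints in EFS policy: $($PolicyThumbprints -join ', ')"

# 2. Find local certificates with the File Recovery EKU and report their state.
$LocalDra = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryEku }

$matched = $false
foreach ($c in $LocalDra) {
    $inPolicy = $PolicyThumbprints -contains $c.Thumbprint
    $expired  = $c.NotAfter -lt (Get-Date)
    Write-Host ("{0}  expires {1:yyyy-MM-dd}  expired={2}  inPolicy={3}  hasKey={4}" -f
        $c.Thumbprint, $c.NotAfter, $expired, $inPolicy, $c.HasPrivateKey)

    # 3. Back up any cert that is in policy and has its key here (step 1 of the answer),
    #    so files already protected with it remain recoverable after the policy changes.
    if ($inPolicy -and $c.HasPrivateKey) {
        $matched = $true
        $pw   = Read-Host -AsSecureString "PFX password for $($c.Thumbprint)"
        $path = Join-Path $BackupDir "efs-dra-old-$($c.Thumbprint).pfx"
        Export-PfxCertificate -Cert $c -FilePath $path -Password $pw | Out-Null
        Write-Host "Backed up to $path (store it offline; it decrypts every file the old DRA covers)"
    }
}

if (-not $matched) {
    Write-Warning ('No local certificate with a private key matches the policy thumbprint. ' +
        'The key lives elsewhere (e.g. a decommissioned DC); files encrypted under that ' +
        'DRA cannot be recovered from this host, so inventory for such files before replacing it.')
}

# 4. Create the replacement DRA key pair (step 2 of the answer). cipher /r prompts for a
#    password and writes <base>.cer (public, goes into the GPO) and <base>.pfx (private).
& cipher.exe "/r:$NewCertBase"

$newCer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$NewCertBase.cer"
Write-Host ("New DRA {0} valid {1:yyyy-MM-dd} to {2:yyyy-MM-dd}" -f
    $newCer.Thumbprint, $newCer.NotBefore, $newCer.NotAfter)

# Steps 3 and 4 of the answer (remove the expired cert from, and add the new .cer to,
# Public Key Policies\Encrypting File System in the GPO) are done in the Group Policy
# editor. After gpupdate /force on a client, rerun this script: the new thumbprint
# should now appear under $PolicyKey and the old one should be gone.
```

The check that matters most is the warning branch: if the thumbprint in policy has no local private key, the old .pfx simply does not exist on this server, and anything encrypted under it is recoverable only by the users who encrypted it (or from wherever the original DC's key was backed up). Find those files before the expired certificate is dropped from policy.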


Author Comment

ID: 17806845
Yes, I read that shortly after I posted this. The problem is that I can't back up the old one. The issue, I think, is that this server is not the ORIGINAL domain controller. The ORIGINAL one was replaced two months ago and is no longer on site. Thus, when I used the Certificates snap-in to back up (or even view) the old one, there is no EFS cert to look at to begin with. Somehow, though, the Default Domain Policy lists one (the old one, I'm assuming, as it has an expiration date of 12/2005 - almost a full year before the new server was even purchased). So what now?

Author Comment

ID: 17806863

Say I just go ahead and create a new one - no one that I know of encrypts files (or even knows that the option exists) so would it be that big a deal if I just replaced the old one? This is a small network - 9 users that really use it 24/7 - none of which are too computer savvy. Second off, how is there even one listed in the GPO if there isn't one technically on the server?

Expert Comment

ID: 17807016
I would suggest that you create a new one and replace the one which you have mentioned as 12/2005. And then follow the document if you need more assistance.

Gopal Krishna K

Author Comment

ID: 17811334
That's the thing - there isn't an "old" one to replace. Even though the GPO specifies one to use - I can't locate the actual certificate via the steps MS gives you to replace one.

Author Comment

ID: 17811885
Well I created the new one and installed it where it needed to be. So...I guess I'm good to go. Thanks for the help.
