Renewing expired EFS certificate

Posted on 2006-10-25
Last Modified: 2007-12-19
OK... I tried to encrypt a file on my desktop today and got the error message "An error occurred applying attributes to file. Recovery policy configured for this system contains invalid recovery certificate." So naturally I googled it and searched the MS knowledge base and found that most likely a certificate had expired, etc., etc. So I searched through the default domain policy and found the certificate that's being used in Windows - Security Settings - Public Keys - etc. The EFS certificate in use has certainly expired, but the problem is that I can't seem to renew it. MS tells you to use the Certificates snap-in and use the default selection settings (I think it's like My User Account). I go through all the steps but can't locate this certificate and, thus, can't renew it. Can anyone shed any light here? Thanks a bunch.
Question by: Haze0830

Accepted Solution

gopal_krishna earned 500 total points
ID: 17805938

The original EFS File Recovery certificate is a self-signed certificate and cannot be renewed. You will have to replace that certificate.

1. Back up the original File Recovery certificate with its private key to a .pfx file. You'll need this file to recover encrypted files that may not get updated to the new File Recovery certificate. Do the backup in the MMC Certificates snap-in on the DC that has the original certificate. (Log on as Administrator to see this.) Be sure the certificate you back up matches the certificate that's in policy.

2. Run "cipher /r" to create a new File Recovery certificate. (The .cer is the public certificate and the .pfx is the certificate with the private key, which should be secured in a safe location. The .pfx is what you use to recover files.)

3. Delete the expired certificate from EFS policy.

4. Add the new certificate (.cer file) to EFS policy.

Once policy refreshes, EFS will work again.

More information is here:

Gopal Krishna K
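The procedure from the accepted solution, as an added example that is not part of the original thread and not the answerer's code. It runs the inventory and backup of step 1 and the `cipher /r` of step 2 from PowerShell, then verifies the new certificate before it goes into policy; steps 3 and 4 remain a Group Policy editor action. The inventory also reports whether a private key exists for the certificate named in the GPO, because a GPO only carries the DRA's public certificate and the private half lives only where the certificate was generated or imported. Assumptions: an elevated session on the DC whose Administrator profile holds the original DRA key, a Windows version with the PKI module (Windows 8 / Server 2012 or later, for `Export-PfxCertificate`; on the 2003-era servers in this thread the Certificates snap-in export does the same job), and placeholder values for the backup folder and the policy thumbprint.

```powershell
# Added example, not from the original thread: inventory, back up and replace an
# EFS Data Recovery Agent (DRA) certificate.  Assumes an elevated PowerShell
# session with the PKI module on the DC that holds the original DRA key.
# $BackupDir and $PolicyThumbprint are placeholders; replace them with your own.

# "File Recovery" enhanced key usage: only certificates carrying this EKU are
# valid EFS recovery agents.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

# Thumbprint of the DRA certificate listed in the GPO (Computer Configuration >
# Windows Settings > Security Settings > Public Key Policies > Encrypting File
# System; open the entry and read Thumbprint on the Details tab).
$PolicyThumbprint = '0000000000000000000000000000000000000000'   # placeholder

$BackupDir = 'C:\EFS-DRA'   # placeholder; keep .pfx files off shared or replicated paths
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password for exported .pfx files'

# Step 1: list every File Recovery certificate in the user and machine stores.
# The GPO only holds the public certificate, so an entry in policy can exist
# even when no copy of the private key is left on any current server.
$draCerts = @(Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryOid })

foreach ($c in $draCerts) {
    '{0}  expires {1:yyyy-MM-dd}  private key: {2}  in policy: {3}' -f
        $c.Thumbprint, $c.NotAfter, $c.HasPrivateKey, ($c.Thumbprint -eq $PolicyThumbprint)
}

# Step 1 (continued): back up each certificate that still has a private key.
# An expired DRA key can still decrypt files whose recovery field names it,
# so keep the old .pfx for as long as such files might exist.
$withKey = @($draCerts | Where-Object { $_.HasPrivateKey })
foreach ($c in $withKey) {
    $pfxPath = Join-Path $BackupDir ("dra-old-{0}.pfx" -f $c.Thumbprint)
    Export-PfxCertificate -Cert $c -FilePath $pfxPath -Password $PfxPassword | Out-Null
    "Backed up $($c.Thumbprint) to $pfxPath"
}
if ($withKey.Thumbprint -notcontains $PolicyThumbprint) {
    $msg = "No private key for the DRA in policy ($PolicyThumbprint) on this host; " +
           "files encrypted under it cannot be recovered from here."
    Write-Warning $msg
}

# Step 2: generate the replacement with cipher /r.  It writes dra-new.cer (the
# public certificate that goes into policy) and dra-new.pfx (the private key)
# in the current directory and prompts for a password to protect the .pfx.
Push-Location $BackupDir
try {
    cipher.exe /r:dra-new
    if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }
} finally {
    Pop-Location
}
$newCerPath = Join-Path $BackupDir 'dra-new.cer'

# Check the new public certificate before touching the GPO: it must carry the
# File Recovery EKU and must not already be expired.
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $newCerPath
$ekuExt = $newCert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasFileRecovery = @($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryOid }).Count -gt 0
if (-not $hasFileRecovery -or $newCert.NotAfter -le (Get-Date)) {
    throw "$newCerPath is not a usable File Recovery certificate"
}
'New DRA: thumbprint {0}, valid {1:yyyy-MM-dd} to {2:yyyy-MM-dd}' -f
    $newCert.Thumbprint, $newCert.NotBefore, $newCert.NotAfter

# Steps 3 and 4 are done in the Group Policy editor: remove the expired entry
# under Encrypting File System, then right-click > Add Data Recovery Agent and
# import dra-new.cer.  Clients pick it up at the next policy refresh
# (gpupdate /force to hurry it along).  Afterwards move every .pfx in
# $BackupDir to offline media: users need only the public certificate to
# encrypt, and the server should not keep the recovery key lying around.
```

The warning in step 1 is the situation the asker describes later in the thread: the policy names a certificate whose private key was on a domain controller that no longer exists. Replacing the DRA restores encryption for everyone, but nothing encrypted under the old agent can be recovered through the agent unless that old .pfx turns up.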


Author Comment

ID: 17806845
Yes, I read that shortly after I posted this. The problem is that I can't back up the old one. The issue, I think, is that this server is not the ORIGINAL domain controller. The ORIGINAL one was replaced two months ago and is no longer on site. Thus, when I used the Certificates snap-in to back up (or even view) the old one, there is no EFS cert to look at to begin with. Somehow, though, the default domain policy lists one (the old one, I'm assuming, as it has an expiration date of 12/2005, almost a full year before the new server was even purchased). So what now?

Author Comment

ID: 17806863

Say I just go ahead and create a new one. No one that I know of encrypts files (or even knows that the option exists), so would it be that big a deal if I just replaced the old one? This is a small network: 9 users that really use it 24/7, none of whom are too computer savvy. Second, how is there even one listed in the GPO if there isn't one technically on the server?


Expert Comment

ID: 17807016
I would suggest that you create a new one and replace the one which you have mentioned as 12/2005. And then follow the document if you need more assistance.

Gopal Krishna K

Author Comment

ID: 17811334
That's the thing: there isn't an "old" one to replace. Even though the GPO specifies one to use, I can't locate the actual certificate via the steps MS gives you to replace one.

Author Comment

ID: 17811885
Well I created the new one and installed it where it needed to be. So...I guess I'm good to go. Thanks for the help.
