EFS certificate expired

Posted on 2007-07-19
Last Modified: 2013-12-04
We have a Windows 2000 domain containing a mix of 2003 and 2000 servers. There are 2 DCs, both of which are on 2000.
When trying to encrypt a file I get the following error:
Recovery policy for this system contains invalid recovery certificate.
I can find the cert in GP but not in the certificates snap-in on any of the DCs, so cannot renew.
Upon looking further I cannot find a CA for the domain? Is this normal?
Is there any way I can find which server initially issued the cert?
Am considering installing certificate services on one of the servers but not at all sure if this is wise.
Question by: brettslater
    LVL 18

    Accepted Solution

    Is this a network you 'inherited'?
    No, you cannot find out which server issued the certificate.
    Maybe if you are lucky and your predecessor named it accordingly, the certification path can give you a hint.

    BTW, don't install a CA on a DC. Otherwise you'll regret it when you want to do a demote later on.

    LVL 4

    Assisted Solution

    Yes, not having a CA for this is not unexpected - EFS is one of the few PKI-enabled applications that doesn't require a CA to work out of the box.

    If all you want to do is get back to being able to encrypt files, then I wouldn't worry about tracking the recovery certificate back to where it was first issued, nor about setting up a CA.  I would recommend generating and deploying a new recovery certificate ASAP and then having all users update their encrypted files ASAP.

    Follow these steps to create a DRA certificate:
    - start a command prompt
    - In the command prompt, type cipher.exe /R:filename.
    - Type the password at the prompt. This will create a new DRA certificate and the private key (.CER and .PFX files, respectively)

    After obtaining the certificate, follow these steps to designate a DRA in Group Policy:
    - Log on as someone who can edit/create Group Policy.
    - Open the GPO where you wish to configure the DRA certificate policy (best is the GPO that currently contains the DRA cert you're trying to fix)
    - browse Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System.
    - Right-click Encrypting File System and select Add Data Recovery Agent, which will start the Add Recovery Agent Wizard.
    - In the Wizard browser, import the .CER file that was created with the cipher /R utility. This will designate the DRA.

    Be sure to place the certificate and private key that were created with the cipher utility in a safe place. Don't leave them on the hard drive, because anyone that obtains them can decrypt the files that were created or opened since the DRA policy was updated with the new cert.

    Finally, after Group Policy has had enough time to update on all PCs, you can either ask users to run CIPHER.EXE /U at a command prompt, or you can add this command to a logon script.  It'll quickly update just the part of the encrypted files that contains the encryption keys, so it'll be a lot faster than the first time they enabled EFS.
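    The following PowerShell is an added example, not code from the thread or from either answerer. It inspects the recovery-agent certificates that Group Policy has already applied to a machine and reports which of them are expired, which is exactly the condition behind the "invalid recovery certificate" error above, and it vets the .CER produced by `cipher /R` before that file is imported into the GPO. It assumes PowerShell 5 or later, that applied EFS recovery policy is cached as serialized certificate blobs under `HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates` (property id 32 carrying the DER certificate), and that the File Recovery EKU OID is 1.3.6.1.4.1.311.10.3.4.1; the .CER path at the end is a hypothetical placeholder.

```powershell
# Added example (not from the original thread). Assumptions: PowerShell 5+,
# applied EFS recovery policy cached under the key below as serialized
# certificate blobs (entries of DWORD propId, DWORD reserved, DWORD length,
# bytes; property id 32 holds the DER certificate).
$EfsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'
$FileRecoveryEkuOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-CertificateFromSerializedBlob {
    # Walks the property entries of a serialized certificate blob and returns the
    # X509Certificate2 stored under property id 32, or $null if none is present.
    param([Parameter(Mandatory)][byte[]]$Blob)
    $pos = 0
    while ($pos + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $pos)
        $length = [int][BitConverter]::ToUInt32($Blob, $pos + 8)
        $pos += 12
        if ($pos + $length -gt $Blob.Length) { break }   # malformed blob: stop rather than throw
        if ($propId -eq 32) {
            $der = New-Object byte[] $length
            [Array]::Copy($Blob, $pos, $der, 0, $length)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        }
        $pos += $length
    }
    return $null
}

function Test-RecoveryAgentCertificate {
    # Summarises one certificate: validity window and whether it carries the
    # File Recovery EKU that a DRA certificate is expected to have.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Source = ''
    )
    $now = Get-Date
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $isRecovery = $false
    if ($eku) {
        $isRecovery = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryEkuOid })
    }
    [pscustomobject]@{
        Source            = $Source
        Subject           = $Cert.Subject
        Thumbprint        = $Cert.Thumbprint
        NotBefore         = $Cert.NotBefore
        NotAfter          = $Cert.NotAfter
        Expired           = ($now -gt $Cert.NotAfter)
        NotYetValid       = ($now -lt $Cert.NotBefore)
        IsFileRecoveryEku = $isRecovery
    }
}

function Get-AppliedRecoveryAgent {
    # Every DRA certificate that Group Policy has delivered to this machine.
    if (-not (Test-Path -Path $EfsPolicyKey)) { return @() }
    foreach ($sub in Get-ChildItem -Path $EfsPolicyKey) {
        $blob = (Get-ItemProperty -Path $sub.PSPath).Blob
        if ($null -eq $blob) { continue }
        $cert = Get-CertificateFromSerializedBlob -Blob $blob
        if ($cert) { Test-RecoveryAgentCertificate -Cert $cert -Source 'GroupPolicy' }
    }
}

function Test-CipherExportedCertificate {
    # Checks the .CER written by "cipher /R:filename" before it goes into the GPO.
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    Test-RecoveryAgentCertificate -Cert $cert -Source $Path
}

# Usage: list the state of the DRAs currently applied, then vet a new one.
Get-AppliedRecoveryAgent | Format-Table Subject, NotAfter, Expired, IsFileRecoveryEku -AutoSize
# Test-CipherExportedCertificate -Path 'C:\secure\newdra.cer'   # hypothetical path
```

    Run the first command on a workstation that has refreshed Group Policy: any row with `Expired` set to True is the certificate that makes EFS refuse to encrypt. The second function is worth running on the new .CER before the wizard step, since a certificate without the File Recovery EKU will not act as a recovery agent even though the import succeeds.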
