
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3381

EFS certificate expired

We have a Windows 2000 domain containing a mix of 2003 and 2000 servers. There are 2 DCs, both of which are on 2000.
When trying to encrypt a file I get the following error.
Recovery policy for this system contains invalid recovery certificate.
I can find the cert in GP but not in the certificates snap-in on any of the DCs, so cannot renew.
Upon looking further I cannot find a CA for the domain. Is this normal?
Is there any way I can find which server initially issued the cert?
Am considering installing certificate services on one of the servers but not at all sure if this is wise.
2 Solutions
Is this a network you 'inherited'?
No, you cannot find out which server issued the certificate.
Maybe if you are lucky and your predecessor named it accordingly, the certification path can give you a hint.

BTW, don't install a CA on a DC. Otherwise you'll regret it when you want to do a demote later on.

Yes, not having a CA for this is not unexpected - EFS is one of the few PKI-enabled applications that doesn't require a CA to work out of the box.

If all you want to do is get back to being able to encrypt files, then I wouldn't worry about tracking the recovery certificate back to where it was first issued, nor about setting up a CA. I would recommend generating and deploying a new recovery certificate ASAP and then having all users update their encrypted files ASAP.

Follow these steps to create a DRA certificate:
- start a command prompt
- In the command prompt, type cipher.exe /R:filename.
- Type the password at the prompt. This will create a new DRA certificate and the private key (.CER and .PFX files, respectively)

After obtaining the certificate, follow these steps to designate a DRA in Group Policy:
- Log on as someone who can edit/create Group Policy.
- Open the GPO where you wish to configure the DRA certificate policy (best is the GPO that currently contains the DRA cert you're trying to fix)
- browse Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System.
- Right-click Encrypting File System and select Add Data Recovery Agent, which will start the Add Recovery Agent Wizard.
- In the Wizard browser, import the .CER file that was created with the cipher /R utility. This will designate the DRA.

Be sure to place the certificate and private key that was created with the cipher utility in a safe place. Don't leave them on the hard drive, because anyone that obtains them can decrypt the files that were created or opened since the DRA policy was updated with the new cert.

Finally, after Group Policy has had enough time to update on all PCs, you can either ask users to run CIPHER.EXE /U at a command prompt, or you can add this command to a logon script. It'll quickly update just the part of the encrypted files that contains the encryption keys, so it'll be a lot faster than the first time they enabled EFS.
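An added PowerShell example (not from the answer above) that scripts the cipher /R step, confirms the .CER and .PFX were written, and checks the new certificate's validity period and File Recovery EKU before it is imported with the Add Recovery Agent wizard; the output directory, the base name and the final cipher /U /N dry run are assumptions not given in the thread.

```powershell
param(
    [string]$OutDir   = 'E:\dra-keys',   # assumption: removable/offline drive, not the local hard disk
    [string]$BaseName = 'EFS-DRA'        # assumption: placeholder base name for the .cer/.pfx pair
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$base    = Join-Path $OutDir $BaseName
$cerPath = "$base.cer"
$pfxPath = "$base.pfx"

# cipher /R writes <base>.cer (public cert) and <base>.pfx (private key); it prompts for the PFX password
& cipher.exe "/R:$base"
if ($LASTEXITCODE -ne 0) { throw "cipher.exe /R failed with exit code $LASTEXITCODE" }
foreach ($f in $cerPath, $pfxPath) {
    if (-not (Test-Path $f)) { throw "Expected output file missing: $f" }
}

# Inspect the public certificate before importing it with the Add Recovery Agent wizard
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Valid from : $($cert.NotBefore)"
"Valid until: $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date)) {
    throw 'New DRA certificate is already expired; do not publish it in Group Policy.'
}

# A DRA certificate must carry the File Recovery EKU (OID 1.3.6.1.4.1.311.10.3.4.1)
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $fileRecoveryOid })) {
    throw 'Certificate lacks the File Recovery EKU; the wizard will not accept it as a DRA.'
}

# Once the GPO has been updated and refreshed on the clients, each user runs cipher /U.
# cipher /U /N only lists the encrypted files without rewriting their key fields,
# which makes it a useful dry run before putting cipher.exe /U into the logon script.
& cipher.exe /U /N
```

The .PFX produced here is the recovery private key itself, so move it off the machine as soon as the .CER has been imported into the GPO.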
