

EFS certificate expired

Medium Priority
Last Modified: 2013-12-04
We have a Windows 2000 domain containing a mix of 2003 and 2000 servers. There are 2 DCs, both of which are on 2000.
When trying to encrypt a file I get the following error:
Recovery policy for this system contains invalid recovery certificate.
I can find the cert in GP but not in the certificates snap-in on any of the DCs, so cannot renew.
Upon looking further I cannot find a CA for the domain. Is this normal?
Is there any way I can find which server initially issued the cert?
Am considering installing certificate services on one of the servers but not at all sure if this is wise.

Top Expert 2007
Is this a network you 'inherited'?
No, you cannot find out which server issued the certificate.
Maybe, if you are lucky and your predecessor named it accordingly, the certification path can give you a hint.

BTW, don't install a CA on a DC. Otherwise you'll regret it when you want to demote it later on.


Yes, not having a CA for this is not unexpected: EFS is one of the few PKI-enabled applications that doesn't require a CA to work out of the box.

If all you want to do is get back to being able to encrypt files, then I wouldn't worry about tracking the recovery certificate back to where it was first issued, nor about setting up a CA. I would recommend generating and deploying a new recovery certificate ASAP and then having all users update their encrypted files ASAP.

Follow these steps to create a DRA certificate:
- Start a command prompt.
- In the command prompt, type cipher.exe /R:filename.
- Type the password at the prompt. This will create a new DRA certificate and private key (.CER and .PFX files, respectively).

After obtaining the certificate, follow these steps to designate a DRA in Group Policy:
- Log on as someone who can edit/create Group Policy.
- Open the GPO where you wish to configure the DRA certificate policy (best is the GPO that currently contains the DRA cert you're trying to fix).
- Browse to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System.
- Right-click Encrypting File System and select Add Data Recovery Agent, which will start the Add Recovery Agent Wizard.
- In the wizard, browse to and import the .CER file that was created with the cipher /R utility. This will designate the DRA.

Be sure to put the certificate and private key that were created with the cipher utility in a safe place. Don't leave them on the hard drive, because anyone who obtains them can decrypt the files that were created or opened since the DRA policy was updated with the new cert.

Finally, after Group Policy has had enough time to update on all PCs, you can either ask users to run CIPHER.EXE /U at a command prompt or add that command to a logon script. It quickly updates just the part of each encrypted file that contains the encryption keys, so it'll be a lot faster than the first time they enabled EFS.
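The cipher.exe procedure above, wrapped in a PowerShell script as an added example that is not part of the original answer. It assumes an elevated Windows PowerShell prompt on a domain-joined host (the Windows 2000 machines in the question would not have PowerShell, but the cipher.exe switches are the same ones the answer uses); the $WorkDir and $ArchiveShare paths are placeholders. The GPO import itself still has to be done with the Add Recovery Agent Wizard as described; what the script adds is a check that the generated .CER actually carries the File Recovery EKU and is not close to expiry, and a preview mode for the cipher /U step.

```powershell
# Added example, not from the original thread. Assumptions (not in the thread): elevated
# Windows PowerShell on a domain-joined host; $WorkDir and $ArchiveShare are placeholder paths.

function New-EfsRecoveryAgentCert {
    param(
        [string]$WorkDir      = 'C:\DRA-Rotation',                   # assumed scratch folder
        [string]$ArchiveShare = '\\secure-fileserver\dra-offline$',  # assumed locked-down, offline-ish share
        [string]$Name         = 'EFS-DRA-' + (Get-Date -Format 'yyyyMMdd')
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $base = Join-Path $WorkDir $Name

    # cipher /R writes <name>.cer (public cert) and <name>.pfx (cert + private key).
    # It prompts for the PFX password interactively; there is no switch to supply it.
    & cipher.exe /R:"$base"
    if ($LASTEXITCODE -ne 0) { throw "cipher /R failed with exit code $LASTEXITCODE" }

    # Check the public cert before it goes into Group Policy: EFS only accepts a DRA cert
    # carrying the Microsoft "File Recovery" EKU (OID 1.3.6.1.4.1.311.10.3.4.1), and an
    # expiring DRA cert is exactly the condition behind the error in this thread.
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$base.cer"
    $ekuExt = $cer.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasFileRecovery = $ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.10.3.4.1' }
    if (-not $hasFileRecovery) { throw "$base.cer does not carry the File Recovery EKU" }
    if ($cer.NotAfter -lt (Get-Date).AddYears(1)) {
        Write-Warning "New DRA certificate already expires on $($cer.NotAfter); schedule the next rotation now."
    }

    # Get the private key off this machine (the answer's "don't leave them on the hard drive").
    # Move-Item only unlinks the source; on magnetic disks the old .pfx bytes can remain
    # recoverable until overwritten, so generating the key onto removable media is safer still.
    Move-Item -Path "$base.pfx" -Destination $ArchiveShare -Force

    [pscustomobject]@{
        CerPath    = "$base.cer"                          # import this one with the Add Recovery Agent Wizard
        PfxArchive = (Join-Path $ArchiveShare "$Name.pfx")
        Thumbprint = $cer.Thumbprint                      # record it so the GPO entry can be matched later
        Subject    = $cer.Subject
        NotAfter   = $cer.NotAfter
    }
}

# Logon-script half: once the GPO carrying the new DRA has applied, re-key each user's files.
# cipher /U rewrites only the key blob of each encrypted file, not the file data, so it is
# quick. cipher /U /N lists the files that would be touched without changing anything.
function Update-EfsFilesToCurrentDra {
    param([switch]$WhatIf)
    if ($WhatIf) {
        & cipher.exe /U /N
    } else {
        & cipher.exe /U
    }
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "cipher /U returned exit code $LASTEXITCODE; some files may not have been updated."
    }
}

# Usage (interactive):
#   $dra = New-EfsRecoveryAgentCert
#   $dra | Format-List
#   Update-EfsFilesToCurrentDra -WhatIf    # on a client after gpupdate, to preview; drop -WhatIf to re-key
```

Run New-EfsRecoveryAgentCert once on an administrative workstation, import the .CER it reports through the wizard, then deploy Update-EfsFilesToCurrentDra (without -WhatIf) as the logon script once policy has replicated. Files that a user never opens after the change keep the old DRA's key blob, which is why the answer asks users to run cipher /U rather than waiting for normal use to refresh them.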