Recovery Certificate issue

Our recovery certificate recently expired. I followed the instructions from Microsoft to create a new recovery certificate. However, when I try using the new recovery certificate to create a newly encrypted folder, I get an error "Recovery policy configured for this system contains invalid recovery certificate."

Am I missing something?  Thanks!

I used the instructions from the following MS KB
Did you try gpupdate /force to get the updated GPO?
The change might not have propagated.
Paranormastic (Cryptographic Engineer) commented:
Your recovery cert should be used to recover certs and should not be used by itself, as there would not be anything else to recover it (unless you have multiple recovery certs created, which you may want to consider having 2 or 3 of anyway).

You should use a normal file encryption cert to encrypt a file and then use the recovery cert to recover it.

There can also be issues sometimes with trying to encrypt the folder itself instead of the files within it, but that gets a little deep, so unless that directly applies I won't get into it.

jmerulla (Author) commented:
I did run gpupdate /force, which did not help. Still get the error message. :-(
jmerulla (Author) commented:
As of right now, if I try to create a new document in a folder that was previously encrypted, I get "Access Denied", and I have full Admin rights. Any suggestions?
Paranormastic (Cryptographic Engineer) commented:
Am I reading this correctly: "was", as in it is not currently encrypted? If that's the case, then I would look at permissions on the folder and such.
If it is still encrypted, then you need to be able to do so under the correct user account for the encryption cert and using the same cert that it was encrypted under.
Could you please verify that you are using an end-user cert to encrypt with and not the recovery cert?
jmerulla (Author) commented:
I am using the end user cert that was assigned to me.  I've had the same certificate since before the current one expired.  I used that certificate to create an encrypted folder and everything that I put in that folder encrypted without issue - until the certificate expired.

I followed Microsoft's instructions to create a new one, and everything went just like the instructions said.  That is until I tried to use it to create a new encrypted folder and got the error message about the system containing an invalid recovery certificate.

When I tried saving a new document in my previously encrypted folder, I get an "Access Denied" message.

I think the folder is still encrypted, since the folder name appears in green, as does any folder/file that has been encrypted.
Paranormastic (Cryptographic Engineer) commented:
Are you using an EFS cert issued from your CA or locally generated on the box?
Do you have both the old and new EFS certs installed, or did you remove the old one? You should have both so that you can still access the old information; hopefully you had that backed up first, with the private key, if you removed it.
Usually an assigned EFS certificate is auto-renewed/regenerated by the system. The process you went through is to generate a Recovery Certificate.
Paranormastic, in an earlier post, said that you should use the recovery certificate to recover your user EFS certificate.

Try the following: get into the encrypted folder. Right-click on any of the encrypted files and get the properties. Then go through the Advanced button and look at the details in the Compression and encryption section. You might be able to add a certificate there, but I think you have to repeat this process one file at a time.
jmerulla (Author) commented:
I got it resolved with MS tech support. The part that was missing from their KB is that after the certificate has been created under Encrypting File System, it also has to be added to Trusted Root Certification Authorities, and then run gpupdate /force to replicate to the other DCs.

1. Please first remove all the old recovery agent certificates. To do this,

(1). On your domain controller, click "Domain Security Policy" from "Administrative Tools".
(2). In the left pane, expand to: Public Key Policies\Encrypting File System
(3). In the right pane, make sure to delete all the items.
(4). Close "Domain Security Policy" and allow enough time for this change to be propagated to other domain controllers.

2. Request a new certificate for recovery agent.

(1). Log on to a domain controller with Administrator account.
(2). Click Start, click Run, type cmd, and then click OK.
(3). At the command prompt, type cipher /r:file_name, and then press ENTER.

Note: file_name represents the file name that you want to use. Use a file name that is meaningful to you. Do not add an extension to the file name. Make sure that the new .cer and .pfx files are created in the same folder.

3. Add the new certificate to the policy.
(1). On your domain controller, click "Domain Security Policy" from "Administrative Tools".
(2). In the left pane, expand to: Public Key Policies\Encrypting File System
(3). Right-click the "Encrypting File System", click "Add Data Recovery Agent"
(4). Follow the wizard to add the .cer file you created in step 2 above.
(5). Expand to another branch: Public Key Policies\Trusted Root Certification Authorities
(6). Right-click the "Trusted Root Certification Authorities", click Import. Follow the wizard to import the .cer file in step 2.

4. Quit the policy editor and allow enough time for these changes to be replicated to other DCs.
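An added check (not from the thread or the MS KB) for the recovery-agent certificate that cipher /r produces in step 2: it verifies the validity window, the File Recovery EKU, and whether the cert has landed in the machine's Trusted Root store after the policy applies, which is the step the KB omitted. The .cer path is a placeholder; the EKU OID is Microsoft's published value for EFS recovery.

```powershell
# Added example: sanity-check a DRA certificate before/after adding it to policy.
# Assumption: the .cer created by "cipher /r:file_name" is at this placeholder path.
$CerPath = 'C:\dra\file_name.cer'

# Microsoft EKU OID for EFS File Recovery (szOID_EFS_RECOVERY).
$EfsRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# 1. Validity window: an expired DRA cert is what triggers
#    "Recovery policy ... contains invalid recovery certificate".
$now = Get-Date
if ($cert.NotAfter -lt $now) {
    Write-Warning "DRA cert expired on $($cert.NotAfter); re-run cipher /r and update the policy"
} elseif ($cert.NotBefore -gt $now) {
    Write-Warning "DRA cert is not valid until $($cert.NotBefore)"
} else {
    Write-Host "Validity OK: $($cert.NotBefore) to $($cert.NotAfter)"
}

# 2. The cert must carry the File Recovery EKU to be accepted as a recovery agent.
$hasRecoveryEku = $false
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        foreach ($oid in $ext.EnhancedKeyUsages) {
            if ($oid.Value -eq $EfsRecoveryEku) { $hasRecoveryEku = $true }
        }
    }
}
if (-not $hasRecoveryEku) { Write-Warning 'Certificate lacks the EFS File Recovery EKU' }

# 3. The self-signed DRA cert must also be trusted. After the Trusted Root
#    policy from step 3(6) applies (gpupdate /force), it shows up in LocalMachine\Root.
$inRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($inRoot -and $cert.Verify()) {
    Write-Host "DRA cert $($cert.Thumbprint) is trusted on this machine"
} else {
    Write-Warning 'DRA cert is not trusted here: import it into Trusted Root via policy, then gpupdate /force'
}
```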