Solved

Recovery Certificate issue

Posted on 2008-10-14
Last Modified: 2012-06-27
Our recovery certificate recently expired.  I followed the instructions from Microsoft to create a new recovery certificate.  However, when I try using the new recovery certificate to create a newly encrypted folder, I get an error "Recovery policy configured for this system contains invalid recovery certificate."

Am I missing something?  Thanks!

I used the instructions from the following MS KB

http://support.microsoft.com/default.aspx/kb/937536
Question by:jmerulla
10 Comments
 
LVL 80

Expert Comment

by:arnold
ID: 22715156
Did you try the gpupdate /force to get the updated GPO.
The change might not have propagated.
0
 
LVL 5

Accepted Solution

by:JBart_17
JBart_17 earned 1000 total points
ID: 22715157
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 1000 total points
ID: 22715162
Your recovery cert should be used to recover certs and should not be used by itself as there would not be anything else to recover it (unless you have multiple recovery certs created, which you may want to consider having 2 or 3 anyways..).

You should use a normal file encryption cert to encrypt a file and then use the recovery cert to recover it.

There can also be issues sometimes of trying to encrypt the folder itself instead of the files within it, but that gets a little deep so unless that directly applies I won't get into it.
0
 
LVL 2

Author Comment

by:jmerulla
ID: 22715225
I did run gpupdate /force which did not help.  Still get the error message. :-(
0
 
LVL 2

Author Comment

by:jmerulla
ID: 22724057
As of right now, if I try to create a new document in a folder that was previously encrypted, I get "Access Denied" and I have full Admin rights.  Any suggestions?
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22732349
Am I reading this correctly "was" as in it is not currently encrypted?  If that's the case then I would look at permissions on the folder and such.
If it is still encrypted, then you need to be able to do so under the correct user account for the encryption cert and using the same cert that it was encrypted under.
Could you please verify that you are using an end-user cert to encrypt with and not the recovery cert?
0
 
LVL 2

Author Comment

by:jmerulla
ID: 22733627
I am using the end user cert that was assigned to me.  I've had the same certificate since before the current one expired.  I used that certificate to create an encrypted folder and everything that I put in that folder encrypted without issue - until the certificate expired.

I followed Microsoft's instructions to create a new one, and everything went just like the instructions said.  That is until I tried to use it to create a new encrypted folder and got the error message about the system containing an invalid recovery certificate.

When I tried saving a new document in my previously encrypted folder, I get an "Access Denied" message.

I think the folder is still encrypted since the folder name appears in green as any folder/file that has been encrypted.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22735014
Are you using an EFS cert issued from your CA or locally generated on the box?
Do you have both the old and new EFS certs installed, or did you remove the old one?  You should have both so that you can still access the old information; hopefully you had that backed up first with the private key if you removed it..
0
 
LVL 80

Expert Comment

by:arnold
ID: 22735058
Usually an assigned EFS certificate is auto-renewed/regenerated by the system.  The process you went through is to generate a Recovery Certificate.  
Paranormastic, in an earlier post said that you should use the recovery certificate to recover your user EFS certificate.

Try the following: get into the encrypted folder.  Right click on any of the encrypted files and get the properties.  Then go through the advanced button and look at the details on the Compression and encryption section.  You might be able to add a certificate there, but I think you have to repeat this process one file at a time.
0
 
LVL 2

Author Comment

by:jmerulla
ID: 22877402
I got it resolved with MS tech support.  The part that was missing from their KB is that after the certificate has been created under Encrypting File System, it also has to be added to Trusted Root Certification Authorities and then run gpupdate /force to replicate to the other DCs.

1. Please first remove all the old recovery agent certificates. To do this,

(1). On your domain controller, click "Domain Security Policy" from "Administrative Tools".
(2). In the left pane, expand to: Public Key Policies\Encrypting File System
(3). In the right pane, make sure to delete all the items.
(4). Close "Domain Security Policy" and allow enough time for this change to be propagated to other domain controllers.

2. Request a new certificate for recovery agent.

(1). Log on to a domain controller with Administrator account.
(2). Click Start, click Run, type cmd , and then click OK.  
(3). At the command prompt, type cipher /r: file_name , and then press ENTER.

Note: file_name represents the file name that you want to use. Use a file name that is meaningful to you. Do not add an extension to the file name. Make sure that the new .cer and .pfx files are created in the same folder.  

3. Add the new certificate to the policy.
(1). On your domain controller, click "Domain Security Policy" from "Administrative Tools".
(2). In the left pane, expand to: Public Key Policies\Encrypting File System
(3). Right-click the "Encrypting File System", click "Add Data Recovery Agent"
(4). Follow the wizard to add the .cer file you created in step 2 above.
(5). Expand to another branch: Public Key Policies\Trusted Root Certification Authorities
(6). Right-click the "Trusted Root Certification Authorities", click Import. Follow the wizard to import the .cer file in step 2.

4. Quit the policy editor and allow enough time for these changes to be replicated to other DCs.
0
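As an added example that is not part of the thread, the following PowerShell script sanity-checks a data recovery agent (DRA) certificate before it is added to the EFS policy, covering the three things that went wrong above: validity period, the File Recovery EKU, and trust (the self-signed .cer from cipher /r: only chains once it is imported into Trusted Root Certification Authorities). The path to the .cer file is a placeholder; the EKU OID is Microsoft's published "File Recovery" OID.

```powershell
# Added example (not from the thread): validate an EFS DRA certificate created with
# "cipher /r:<file_name>" before adding it via Public Key Policies\Encrypting File System.
param([string]$CerPath = "C:\EfsRecovery\EfsRecovery.cer")   # placeholder path, adjust

$FileRecoveryOid = "1.3.6.1.4.1.311.10.3.4.1"   # Microsoft "File Recovery" enhanced key usage

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
$problems = @()

# 1. Validity window: the thread started with an expired DRA cert, which EFS rejects.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    $problems += "not within validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# 2. Enhanced Key Usage must include File Recovery, or the cert is not a recovery agent cert.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasFileRecovery = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryOid })
if (-not $hasFileRecovery) {
    $problems += "EKU does not contain File Recovery ($FileRecoveryOid); generate it with cipher /r:"
}

# 3. Trust: cipher /r: emits a self-signed certificate, so the chain only builds after the .cer
#    has been imported into Trusted Root Certification Authorities (step 3(6) above).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
    $problems += "chain does not build ($status); import the .cer into Trusted Root CAs on the DC"
}

if ($problems.Count -eq 0) {
    "OK: $($cert.Subject) (thumbprint $($cert.Thumbprint)) is usable as a DRA"
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```

Run it on the domain controller where the policy is edited; once it reports OK, apply the policy and run gpupdate /force as in step 4.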

Question has a verified solution.
