Enrolling a new certificate for Windows XP EFS

Posted on 2009-12-31
Last Modified: 2012-05-08
How do I enrol a new EFS file encryption certificate in Windows XP, so that all new files are encrypted using this certificate?
Question by:foxcombe

    Author Comment

    This question applies to a machine which already has a Certificate loaded.  The purpose is to make another key the default key for encrypting, as opposed to the keys in the mmc snap-in which are used for decrypting when the default key does not apply.

    Accepted Solution

    This should normally happen automatically 6 weeks before the existing EFS certificate expires.  If you created a custom EFS template, then the renewal will happen at 'renewal period' amount of time before certificate expiration as defined by 'validity period'.

    If you are not using CA issued EFS certificates, then have the user run "cipher /K" which will generate a new local EFS certificate.

    The new certificate should be put into use automatically.  If for some reason it does not, please post back and we can troubleshoot this, but this is rare enough that I'm not going to get into it for right now.

    You can update all files that the user has encrypted with their previous certificate by running "cipher /U" on each box.  If multiple users share the same box, this may need to be run under each user's logon.

    The old certificate should be kept around to decrypt the old files, or at least until the cipher /u has been run.  There is normally not a need to remove it from the system unless it really bothers you that it is there.

    This assumes that you are not talking about the EFS DRA account; that would normally be handled via GPO, by replacing the existing DRA certificate in the domain GPO settings.

    Expert Comment

    If you need to renew the certificate beforehand, the easiest way is in the Certificates MMC (user) - Personal - Certificates - right click cert - renew using new key.  After issuance, reboot and run the cipher /u command.

    I haven't really found a good way to script this yet to be specific to one type of certificate.  There are a couple ways of doing it, but they are all really dirty.

    Author Closing Comment

    Thanks Paranorma, it is not exactly what I sought, but it is a good solution.  You may have guessed I have a "dirty" system with multiple encryption-keyed files, and I want to just have one key for all files to save me distributing multiple keys. Your method is fine: it introduces one more key and then converts all files by touching them with the /u option.  I can live with that.  Thanks for your time, Happy New Year from the UK.

    Expert Comment

    After all the files have been updated, you could clean out the rest of the EFS certs. I would recommend exporting them, including the private key, to a .pfx file first, just in case, but it is possible to remove them from the Certificates MMC (certmgr.msc) or, if you have the serial number or thumbprint, with "certutil -user -delstore My <serial number or thumbprint>".
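    The whole procedure discussed in this thread (back up every EFS certificate with its private key, generate a new key with cipher /k, confirm Windows switched to it, re-key the user's encrypted files with cipher /u, and only then remove the superseded certificates) as one PowerShell script. This is an added example, not code from the thread or from the experts above; it must run in the logon session of the user whose files are to be re-keyed, and the $BackupDir path, the $RemoveOld switch and the use of the HKCU EFS\CurrentKeys\CertificateHash registry value to read the active key's hash are assumptions of this example rather than anything the thread states.

```powershell
# Added example (not from the thread): consolidate a user's EFS files under one key.
# Run as the user whose files are encrypted. Assumed: $BackupDir location, $RemoveOld flag.
$ErrorActionPreference = 'Stop'
$EfsEku    = '1.3.6.1.4.1.311.10.3.4'                 # "Encrypting File System" EKU OID
$BackupDir = Join-Path $env:USERPROFILE 'efs-backup'  # assumed backup location
$RemoveOld = $false                                   # flip to $true only after cipher /u is clean

# PFX password is read as a SecureString and only unwrapped for the .NET Export() call
$secure   = Read-Host 'Password for the .pfx backups' -AsSecureString
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$pfxPass  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

function Get-EfsCert {
    # Every certificate in the user's Personal store whose EKU list includes EFS
    $store = New-Object Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open('ReadOnly')
    $certs = @($store.Certificates | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku -and @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEku }).Count -gt 0
    })
    $store.Close()
    $certs
}

function Get-CurrentEfsThumbprint {
    # Assumption: Windows keeps the SHA-1 hash of the active EFS certificate here (REG_BINARY)
    $key   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
    $bytes = (Get-ItemProperty -Path $key -Name CertificateHash).CertificateHash
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

# 1. Snapshot: which EFS certs exist and which one is currently used for new files
$before  = Get-EfsCert
$oldHash = Get-CurrentEfsThumbprint
Write-Host "EFS certs in store: $($before.Count); current key: $oldHash"

# 2. Back up each EFS cert with its private key before touching anything
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($c in $before) {
    $pfx = $c.Export('Pfx', $pfxPass)
    [IO.File]::WriteAllBytes((Join-Path $BackupDir ($c.Thumbprint + '.pfx')), $pfx)
}

# 3. Create a new self-signed EFS key and verify Windows switched to it
cipher /k | Out-Null
$newHash = Get-CurrentEfsThumbprint
if ($newHash -eq $oldHash) { throw 'cipher /k did not change the current EFS key' }
Write-Host "New current EFS key: $newHash"

# 4. Re-key the files. 'cipher /u /n' only lists what would be touched; 'cipher /u'
#    updates them. Only files this user can decrypt are rewritten, so repeat per user.
cipher /u /n
cipher /u

# 5. Optional clean-up: drop the superseded EFS certs once every file is on the new key
if ($RemoveOld) {
    $store = New-Object Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open('ReadWrite')
    foreach ($c in $before) {
        if ($c.Thumbprint -ne $newHash) { $store.Remove($c) }
    }
    $store.Close()
}
```

    Keep $RemoveOld at $false on the first run and read the cipher /u output: any file it could not update still depends on an old certificate, and removing that certificate would leave the file unreadable. The .pfx backups in $BackupDir contain private keys, so move them off the box (or delete them) once you are satisfied that nothing still needs the old keys.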
