

Enrolling a new certificate for Windows XP EFS

Posted on 2009-12-31
Last Modified: 2012-05-08
How do I enrol a new EFS file encryption certificate in Windows XP, so that all new files are encrypted using this certificate?
Question by:foxcombe

Author Comment

ID: 26155806
This question applies to a machine which already has a Certificate loaded.  The purpose is to make another key the default key for encrypting, as opposed to the keys in the mmc snap-in which are used for decrypting when the default key does not apply.

Accepted Solution

Paranormastic earned 400 total points
ID: 26155912
This should normally happen automatically 6 weeks before the existing EFS certificate expires.  If you created a custom EFS template, then the renewal will happen at 'renewal period' amount of time before certificate expiration as defined by 'validity period'.

If you are not using CA issued EFS certificates, then have the user run "cipher /K" which will generate a new local EFS certificate.

The new certificate should be put into use automatically.  If for some reason it does not, please post back and we can troubleshoot this, but this is rare enough that I'm not going to get into it for right now.

You can update all files that the user has encrypted with their previous certificate by running "cipher /U" on each box.  If multiple users share the same box, this may need to be run under each user's logon.

The old certificate should be kept around to decrypt the old files, or at least until the cipher /u has been run.  There is normally not a need to remove it from the system unless it really bothers you that it is there.

This assumes that you are not talking about the EFS DRA account; that would normally be handled via GPO, by replacing the existing DRA certificate in the domain GPO settings.

Expert Comment

ID: 26155986
If you need to renew the certificate beforehand, the easiest way is in the Certificates MMC (user) - Personal - Certificates - right click cert - renew using new key.  After issuance, reboot and run the cipher /u command.

I haven't really found a good way to script this yet to be specific to one type of certificate.  There are a couple ways of doing it, but they are all really dirty.

Author Closing Comment

ID: 31671667
Thanks Paranorma, it's not exactly what I sought, but it is a good solution.  You may have guessed I have a "dirty" system with multiple encryption-keyed files, and I want to just have one key for all files to save me distributing multiple keys. Your method is fine: it introduces one more key and then converts all files by touching them with the /u option.  I can live with that.  Thanks for your time, Happy New Year from the UK.

Expert Comment

ID: 26172944
After all the files have been updated, you could clean out the rest of the EFS certs. I would recommend exporting them, including the private key, to a .pfx file first, just in case, but it is possible to remove them from the Certificates MMC (certmgr.msc) or, if you have the serial number or thumbprint, with "certutil -user -delstore My <serial number or thumbprint>".
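The whole procedure the accepted solution and the cleanup comment above describe (generate a new local EFS key, confirm EFS actually switched to it, re-key existing files with cipher /u, then back up and retire the superseded certificates) can be run end to end from one script. The following is an added example, not code from the thread or from either poster. It assumes PowerShell 2.0 is installed on the XP box, that cipher.exe is on the PATH, that the EFS keys were created locally rather than issued by a CA, and that the backup folder name is an arbitrary choice; it uses the .NET X509 classes instead of certutil so it does not depend on the Administration Tools Pack being present. Run it as the user whose files are encrypted, once per user on a shared machine.

```powershell
# Added example (not from the thread): rotate a user's local EFS key, re-key
# existing files, then back up and remove the old EFS certificates.
# Assumptions: Windows XP with PowerShell 2.0, cipher.exe on the PATH, locally
# generated (not CA-issued) EFS certificates. $BackupDir is an arbitrary choice.

$EfsEku      = '1.3.6.1.4.1.311.10.3.4'                  # Encrypting File System EKU
$BackupDir   = Join-Path $env:USERPROFILE 'efs-backup'   # assumed backup location
$CurrentKeys = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'

function Get-ActiveEfsThumbprint {
    # EFS stores the SHA-1 thumbprint of the certificate it will use for
    # newly encrypted files in CurrentKeys\CertificateHash (REG_BINARY).
    $hash = (Get-ItemProperty -Path $CurrentKeys -ErrorAction SilentlyContinue).CertificateHash
    if (-not $hash) { return $null }
    return (($hash | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Get-EfsCertificates {
    # Every certificate in the user's Personal store that carries the EFS EKU.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $ext = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ext -and ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEku })
    }
}

$before = Get-ActiveEfsThumbprint
Write-Host "Active EFS key before rotation: $before"

# 1. Create a new local EFS certificate; cipher /k also makes it the current key.
& cipher.exe /k | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cipher /k failed with exit code $LASTEXITCODE" }

# Check the switch actually happened before touching any files: the new
# thumbprint must differ from the old one and must exist in the Personal store.
$after = Get-ActiveEfsThumbprint
if (-not $after -or $after -eq $before) {
    throw 'EFS did not switch to a new key; inspect certmgr.msc before re-keying files.'
}
if (-not (Get-EfsCertificates | Where-Object { $_.Thumbprint -eq $after })) {
    throw "CurrentKeys points at $after but no such EFS certificate is in the store."
}
Write-Host "Active EFS key after rotation:  $after"

# 2. Re-key every encrypted file on local drives that this user can decrypt.
#    Files on drives that are not mounted now are NOT touched, so keep the old
#    certificates (the .pfx backups below) until you are sure nothing was missed.
& cipher.exe /u
if ($LASTEXITCODE -ne 0) { throw 'cipher /u reported errors; leave the old certificates in place.' }

# 3. Export each superseded EFS certificate with its private key to a
#    password-protected .pfx, then remove it from the store.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString 'Password for the .pfx backups'
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    foreach ($cert in (Get-EfsCertificates | Where-Object { $_.Thumbprint -ne $after })) {
        $pfxPath = Join-Path $BackupDir ("efs-" + $cert.Thumbprint + ".pfx")
        $bytes   = $cert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
        [System.IO.File]::WriteAllBytes($pfxPath, $bytes)
        Write-Host "Backed up $($cert.Thumbprint) to $pfxPath; removing it from the store."
        $store.Remove($cert)
    }
}
finally {
    $store.Close()
}
```

Move the .pfx files off the machine once they are written; they contain the only copy of the old private keys, and anyone holding one plus the password can read every file that was encrypted under it. Note that X509Store.Remove drops the certificate from the store but does not necessarily delete the underlying CAPI key container, so a determined forensic examiner may still find key material on disk; that matters if the goal is to destroy the old key rather than merely retire it.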
