Solved

EFS certificates after removing CA from Active Directory

Posted on 2010-11-19
5
1,338 Views
Last Modified: 2012-05-10
we have about half dozen EFS certificates issued to users.
We would like to decomission the existing CA (and leave the server in place http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_26626321.html ).

We don't mind changing the name of the root CA, we just are concerned of loosing the ability to reover any files encrypted by people on leave... if we uninstall the 2003 CA from the server and install a new CA root on 2008 R2.

SOme of the certificates expire in 1 year... We might not be able to locate all the encrypted files at this point in time

Will backing up the private key be enough to access encrypted files even after the CA is removed ? How does one go about recovering those files in that case ?

Can you provide a brief procedure to follow if we are happy to get rid of the old CA?  is it a matter of:
1)backup existing CA key
2)uninstall CA from 2003
3) install new CA on 2008 R2

THanks for you help.
0
Comment
Question by:rov17
  • 2
  • 2
5 Comments
 
LVL 10

Expert Comment

by:moon_blue69
Comment Utility
Hi

See if this article helps

Cheers
0
 
LVL 5

Author Comment

by:rov17
Comment Utility

Hi moon_blue69,

which article ?

 
0
 
LVL 10

Expert Comment

by:moon_blue69
Comment Utility
0
 
LVL 5

Author Comment

by:rov17
Comment Utility
thanks moon_blue69  but it doesn't. Have come accross it but it does not address the questions that I posted and i can not remove the existing server.
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
Comment Utility
For recovering EFS encrypted files, you should be using an EFS Data Recovery Agent (DRA) certificate - preferably issued to a dedicated tightly controlled admin account.  You can issue the DRA cert either from the CA (new or old) or from command line 'cipher /r NAME' which will create a .cer and .pfx file - the .pfx has the private key so keep that on a locked up flash drive.  The .cer you should deploy via GPO and then all domain members will automatically pick it up.  Note that if users don't touch the files already encrypted then it doesn't matter, so it is a good idea to run 'cipher /u' as a logon script for users that have EFS certs - this will update those files to include the DRA cert.

The process should be similar to:
http://blogs.technet.com/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx
(only creating instead of replacing)

Also, after the new CA is up and running and set up for EFS you can force re-enrollment from certtmpl.msc - locate template - right click - reenroll all certificate holders. I forget offhand if it happens automatically or if it requires logoff/logon, or reboot - may need to wait for up to 15 mins for AD replication as well.  If you have a lot of EFS users try a smaller test group first to work out any potential kinks.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now