Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1423
  • Last Modified:

EFS certificates after removing CA from Active Directory

we have about half dozen EFS certificates issued to users.
We would like to decomission the existing CA (and leave the server in place http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_26626321.html ).

We don't mind changing the name of the root CA, we just are concerned of loosing the ability to reover any files encrypted by people on leave... if we uninstall the 2003 CA from the server and install a new CA root on 2008 R2.

SOme of the certificates expire in 1 year... We might not be able to locate all the encrypted files at this point in time

Will backing up the private key be enough to access encrypted files even after the CA is removed ? How does one go about recovering those files in that case ?

Can you provide a brief procedure to follow if we are happy to get rid of the old CA?  is it a matter of:
1)backup existing CA key
2)uninstall CA from 2003
3) install new CA on 2008 R2

THanks for you help.
0
rov17
Asked:
rov17
  • 2
  • 2
1 Solution
 
moon_blue69Commented:
Hi

See if this article helps

Cheers
0
 
rov17Author Commented:

Hi moon_blue69,

which article ?

 
0
 
moon_blue69Commented:
0
 
rov17Author Commented:
thanks moon_blue69  but it doesn't. Have come accross it but it does not address the questions that I posted and i can not remove the existing server.
0
 
ParanormasticCryptographic EngineerCommented:
For recovering EFS encrypted files, you should be using an EFS Data Recovery Agent (DRA) certificate - preferably issued to a dedicated tightly controlled admin account.  You can issue the DRA cert either from the CA (new or old) or from command line 'cipher /r NAME' which will create a .cer and .pfx file - the .pfx has the private key so keep that on a locked up flash drive.  The .cer you should deploy via GPO and then all domain members will automatically pick it up.  Note that if users don't touch the files already encrypted then it doesn't matter, so it is a good idea to run 'cipher /u' as a logon script for users that have EFS certs - this will update those files to include the DRA cert.

The process should be similar to:
http://blogs.technet.com/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx
(only creating instead of replacing)

Also, after the new CA is up and running and set up for EFS you can force re-enrollment from certtmpl.msc - locate template - right click - reenroll all certificate holders. I forget offhand if it happens automatically or if it requires logoff/logon, or reboot - may need to wait for up to 15 mins for AD replication as well.  If you have a lot of EFS users try a smaller test group first to work out any potential kinks.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now