EFS certificates after removing CA from Active Directory

we have about half dozen EFS certificates issued to users.
We would like to decomission the existing CA (and leave the server in place http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_26626321.html ).

We don't mind changing the name of the root CA, we just are concerned of loosing the ability to reover any files encrypted by people on leave... if we uninstall the 2003 CA from the server and install a new CA root on 2008 R2.

SOme of the certificates expire in 1 year... We might not be able to locate all the encrypted files at this point in time

Will backing up the private key be enough to access encrypted files even after the CA is removed ? How does one go about recovering those files in that case ?

Can you provide a brief procedure to follow if we are happy to get rid of the old CA?  is it a matter of:
1)backup existing CA key
2)uninstall CA from 2003
3) install new CA on 2008 R2

THanks for you help.
LVL 5
rov17Asked:
Who is Participating?
 
ParanormasticCryptographic EngineerCommented:
For recovering EFS encrypted files, you should be using an EFS Data Recovery Agent (DRA) certificate - preferably issued to a dedicated tightly controlled admin account.  You can issue the DRA cert either from the CA (new or old) or from command line 'cipher /r NAME' which will create a .cer and .pfx file - the .pfx has the private key so keep that on a locked up flash drive.  The .cer you should deploy via GPO and then all domain members will automatically pick it up.  Note that if users don't touch the files already encrypted then it doesn't matter, so it is a good idea to run 'cipher /u' as a logon script for users that have EFS certs - this will update those files to include the DRA cert.

The process should be similar to:
http://blogs.technet.com/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx
(only creating instead of replacing)

Also, after the new CA is up and running and set up for EFS you can force re-enrollment from certtmpl.msc - locate template - right click - reenroll all certificate holders. I forget offhand if it happens automatically or if it requires logoff/logon, or reboot - may need to wait for up to 15 mins for AD replication as well.  If you have a lot of EFS users try a smaller test group first to work out any potential kinks.
0
 
moon_blue69Commented:
Hi

See if this article helps

Cheers
0
 
rov17Author Commented:

Hi moon_blue69,

which article ?

 
0
 
moon_blue69Commented:
0
 
rov17Author Commented:
thanks moon_blue69  but it doesn't. Have come accross it but it does not address the questions that I posted and i can not remove the existing server.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.