How to generate certificate for docrecrypt

Hi Experts - I need to implement the DocRecrypt functionality on a couple of Server 2008 and 2012 RDS servers so that if my users forget their encryption passwords in the future I can unencrypt them. All users are on thin clients logging into these RDS servers. I understand all the directions except I'm unsure of how/where to generate the certificate. Does anyone have experience with this who can give me some pointers on the certificate side of this equation? Thanks!
adubla Asked:

btan (Exec Consultant) Commented:
This TechNet link on DocRecrypt covers the need to build the escrow, but note that the tool cannot be used to recover files that were password-protected before you deployed the certificate and escrow key. https://technet.microsoft.com/en-us/library/jj923033(v=office.15).aspx

As for the certificate creation, it is best you first helm the proper PKI to identify the internal CA setup with your team before it can start generating the certificates required. There may be 3rd-party CAs, but for a wide user rollout it is better to keep control with an Enterprise CA. The challenge is to manage the PKI and those keys. The link above more or less assumes the certificate is already available and is then pushed out to the clients for escrow and recovery purposes. Protect the private key, and do not centralize the user's private key; just let it stay on the user machine, which is locked down to safeguard it.

adubla (Author) Commented:
Thank you btan. What do you think is the best way to generate the certificate on a Server 2008 R2 machine for this purpose?
btan (Exec Consultant) Commented:
3rd-party, otherwise self-signed; I prefer the former. Of course, if you already have an internal CA, then leverage that, as autoenrollment and regular updates by the IT folks will be transparent. That is the normal cert provisioning, but it is not much different if you have GPO to push other types of cert down to the clients. So if you want to avoid the hassle of setting up and managing an internal PKI, then a 3rd-party cert can be explored, still using GPO to reach all the client machines, connect and push it out for use....

It seems straightforward, but most important of all is safeguarding all the private keys, especially those for escrow purposes; having an internal PKI to store and guard the private keys is better compared to other means. So an internal CA is better. Get the IT team involved, hear them out, and make this part of the enterprise SOP.
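As an added worked example (not part of the original thread, and not Microsoft's DocRecrypt documentation), the following PowerShell script shows the internal-CA route btan recommends, done on a Windows Server 2008 R2 box: it requests an escrow certificate from an enterprise CA with certreq.exe (2008 R2 has no New-SelfSignedCertificate cmdlet), verifies that the issued certificate actually carries a private key with an encipherment key usage, prints the thumbprint you will later reference in the DocRecrypt escrow setting, and exports the private key to a password-protected PFX with certutil.exe so it can be taken off the RDS host and locked away. The CA config string (`ca01.corp.example\Corp-Issuing-CA`), the template name (`DocRecryptEscrow`) and the subject are placeholders you must change, and the choice of key usage (key + data encipherment, 0x30) is this example's assumption about what an escrow/recovery key needs; none of those values come from the page.

```powershell
# Added example, not from the original post or from Microsoft's DocRecrypt docs.
# Requests a DocRecrypt escrow certificate from an internal enterprise CA on
# Windows Server 2008 R2, verifies it, and exports the private key for offline escrow.

$CaConfig = 'ca01.corp.example\Corp-Issuing-CA'   # ASSUMPTION: "<CA host>\<CA name>"; list yours with: certutil -config - -ping
$Template = 'DocRecryptEscrow'                    # ASSUMPTION: a certificate template published on that CA for this purpose
$Subject  = 'CN=DocRecrypt Escrow, OU=IT, O=Example Corp'   # ASSUMPTION: placeholder subject

$WorkDir = Join-Path $env:TEMP 'docrecrypt'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$infPath = Join-Path $WorkDir 'escrow.inf'
$reqPath = Join-Path $WorkDir 'escrow.req'
$cerPath = Join-Path $WorkDir 'escrow.cer'

# certreq INF: 2048-bit RSA exchange key (KeySpec = 1), marked exportable so the
# escrow key can be moved off this host; KeyUsage 0x30 = key encipherment (0x20)
# + data encipherment (0x10). MachineKeySet = FALSE keeps it in the current user's store.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0x30
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $infPath -Encoding ASCII

# 1. Generate the key pair and the PKCS#10 request.
& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# 2. Submit to the enterprise CA; 3. install the issued cert against the private key.
& certreq.exe -submit -config $CaConfig $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE): check the CA config string and that the template is published" }
& certreq.exe -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# 4. Verify before trusting it for escrow: private key present, encipherment usage set.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like 'CN=DocRecrypt Escrow*' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'escrow certificate not found in CurrentUser\My' }
if (-not $cert.HasPrivateKey) { throw 'escrow certificate has no private key; recovery would be impossible' }

$kuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$keyEnc = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
if (-not $kuExt -or (($kuExt.KeyUsages -band $keyEnc) -eq 0)) {
    throw "unexpected key usage on escrow certificate: $($kuExt.KeyUsages)"
}
# The thumbprint identifies the escrow certificate in the DocRecrypt client setting
# described in the TechNet article linked above (setting name is not on this page).
"Escrow certificate thumbprint: $($cert.Thumbprint)"

# 5. Export the private key to a password-protected PFX for offline storage.
#    certutil is used because Export-PfxCertificate only exists from Server 2012 on.
#    Caveat: certutil takes the password on its command line, so run this from a
#    console you control, not a shared or logged session.
$pfxPath = Join-Path $WorkDir 'docrecrypt-escrow.pfx'
$secure  = Read-Host -Prompt 'PFX password (record it in your password vault)' -AsSecureString
$bstr    = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$pfxPw   = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
& certutil.exe -user -p $pfxPw -exportPFX My $cert.Thumbprint $pfxPath
if ($LASTEXITCODE -ne 0) { throw "certutil -exportPFX failed ($LASTEXITCODE)" }

# 6. Write the public certificate only (no private key); this DER file is what gets
#    distributed to the RDS user profiles via GPO.
$pubPath = Join-Path $WorkDir 'docrecrypt-escrow-public.cer'
[IO.File]::WriteAllBytes($pubPath,
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
"Private key exported to $pfxPath (move it to offline storage); public cert at $pubPath"
```

Once the PFX is safely stored, remove the certificate and key from the interactive profile on the RDS host (for example with certutil -user -delstore My followed by the thumbprint, and delete the key container) so the only copy of the escrow private key is the one under your control; clients only ever need the public .cer. Files protected before the escrow certificate was deployed remain unrecoverable, as noted in the TechNet article.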