Efs and new pki

What is the best process to migrate certificates issued for basic EFS when implementing a new PKI in parallel to the existing one? Just want to ensure files encrypted by EFS will be accessible to users after decomming the existing CA.
h1r0 asked:

bbao (IT Consultant) commented:
'decomming'? Do you mean 'decommissioning'?

If yes, is this something you are after?

Replacing an Expired DRA Certificate
http://blogs.technet.com/b/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx
h1r0 (Author) commented:
Close, but I'm kind of looking for a process for migrating from one CA to another while preserving EFS.
btan (Exec Consultant) commented:
There are critical KRA and DRA private keys in an EFS implementation.
With key recovery, the user's original certificate and private key are recovered from the CA database and restored to the user's profile. Recovery of the user's certificate and private key allows the user to access the FEK stored in the EFS-encrypted file, returning access to the file to the user.

Data recovery, on the other hand, allows a designated EFS Recovery Agent to decrypt all EFS-encrypted files on a computer. By default, this is done where the private key associated with the EFS Recovery Agent certificate exists, which can be a designated recovery computer or the end user's computer.
http://blogs.technet.com/b/pki/archive/2011/10/28/key-recovery-vs-data-recvoery-differences.aspx

Those private keys, on creation during the EFS provisioning, should be exported out of the CA and should never be permanently stored on the CA server or DC. Only the public KRA certificates are configured at the CAs. Hence, if those private keys have not been exported out of the CA servers, you should do that now before decommissioning those servers (or whichever servers store those private keys). Just make sure you have a copy of the private keys before throwing out the servers, including the CA. And back up the CA just to play safe in case you really need it.

Also, do not revoke any EFS certs unless they were compromised. Expired certs can still decrypt; they just cannot encrypt. For migrating EFS certs: if these were done via autoenrollment, then delete the template from OldCA and issue it on NewCA, then have the user log in and run the command "certutil -pulse". Alternatively, you can run 'gpupdate /force' and reboot if they do not have the certutil tool available. Once you have sighted them under Issued Certificates on the NewCA, you can proceed to follow up with 'cipher /u' to update each machine using those EFS files to use the new cert. Note that this needs to be done on each machine the user has logged into, and there is no need for them to decrypt. It is just to make sure the EFS cert is correctly mapped to existing EFS files.

We should be able to find all EFS-encrypted files by setting up a script that runs 'cipher /u /n > c:\temp\efs.log'. Look out for "E" for encrypted files; lines starting with "U" are unencrypted files. https://technet.microsoft.com/en-us/library/cc771346.aspx

As a whole, EFS certificates will continue to read any encrypted files as long as the user has the cert, even if the certificates are revoked and the CA is decommissioned. So it is important to make sure we have the keys.

This past EE question is useful: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_24426343.html
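The re-keying sequence from the answer above (autoenroll against the new CA, inventory encrypted files with cipher /u /n, then cipher /u), as an added PowerShell example that is not part of the original thread. It assumes $NewCaName is a placeholder for the new issuing CA's common name and that the script runs in the affected user's own session; the check for an EFS certificate from the new CA is a guard the answer only implies (that the new cert must be issued before cipher /u is useful), and the EFS enhanced key usage OID 1.3.6.1.4.1.311.10.3.4 is the standard Windows value.

```powershell
# Added example, not code from the thread: confirm the current user holds an EFS
# certificate issued by the new CA before re-keying encrypted files with cipher /u.
# Assumptions: $NewCaName is a placeholder for your new issuing CA's CN; the script
# runs as the user whose files are being migrated, on each machine they log on to.
param(
    [string]$NewCaName = 'NewCA',
    [string]$LogPath   = "$env:TEMP\efs-files.log"
)

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage OID

function Get-EfsCertificate {
    # EFS-capable certificates with a private key in the user's personal store.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsEku })
    }
}

$fromNewCa = Get-EfsCertificate | Where-Object { $_.Issuer -like "*CN=$NewCaName*" }

if (-not $fromNewCa) {
    # The answer's step: trigger autoenrollment now that the template is issued on NewCA.
    Write-Host "No EFS certificate from $NewCaName yet; triggering autoenrollment."
    certutil -pulse | Out-Null
    Start-Sleep -Seconds 10
    $fromNewCa = Get-EfsCertificate | Where-Object { $_.Issuer -like "*CN=$NewCaName*" }
}

if (-not $fromNewCa) {
    # Stop here: cipher /u would only re-stamp files with whatever key is current now.
    Write-Error "Still no EFS certificate from $NewCaName. Check the template is issued on the new CA, or run gpupdate /force and log on again."
    exit 1
}

Write-Host "EFS certificate(s) from $NewCaName present:"
$fromNewCa | Format-Table Thumbprint, NotAfter, Subject -AutoSize

# Inventory first: /n lists encrypted files on local drives without changing any keys.
cipher /u /n | Out-File -FilePath $LogPath -Encoding utf8
Write-Host "Encrypted-file inventory written to $LogPath; review it before continuing."

# Then update: rewrite the wrapped file encryption key on every encrypted file on local
# drives with the user's current EFS certificate. Nothing is decrypted in the process.
cipher /u

# Keep the old certificate and private key (exported) until every machine this user logs
# on to has been updated: an expired or revoked cert still decrypts, and it is the only
# way back into any file the inventory missed.
```

Run it once per machine the user has logged on to, as the thread advises, and keep the per-machine log files from the inventory step as the record of which files were covered before the old CA is decommissioned.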
