Re: EFS - how to force clients to use new certificate?




Hi Berry,

Thanks for your reply.

As far as I know, if there is a CA available, the keys and certs are generated in
CryptUIWizCertRequest(), which I believe uses the provider to generate the
keys.

If CA is not available, EFS will generate a self-signed cert. The RSA keys
are generated using CryptGetUserKey(). This function points to ADVAPI32,
but it passes in the provider function table. The function in ADVAPI32 uses
the function table to generate the keys. So this is actually generated by
the provider. This would mean MS default provider generated the keys. The
default provider is implemented in rsaenh.dll.

Based on the test I did before, the system will first use the self-signed
certificate, and after the CA certificate is issued, it will then replace
the certificate. So, your description is correct.

However, I still need you to confirm whether you have successfully installed
the EFS CA. Have you received any error prompt? You may test it as follows:

1. Request a new EFS certificate. If there is any error message, please post a
screenshot to the newsgroup.
2. Open the user certificate store, and then check whether the new EFS
certificate is installed.

Thanks for your time and I look forward to your reply.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Mark Berry" <markb@xxxxxxxxxxxxxxxx>
| References: <emj#T2FdFHA.2420@xxxxxxxxxxxxxxxxxxxx>
| Subject: Re: EFS - how to force clients to use new certificate?
| Date: Mon, 20 Jun 2005 20:07:26 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| Follow-up:
|
| Well it looks like if you encrypt a file over the network, it uses the
| certificate for the logged-in user that is defined on the _target_ machine.
| It seems there may also be some time lag between replacing a certificate and
| the new one taking effect.
|
| Sure wish there was a more transparent and reliable way to set which
| certificate is used by EFS. "efsinfo /y" will tell you which one it will use
| (when encrypting files on the local machine), but I still don't see how to
| set it explicitly!
|
| Mark Berry
|

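As an added example for the "check the user certificate store" step discussed in the thread (this is not code from either poster), the PowerShell snippet below lists the EFS certificates in the current user's Personal store and flags whether each one is self-signed (the fallback EFS generates when no CA is reachable) or CA-issued, whether it has expired, whether the private key is present, and whether it chains to a trusted root. It assumes a Windows machine with the Cert: PSDrive; the function name Get-EfsCertificate is my own. The EKU OIDs are the standard Microsoft ones for EFS (1.3.6.1.4.1.311.10.3.4) and EFS recovery (1.3.6.1.4.1.311.10.3.4.1).

```powershell
# Added example, not from the newsgroup post: inventory the EFS certificates
# in the current user's Personal store and show self-signed vs CA-issued.
# Assumes Windows with the Cert: drive (Windows PowerShell or PowerShell 7).

# Enhanced Key Usage OIDs: EFS user certificate and EFS file recovery agent.
$EfsEku         = '1.3.6.1.4.1.311.10.3.4'
$EfsRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsCertificate {
    [CmdletBinding()]
    param(
        # EFS picks its certificate from the user's own Personal store.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Collect every EKU OID carried by the certificate.
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }

        # Skip anything that is not an EFS or EFS recovery certificate.
        if ($ekuOids -notcontains $EfsEku -and $ekuOids -notcontains $EfsRecoveryEku) { return }

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            # Issuer equal to Subject is the hallmark of the self-signed
            # fallback certificate EFS creates when no CA is available.
            SelfSigned     = ($cert.Subject -eq $cert.Issuer)
            IsRecoveryCert = ($ekuOids -contains $EfsRecoveryEku)
            NotBefore      = $cert.NotBefore
            NotAfter       = $cert.NotAfter
            Expired        = ($cert.NotAfter -lt (Get-Date))
            # Without the private key the certificate cannot decrypt anything.
            HasPrivateKey  = $cert.HasPrivateKey
            # A CA-issued certificate should build a chain to a trusted root;
            # a self-signed one normally will not.
            ChainOk        = $cert.Verify()
        }
    }
}

# Run as the user whose files are encrypted, on the machine where the
# encryption actually happens (per the thread, the target machine's profile
# decides which certificate is used).
Get-EfsCertificate |
    Format-Table Thumbprint, SelfSigned, IsRecoveryCert, Expired, HasPrivateKey, ChainOk -AutoSize
```

If the output shows only a SelfSigned entry after the CA certificate has supposedly been issued, the enrollment did not complete, which is exactly the condition the test steps in the reply are meant to surface; if both a self-signed and a CA-issued certificate are present, the older one should be exported and kept so files encrypted under it remain recoverable.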