Managing certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Encrypting File System (EFS) uses public key cryptography to encrypt the contents of files. The keys that are used are obtained from the certificate of the user and any additional users and designated recovery agents configured. Because the certificates may also contain private key information, they must be managed correctly.

Certificates that are used by EFS can be obtained from a certification authority (CA) or created automatically by the computer. When obtaining an EFS certificate from a CA, the cryptographic service provider (CSP) and the appropriate object identifier (also known as an OID) must be referenced by the certificate. EFS can use either a base or enhanced CSP. If these two attributes are not set correctly in the certificate, EFS is unable to use it.

The certificate and private key of all designated recovery agents should be exported to removable disk and stored securely until needed. For more information, see Export a certificate with the private key. When exporting the certificate and private key, ensure that, in the Intended Purposes column, the selected certificate includes Encrypting File System and that you have the associated private key.

Certificates and private keys can be used on multiple computers. If your Windows XP network is configured to use roaming profiles, the certificates will be available on any computer you log on to. Otherwise, the certificates and private keys must be exported and imported manually. To manually export a certificate and private key, use the procedure referenced above. To import this information, see Import a certificate.

Verification of certificate validity

Certificates are not expected to be valid indefinitely. Over time, an attacker can determine the corresponding private key and render the data encrypted with that key vulnerable. Because of this, certificates have a validity period that defines the length of time during which they can be considered valid. Once the validity period expires, a new certificate must be obtained to encrypt new data. However, the existing certificate and private key are normally retained so older data can still be decrypted.

Certificates can also be revoked by the issuing CA, even when they are still within their validity period. There are a number of reasons why a certificate could become untrustworthy, including compromise of the certificate subject's private key or discovery that a certificate was obtained fraudulently. When a certificate is revoked, it is placed on a certificate revocation list (CRL) maintained by the CA.

When a file is encrypted, EFS checks the validity period on the certificate of the user as well as that of the recovery agent. When a new user is added to an existing file, EFS additionally checks whether the certificate being added has been revoked and whether it chains to a trusted root CA. If the certificate is found to be invalid (because of expiration, revocation, or inability to chain to a trusted root), the certificate is not used and the user is typically notified.
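The following PowerShell script is an added example, not part of the original article or of Windows itself: it walks the current user's personal certificate store and applies the checks described above to each certificate (the Intended Purposes column includes Encrypting File System, a private key is present, the validity period has not lapsed, and the certificate chains to a trusted root without being revoked). It assumes a PowerShell host with the Cert: drive and the .NET X509Chain class, which are newer than Windows Server 2003; the EFS enhanced key usage OID 1.3.6.1.4.1.311.10.3.4 is the standard Microsoft value.

```powershell
# Added example: report which certificates in CurrentUser\My EFS could use.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

function Test-EfsCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert
    )

    # "Intended Purposes" in the Certificates snap-in is the EKU extension.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasEfsEku = ($null -ne $eku) -and
        [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })

    # Validity period check, as EFS performs when encrypting a file.
    $now = Get-Date
    $inValidityPeriod = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -ge $now)

    # Chain building with online revocation checking, as EFS performs when a
    # new user is added to an existing file.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chains = $chain.Build($Cert)
    $chainSummary = 'OK'
    if (-not $chains) {
        $chainSummary = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }

    [pscustomobject]@{
        Subject          = $Cert.Subject
        Thumbprint       = $Cert.Thumbprint
        HasEfsEku        = $hasEfsEku
        HasPrivateKey    = $Cert.HasPrivateKey
        InValidityPeriod = $inValidityPeriod
        NotAfter         = $Cert.NotAfter
        ChainStatus      = $chainSummary
        UsableByEfs      = $hasEfsEku -and $Cert.HasPrivateKey -and $inValidityPeriod -and $chains
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-EfsCertificate -Cert $_ } |
    Format-Table Subject, HasEfsEku, HasPrivateKey, InValidityPeriod, NotAfter, ChainStatus, UsableByEfs -AutoSize
```

A certificate that the computer created automatically is self-signed and will show a chain failure here; that matters when the certificate is offered for another user, whereas the owner's own encryption only depends on the validity period.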