MJ
Apr 6, 2004
Archived from groups: microsoft.public.windowsxp.security_admin

Is there any way to enforce the usage of Active Directory published EFS
Certificate instead of creating a new one every time I change a PC?

Here is why:

The first time I use EFS on a PC, it locally generates an EFS Certificate
(i.e. self-signed). I can publish this Certificate in Active Directory so
that other users can enable me to read their encrypted documents - All is
fine.

However, if I change the PC (or work from some other location), the first
time I try to encrypt the file another/new/different local (self-signed) EFS
Certificate will be created for me.
Now, I thought that PCs (i.e. Windows XP) are smart enough to check the
Active Directory whether there is already a published Certificate and use the
same one instead of creating a new one (local, self-signed).
Or perhaps I should have asked: since there can be only one private key for
each public key (i.e. certificate), is it possible to store (and use as
needed) the private key in Active Directory along with the corresponding
Certificate?
 

EFS needs your private key available locally to work. Hence migrating certs
alone is not enough. The private keys are protected by DPAPI on the local
machine. Certs are public information and hence published to AD. Private keys
usually are not.

If you want to use the same cert+key for EFS across multiple machines, you
need to make sure that the private key along with the certificate is
available on each machine. Some ways to achieve this:
1) Turn on roaming profiles and your cert and key will automatically roam to
all machines. This however has performance implications.
2) If the number of machines involved is small, you can export your EFS
cert+key from previous machine to a PFX and import it on the new machine
before attempting EFS.
3) If the machines are part of a domain and there is a file server with
Trusted For Delegation privileges available in the domain, you can do remote
EFS by storing your documents on this server. The keys in this case are
maintained on the server so you can easily access your documents from
various clients.

--
Shreeniwas Kelkar [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
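The export/import procedure from point 2 above, together with a check for the reply's first point (the DPAPI-protected private key must be present locally, the certificate alone is not enough), as an added PowerShell example that is not from the thread. It assumes the PKI module of Windows 8 / Server 2012 and later (Export-PfxCertificate, Import-PfxCertificate); the original thread concerned Windows XP, where the same steps were done through the certificate MMC snap-in.

```powershell
# Added example, not from the original thread. Assumes Windows PowerShell 5.1
# with the PKI module; the EFS EKU OID below is the standard Microsoft value.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

function Get-EfsCertificate {
    # Current user's certificates that carry the EFS enhanced key usage.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsEku }
    }
}

function Test-EfsKeyPresent {
    # The reply's point: an EFS cert whose private key is missing on this
    # machine cannot decrypt anything. Report each EFS cert and its key state.
    foreach ($cert in Get-EfsCertificate) {
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

function Export-EfsPfx {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key on this machine; nothing to roam."
    }
    # The PFX contains the private key: it is as sensitive as the key itself.
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $Password | Out-Null
}

# On the old machine:
#   Test-EfsKeyPresent | Format-Table
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Export-EfsPfx -Thumbprint <thumbprint from the table> -Path .\efs.pfx -Password $pw
# On the new machine, before encrypting the first file there:
#   Import-PfxCertificate -FilePath .\efs.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $pw
#   Test-EfsKeyPresent | Format-Table    # HasPrivateKey should now be True
```

Run Test-EfsKeyPresent on the new machine after the import: if HasPrivateKey is False for the roamed thumbprint, EFS will still mint a fresh self-signed certificate on first use, exactly the behaviour the question describes.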
