Basic EFS certificate Expiry
My company has an AD2003 domain and has a root CA installed (not an enterprise CA). Some users are using EFS in our environment. The EFS Recovery Agent certificate will expire in Jun 2015. However, some users' "Basic EFS" certificates will expire very soon, in June 2011.
Since the Recovery Agent cert is still valid until 2015, I just want to know what is going to happen after the Basic EFS cert expiry in Jun 2011.
Can the Basic EFS certificate be renewed automatically after the expiry? Or, would the system regenerate a new set of Basic EFS cert to user after the expiry of existing EFS cert? Or, the users cannot perform encryption anymore after expiry?
Really thanks for your help!
May 25th, 2011 6:44am
The default Basic EFS template is a version 1 template and doesn't support autoenrollment. This means that a certificate will not be renewed automatically. The users have to go through the regular certificate enrollment process. Depending on your group policy settings, the system may generate a self-signed (not issued by your CA) EFS certificate.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
May 25th, 2011 8:14am
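A check that follows from the reply above, as an added example that is not part of the original thread: it lists the EFS-capable certificates in the current user's store, flags those expired or close to expiry, and shows whether each one is self-signed rather than CA-issued. The 30-day window and the output column names are assumptions chosen for illustration; PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread): inventory EFS certificates for the current user.
$EfsOid   = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$WarnDays = 30                          # assumed warning window
$now      = Get-Date

# Thumbprint of the certificate EFS currently uses for new encryption, if any.
$efsKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$inUse  = $null
$hash   = (Get-ItemProperty -Path $efsKey -ErrorAction SilentlyContinue).CertificateHash
if ($hash) { $inUse = ($hash | ForEach-Object { $_.ToString('X2') }) -join '' }

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    # Read the EKU extension directly and keep only certificates that allow EFS.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($oids -notcontains $EfsOid) { return }

    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
    if ($daysLeft -lt 0) { $status = 'Expired' }
    elseif ($daysLeft -le $WarnDays) { $status = 'ExpiringSoon' }
    else { $status = 'Valid' }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        DaysLeft      = $daysLeft
        Status        = $status
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)   # true if not issued by a CA
        HasPrivateKey = $cert.HasPrivateKey                # needed to decrypt existing files
        InUseByEfs    = ($inUse -and $cert.Thumbprint -eq $inUse)
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```

A row with SelfSigned set to True and a recent start date indicates that the system generated its own EFS certificate instead of the user enrolling a new one from the CA.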
My company has an AD2003 domain and has a root CA installed (not an enterprise CA). Some users are using EFS in our environment. The EFS Recovery Agent certificate will expire in Jun 2015. However, some users' "Basic EFS" certificates will expire very soon, in June.
I just want to know whether the Basic EFS certificate can be renewed automatically upon the expiry? Or, would the system regenerate a new set of Basic EFS cert to user after the expiry of existing EFS cert? Or, the users cannot perform encryption anymore after expiry?
Really thanks for your help!
May 25th, 2011 12:49pm
Hello,
please see:
http://msmvps.com/blogs/alunj/archive/2007/03/24/efs-in-a-domain-expires-after-three-years.aspx
http://support.microsoft.com/kb/929103
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
May 25th, 2011 12:57pm
Hello,
please see:
http://msmvps.com/blogs/alunj/archive/2007/03/24/efs-in-a-domain-expires-after-three-years.aspx
http://support.microsoft.com/kb/929103
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Thanks for your prompt reply.
However, in our case, the Recovery Agent cert is still valid until 2015. But the users' Basic EFS certificates will expire next month (Jun 2011). I just want to know what is going to happen after the Basic EFS cert expiry.
For the expiry of the DRA in Jun 2015, we will handle it separately next year.
May 25th, 2011 1:09pm
It will be better to ask in Security forums:
http://social.technet.microsoft.com/Forums/en-US/ocssecurity/threads
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
Your question is not related to Directory Services so it will be better to ask there.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
May 25th, 2011 1:27pm
My understanding is that the system would issue a replacement self-signed Basic certificate...
hth
Marcin
May 25th, 2011 4:17pm