EFS Recovery Agent = Create works, Add = No certificate

If I edit GPO

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

and select Add & choose the same Domain Administrator (which previously had the very same EFS File recovery certificate issued via MMC)

I get the error No certificate available (which is not true, as the certificate does exist!)


But if I select to Create Data Recovery Agent, currently logged in user gets added (Domain Administrator in my case) & certificate gets issued to Personal store (next to the one already existing)

Any ideas why?

Thanks

Seb

August 20th, 2015 11:04am

  • Edited by scerazy Thursday, August 20, 2015 11:06 AM
August 20th, 2015 11:05am

Are you sure this is the proper type of certificate you are trying to import? It isn't saying no certificate exists, it is saying it's not the right kind of certificate. What is the output of this command run against the certificate you are trying to import?

certutil -verify -urlfetch <yourcert.crt>

August 20th, 2015 3:00pm

It is a certificate created from the very same template.

I did not try to import .crt but .pfx (maybe that is the reason?)

By now I deleted the certificate (as the Create worked fine)

Seb

August 21st, 2015 5:44am

Do NOT use the pfx, that contains the private key which should be safeguarded. The private key is what allows you to decrypt the encrypted file. It should be stored and protected away. The GPO import here is just the certificate part, the .crt file. This has the public key that is needed to add the recovery agent to the encryp
August 21st, 2015 7:16am
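
The distinction drawn in the answer above, as an added example that is not part of the original thread: this PowerShell sketch exports only the public certificate of any File Recovery certificate in the current user's Personal store, then checks whether a given file is a certificate-only file or a PFX before it is offered to the GPO Add dialog. The function names and the output folder are hypothetical, and the `.cer` extension (DER-encoded certificate) is an assumption.

```powershell
# Added example, not code from the thread. Function names and output folder are hypothetical.
using namespace System.Security.Cryptography.X509Certificates

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage

function Test-FileRecoveryEku {
    param([X509Certificate2]$Cert)
    # Look for the EKU extension and search it for the File Recovery OID.
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    return [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryOid }))
}

function Export-DraCertificate {
    param([string]$OutDir = (Join-Path $env:TEMP 'dra-export'))   # hypothetical folder
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { Test-FileRecoveryEku $_ } |
        ForEach-Object {
            $path = Join-Path $OutDir ($_.Thumbprint + '.cer')
            # -Type CERT writes the certificate (public key) only;
            # the private key stays in the store and is never written to disk.
            Export-Certificate -Cert $_ -FilePath $path -Type CERT | Out-Null
            $path
        }
}

function Test-DraImportFile {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path $Path).Path
    # Cert = certificate only; Pfx = PKCS#12 bundle that carries the private key.
    $type = [X509Certificate2]::GetCertContentType($full)
    $isCertOnly = ($type -eq [X509ContentType]::Cert)
    $hasEku = $false
    if ($isCertOnly) {
        $hasEku = Test-FileRecoveryEku (New-Object X509Certificate2 -ArgumentList $full)
    }
    [pscustomobject]@{
        Path               = $full
        ContentType        = $type
        HasFileRecoveryEku = $hasEku
        SuitableForGpoAdd  = ($isCertOnly -and $hasEku)
    }
}

# Export the public part, then confirm each file is certificate-only with the right EKU.
Export-DraCertificate | ForEach-Object { Test-DraImportFile $_ }
```

Running `Test-DraImportFile` against a `.pfx` reports `ContentType` as `Pfx` and `SuitableForGpoAdd` as `False`, which is the case described in this thread.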

Well, of course, why was I thinking?!

Pity the error does not help when one is too tired

Seb

August 21st, 2015 5:41pm

This topic is archived. No further replies will be accepted.
