EFS file sharing issues

We have allowed EFS on our File Server.

We are using AD and PKI Certs.

The first certs that were created were basic EFS.

The CA Admin made a template for all users that would do EFS, Email and Identity.

Then revoked all the basic EFS certs.

We published the CRL.

Restarted the Certificate Services.

All users are still using the revoked certs when utilizing EFS.

I have tried the following:

certutil -setreg chain\ChainCacheResyncFiletime @now

and every command in this link:

http://technet.microsoft.com/en-us/library/ee619754%28v=ws.10%29.aspx

Nothing is removing the old cert from being used.

Can someone give insight? I need to get this working ASAP.

Thanks


September 1st, 2015 2:19pm

Hello,

Please add the user's certificate in the file's Properties, which you can check via file -> right click -> General tab -> Advanced -> Details.

Remove the old certificate from there and add the new certificate. For this, the user's private key for the new certificate would be required on that machine, so the user should have encrypted at least one file on the server. Snip is as follows:

Regards

Mitul

September 1st, 2015 5:18pm

The snip is from a file that is just encrypted. Every time I encrypt, it uses the original basic EFS certificate that is now revoked. I can tell this by the certificate thumbprint. How do I get Windows to use the valid certificate for my EFS?

I should mention that the basic EFS cert is not even showing up on my PC in certmgr.msc.

I tried to add snips, but it is giving me fits.

September 1st, 2015 5:57pm

I also should mention that I am unable to add a user, because it will not do a lookup in Active Directory. It gives an error:

An Object (user) with the following name cannot be found:.....

September 1st, 2015 6:00pm

Hello,

Have you configured EFS domain-wide? If yes, check whether this GPO setting is applied or not.

September 1st, 2015 6:45pm

On Tue, 1 Sep 2015 21:53:25 +0000, TheComputerChick wrote:

I also should mention that I am unable to add a user, because it will not do a lookup in Active Directory. It gives an error:

An Object (user) with the following name cannot be found:.....

EFS only does revocation checking in two instances:

1. If the EFS template is configured to archive the private key, the
revocation status of the Key Recovery Agent certificate is checked when
requesting an EFS certificate.
2. When trying to share an EFS encrypted file with another user, the
revocation status of the other user's EFS certificate is checked.

So, revoking an EFS certificate is not going to accomplish what you want it
to. A revoked EFS certificate can still be used for encrypting and
decrypting files.

The fact that the basic EFS certificates have been revoked may well be the
cause for the above error.

What you really need to do is to add the original basic EFS certificate
template as a superseded template to the new certificate tem

September 2nd, 2015 1:26am
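The last reply makes the key point: EFS itself does not check the revocation status of the certificate used to encrypt a file, so revoking the old basic EFS certs does not stop them being used, and the admin has to find out for themselves which certificate a file was actually encrypted with and whether that cert is still valid. The following PowerShell script is an added example (not code from the thread or from Microsoft) that does that check from the user's session: it lists every certificate in the user's personal store that carries the EFS EKU, shows which template each came from, runs an online revocation check on each through the .NET X509Chain, and then compares those thumbprints against the ones cipher.exe reports for an encrypted file. The file path is an assumption, as is the exact wording of the cipher.exe output (the script only relies on a "thumbprint" line followed by hex digits).

```powershell
# Added example, not from the original thread.
# Audits which certificate(s) protect an EFS file and whether they are
# still valid, since EFS will keep using a revoked cert without complaint.
param(
    [string]$Path = 'C:\share\test.txt'   # assumed path to an EFS-encrypted file
)

$efsEku      = '1.3.6.1.4.1.311.10.3.4'  # Encrypting File System EKU
$tmplInfoOid = '1.3.6.1.4.1.311.21.7'    # Certificate Template Information (v2+ templates)
$tmplNameOid = '1.3.6.1.4.1.311.20.2'    # Certificate Template Name (v1 templates, e.g. "EFS")

function Get-TemplateLabel([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Prefer the v2 template extension, fall back to the v1 name, else "n/a".
    foreach ($oid in @($tmplInfoOid, $tmplNameOid)) {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { return ($ext.Format($false) -replace '\s+', ' ') }
    }
    return 'n/a'
}

function Test-Revocation([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # EFS skips this check; do it explicitly so revoked certs are visible.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok = $chain.Build($Cert)
    if ($ok) { return 'Valid' }
    return ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
}

# 1. EFS-capable certificates in the current user's personal store.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $efsEku
}

$inventory = foreach ($c in $efsCerts) {
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Template      = Get-TemplateLabel $c
        NotAfter      = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey
        ChainStatus   = Test-Revocation $c
    }
}
"EFS certificates in Cert:\CurrentUser\My:"
$inventory | Format-Table -AutoSize

# 2. Thumbprints cipher.exe reports for the file ("cipher /c" lists the
#    users who can decrypt it and the thumbprint of each cert used).
$cipherOut = & cipher.exe /c $Path 2>&1
$usedThumbs = $cipherOut |
    Where-Object { $_ -match 'thumbprint' } |
    ForEach-Object { (($_ -split ':', 2)[1]) -replace '[^0-9A-Fa-f]', '' } |
    Where-Object { $_.Length -eq 40 } |
    ForEach-Object { $_.ToUpper() }

"Certificates protecting $Path :"
foreach ($t in $usedThumbs) {
    $match = $inventory | Where-Object { $_.Thumbprint -eq $t }
    if ($match) {
        "  $t  template=$($match.Template)  status=$($match.ChainStatus)"
    } else {
        # Present on the file but not in this user's store: another user's
        # cert, a recovery agent, or a cert that was deleted locally.
        "  $t  (not in Cert:\CurrentUser\My)"
    }
}
```

Run it as the user who owns the file. A file protected only by a thumbprint whose ChainStatus shows Revoked is exactly the situation described in the thread: the old basic EFS certificate is still in use even though the CRL has been published. The script is read-only; the remediation stays with the CA-side change the last reply recommends (superseding the basic EFS template from the new template, so autoenrollment replaces the old cert), which can be triggered on a client with `certutil -pulse` and verified by re-running this script.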
