BitLocker DRA certificate expiration
We are running Win7 Enterprise on a Win2008R2 domain. We want to start using BitLocker, and even though I have confirmed that the BitLocker keys are getting backed up to AD DS through a GPO, and that the GPO does not allow BitLocker backups to occur unless that info is in AD DS, we are still considering using a DRA as a backup. What do you guys think? Is the DRA overkill? We just thought it would be a good failsafe, but my main concern is what happens when the certificate for the DRA expires? Any thoughts you guys have on using a DRA in addition to the normal AD DS backup, and on any issues with DRA certificates expiring, etc., I would appreciate.

Thanks,
Dan

Dan Heim
August 10th, 2011 9:21pm

Hi Dan,

An expired DRA certificate (private key) can still be used to decrypt previously encrypted files; however, new or updated encrypted files cannot use the expired certificate (public key). When a business has either lost the private keys of a DRA or the certificate of a DRA has expired, the best practice to follow is to immediately generate one or more new DRA certificates and update Group Policy to reflect the new DRAs. When users encrypt new files or update existing encrypted files, the files will automatically be updated with the new DRA public keys. It might be necessary to encourage users to update all existing files to reflect the new DRAs.

For more information, you can refer to the following articles:
http://technet.microsoft.com/en-us/library/cc875821.aspx
http://blogs.technet.com/b/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx

Best Regards,
Niki

Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 12th, 2011 12:22pm
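Since the answer above hinges on noticing DRA certificate expiry before it bites, here is an added example (not code from either poster) that warns when the DRA certificate is nearing or past expiry and confirms each fixed volume actually carries a Data Recovery Agent protector. It assumes the DRA certificate was exported to a placeholder path C:\DRA\BitLockerDRA.cer, and that manage-bde labels the protector line "Data Recovery Agent" (matched as plain text).

```powershell
# Added example: check DRA certificate validity and confirm DRA protectors on BitLocker volumes.
# Assumptions: placeholder certificate path below; manage-bde output matched as text.
param(
    [string]$DraCertPath = 'C:\DRA\BitLockerDRA.cer',   # placeholder path, adjust to your export
    [int]$WarnDays = 90                                  # warn this many days before NotAfter
)

# Load the exported public certificate and compare its validity window to today
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $DraCertPath
$now = Get-Date
$daysLeft = ($cert.NotAfter - $now).Days

if ($cert.NotAfter -lt $now) {
    # Per the answer above: an expired DRA still decrypts old data, but new encryptions will not
    # pick it up, so a replacement DRA and a GPO update are needed right away.
    Write-Warning "DRA certificate '$($cert.Subject)' expired on $($cert.NotAfter). Issue a new DRA certificate and update Group Policy."
} elseif ($daysLeft -le $WarnDays) {
    Write-Warning "DRA certificate '$($cert.Subject)' expires in $daysLeft days ($($cert.NotAfter)). Plan the replacement now."
} else {
    Write-Output "DRA certificate '$($cert.Subject)' valid until $($cert.NotAfter) ($daysLeft days left)."
}

# Confirm each fixed, lettered volume has a Data Recovery Agent key protector applied.
# manage-bde ships with Windows 7; unencrypted volumes produce an error that is captured as text.
$fixedVolumes = Get-WmiObject Win32_Volume -Filter "DriveType=3" | Where-Object { $_.DriveLetter }
foreach ($vol in $fixedVolumes) {
    $letter = $vol.DriveLetter
    $out = & manage-bde -protectors -get $letter 2>&1 | Out-String
    if ($out -match 'Data Recovery Agent') {
        Write-Output "$letter has a Data Recovery Agent protector."
    } else {
        Write-Warning "$letter has no Data Recovery Agent protector (or is not BitLocker-encrypted)."
    }
}
```

Run it from an elevated prompt, since manage-bde needs administrative rights to enumerate protectors.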
