EFS - Unable to encrypt a file in Windows 7 (invalid recovery certificate)
     Hello, Anyone been able to resolve the invalid recovery certificate error experienced when trying to encrypt a file in Win 7, due to an expired administrator certificate? I'm facing a similar problem and have been unable to resolve this despite several attempts to create a new certificate for the administrator account. The workstation is joined to a domain and the certificate for the domain user is OK. The expired certificate is only visible via rsop.msc and doesn't show (and hence I can't delete it) via gpedit.msc. How do you fix this? Thanks, Paul.  
May 24th, 2012 11:35am

Hi, May I know what encryption program you are using? What does that expired administrator certificate mean? Who issues the certificate? Please provide more detail on your issue.
Ivan-Liu TechNet Community Support
May 26th, 2012 11:48pm

Hi Ivan, I'm using native Windows 7 encryption. The certificate issued to administrator (self-issued during install) that enables one to encrypt files with EFS is what has expired.
May 28th, 2012 6:36am

Hi, "The first time you encrypt a folder or file, you should back up your encryption certificate. If your certificate and key are lost or damaged and you do not have a backup, you won't be able to use the files that you have encrypted." Do you have the encryption key? Here are two guides that can be referred to.
Encrypt or decrypt a folder or file http://windows.microsoft.com/en-us/windows-vista/Encrypt-or-decrypt-a-folder-or-file
What is Encrypting File System (EFS)? http://windows.microsoft.com/en-US/windows7/What-is-Encrypting-File-System-EFS
Ivan-Liu TechNet Community Support
May 31st, 2012 1:50am

Hi Ivan, yes I have the encryption key - those guides are not quite helpful as they do not address the problem I'm facing - an expired certificate. I'm now thinking it's something to do with the domain controller because I've tried to encrypt on a few other PCs on this domain and face the same problem; the cert displayed by rsop.msc expired at the same time for all the PCs I checked.
June 1st, 2012 2:41am

Hi, This article is helpful. You need to check the Active Directory. There is a paragraph that introduces the relationship between EFS and certificates.
Encrypting File System (EFS) http://www.tech-faq.com/encrypting-file-system-efs.html
Ivan-Liu TechNet Community Support
June 1st, 2012 3:53am

Hi,
EFS Recovery Agent Certificate expired http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/0889c49a-a268-4bc3-bf07-a10fd7d3bb47
You can deploy Certificate Services to issue and manage certificates for EFS users. Certificates that are issued by enterprise CAs are based on certificate templates. Certificate templates are stored in Active Directory, and define the attributes of certificate types to be issued to users and computers. I suggest you redirect to the Windows Server forum for assistance. To recover the EFS certificate on the domain controller. Hope that helps.
Ivan-Liu TechNet Community Support
June 1st, 2012 5:27am

Hi Ivan, thanks for the article - I've read it but do not see any way to resolve my problem. If you have any idea how to do so, please share.
June 1st, 2012 9:39am

Hi Liu, thanks. The problem was with the certificate on the domain controller CA. This is what had expired, and once our domain admin created a new data recovery cert, I'm now able to encrypt.
June 5th, 2012 10:39am

This topic is archived. No further replies will be accepted.
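
The thread's resolution was an expired data recovery certificate pushed by domain policy. As an added example (not code from any poster in this thread), the PowerShell below lists the recovery agent certificates a workstation has received through policy and flags expired or soon-to-expire ones. It assumes the applied EFS recovery policy is cached under the registry key shown, with one subkey per certificate holding a serialized certificate in a `Blob` value; `Get-EfsRecoveryCertStatus` and its parameters are names made up for this example.

```powershell
# Assumption: applied EFS recovery policy is cached here, one subkey per thumbprint.
$EfsPolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage

function Get-EfsRecoveryCertStatus {
    param(
        [string]$Path     = $EfsPolicyKey,
        [int]   $WarnDays = 30              # flag certificates expiring within this window
    )
    if (-not (Test-Path $Path)) {
        Write-Warning "No EFS recovery policy found at $Path"
        return
    }
    foreach ($sub in Get-ChildItem -Path $Path) {
        $blob = (Get-ItemProperty -Path $sub.PSPath -Name Blob -ErrorAction SilentlyContinue).Blob
        if (-not $blob) { continue }
        try {
            # Assumption: the Blob value loads as a serialized certificate via the byte[] constructor.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$blob)
        } catch {
            Write-Warning "Cannot parse certificate in $($sub.PSChildName): $_"
            continue
        }
        # Collect the EKU OIDs to confirm this really is a recovery agent certificate.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        $status = if ($daysLeft -lt 0) { 'EXPIRED' }
                  elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                  else { 'OK' }
        New-Object PSObject -Property @{
            Thumbprint      = $cert.Thumbprint
            Subject         = $cert.Subject
            NotAfter        = $cert.NotAfter
            DaysLeft        = $daysLeft
            FileRecoveryEku = ($ekus -contains $FileRecoveryOid)
            Status          = $status
        }
    }
}

Get-EfsRecoveryCertStatus |
    Select-Object Status, DaysLeft, NotAfter, FileRecoveryEku, Subject, Thumbprint |
    Format-Table -AutoSize
```

An `EXPIRED` row here matches the symptom described in the thread: the fix is made in the domain policy that publishes the recovery agent, not on the workstation.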
