Why do I have different EFS certificates on 3 domain computers, all can read encrypted files
EFS Certificates look different on several machines, all can all access encrypted files - how?
I am successfully using EFS, but have just done an audit to make sure we have the correct backup certificates/keys. I noticed something I don't understand and want to work out what is going on before it becomes a problem.
I have some encrypted files, encrypted for me using a certificate with thumbprint 'B9D5 ...'
When I log in to our domain controller (SBS 2003) and check my certificate store, I can see a personal EFS certificate with this same thumbprint. So far so good.
When I check on 2 other client computers (Windows 7 Ultimate/Enterprise), I see one EFS certificate on each computer, but both with different thumbprints and expiry dates, and no certificate to match the EFS certificate I can see on the server.
I can access encrypted files with no problem on all 3 systems.
It is quite possible (likely) that I imported other certificates into the client machines at some point in the distant past, but if that's what I'm seeing in certmgr, how can I see the in-use EFS certificate?
I'd like to make sure I back up the correct certificate. It looks like the certificates I can see on the client machines are not the ones used in encrypting my files (but then how am I reading them?). More to the point, if I want to back up the certificate, my plan would normally be to export the certificate & private key from my normal client machine, but I'm not sure this will work with the certificates I can see.
Can anyone throw any light on what is going on here?
Confused Andy
Andy
February 13th, 2012 9:08am
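The audit the question describes (which certificate thumbprint a file was actually encrypted with, and whether that certificate and its private key are in the logged-on user's store) can be done from the client itself. The following PowerShell script is an added example, not code from the original post or from Microsoft; it assumes `cipher.exe /c` prints `Certificate thumbprint:` lines on the Windows version in use (it does on Vista and later), and the file path is a placeholder to replace with one of your own encrypted files. The EFS enhanced key usage OID it filters on is the standard `1.3.6.1.4.1.311.10.3.4`.

```powershell
# Added example (not from the original post): find which certificate(s) can decrypt an
# EFS-encrypted file and compare them with the EFS certificates in the current user's
# Personal store, so the one that actually protects the data is the one backed up.
# Assumption: cipher.exe /c reports "Certificate thumbprint:" lines on this Windows build.
param(
    [string]$Path = 'C:\Data\example.docx'   # placeholder: an EFS-encrypted file of yours
)

# 1. Ask the OS which certificates can decrypt this file (user certs and recovery agents).
$cipherOut = & cipher.exe /c $Path 2>&1

# Extract the thumbprints from lines such as "Certificate thumbprint: B9D5 ..." and strip
# the spaces so they compare with the Thumbprint property exposed by the Cert: drive.
$fileThumbs = @($cipherOut |
    Where-Object { $_ -match 'thumbprint' } |
    ForEach-Object { (($_ -replace '^.*:\s*', '') -replace '\s', '').ToUpperInvariant() } |
    Select-Object -Unique)

# 2. Enumerate certificates in the current user's Personal store that carry the
#    EFS enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4).
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$myEfsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $cert = $_
    $hasEfsEku = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $efsOid) { $hasEfsEku = $true }
            }
        }
    }
    $hasEfsEku
})
$myThumbs = @($myEfsCerts | ForEach-Object { $_.Thumbprint.ToUpperInvariant() })

# 3. Report each local EFS certificate: expiry, whether the private key is present
#    (an exportable backup needs it), and whether this file is encrypted to it.
foreach ($cert in $myEfsCerts) {
    New-Object PSObject -Property @{
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        HasPrivateKey  = $cert.HasPrivateKey
        UsedByThisFile = ($fileThumbs -contains $cert.Thumbprint.ToUpperInvariant())
    }
}

# 4. Any thumbprint the file lists that is NOT in this user's store belongs to a key held
#    elsewhere: a data recovery agent, or a certificate only present on another machine.
$missing = @($fileThumbs | Where-Object { $myThumbs -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Output "Decryptors for $Path not in CurrentUser\My: $($missing -join ', ')"
}
```

A certificate flagged `UsedByThisFile` with `HasPrivateKey` true is the one to export (certificate plus private key) from that machine; if the only match is in the "not in CurrentUser\My" list, the file is being opened via a different certificate, such as a recovery agent's, and the client-side certificate the question sees in certmgr is not what protects the data. The built-in `cipher.exe /x:<file> <backupname>` writes the certificate and key used for that specific file to `<backupname>.pfx`, which is a straightforward way to capture exactly the right one.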