EFS - Renew Certificates


Al Ardito

Hello,
I'm having problems with EFS not allowing me to encrypt new files or
folders because the Administrator certificate is expired. Does anyone know
how to renew this certificate? It looks to have been set in the default
domain policy (computer\windows\security settings\Public key policies\EFS)
when we went to our domain a few years ago. I'm not sure if this is the
right place to post, but I've been pulling my hair out trying to figure out
how to renew this certificate. Any help would be appreciated.


Thanks

Al
 
The original EFS File Recovery certificate is a self-signed certificate and
cannot be renewed. You will have to replace that certificate.
1. Back up the original File Recovery certificate w/private key to a .pfx
file. You'll need this file to recover encrypted files that may not get
updated to the new File Recovery certificate. Do the backup in
MMC\Certificates snap-in on the DC that has the original certificate. (Log on
as Administrator to see this.) Be sure the certificate you back up matches
the certificate that's in policy.
2. Run "cipher /r" to create a new File Recovery certificate (.Cer is the
public certificate and .pfx is the certificate w/the private key which should
be secured in a safe location. The .pfx is what you use to recover files.)
3. Delete the expired certificate from EFS policy.
4. Add the new certificate (.cer file) to EFS policy.
Once policy refreshes, EFS will work again.

More information is here:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Thanks.
Pat
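The replacement procedure above, scripted as an added example (not from Pat's reply or from Microsoft): it locates the File Recovery certificate in the Administrator's personal store by its EKU, reports whether it has expired, backs it up with the private key to a .pfx (step 1), and then runs cipher /r to generate the replacement (step 2). The backup folder name is an assumption, and Export-PfxCertificate requires the PKI module (Windows 8 / Server 2012 or later); the policy edits in steps 3 and 4 are still done in the Group Policy editor.

```powershell
# Added example: back up the expired EFS File Recovery (DRA) certificate and create its replacement.
# Run as Administrator on the DC that holds the original certificate.
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # Microsoft "File Recovery" enhanced key usage
$backupDir       = 'C:\EFS-Backup'              # assumed location; keep the .pfx files off shared paths
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Step 1: find File Recovery certificates that carry a private key
$draCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $fileRecoveryOid)
    }

foreach ($cert in $draCerts) {
    $state = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    '{0}  {1}  expires {2:yyyy-MM-dd}  [{3}]' -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $state

    # Compare the thumbprint with the certificate listed under
    # Computer Configuration > Windows Settings > Security Settings > Public Key Policies > EFS
    # before relying on this backup: only the certificate that is in policy can recover the files.
    $pfxPassword = Read-Host -AsSecureString "Password to protect the backup of $($cert.Thumbprint)"
    $pfxPath     = Join-Path $backupDir "old-dra-$($cert.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
}

# Step 2: create the replacement. cipher /r writes new-dra.cer (public certificate, goes into policy)
# and new-dra.pfx (private key, password prompted; store it offline in a safe location).
Push-Location $backupDir
cipher.exe /r:new-dra
Pop-Location

# Steps 3 and 4 (remove the expired certificate from EFS policy, add new-dra.cer) are done in the
# Group Policy editor. After policy refresh, "cipher.exe /c <encrypted file>" on a member lists the
# recovery agent certificate now applied to that file.
```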
 