Expired Recovery Agent EFS Cert

Jeffrey

I am on a Windows 2000 domain where the Administrator account is set as
the Recovery Agent at the domain level policy. The certificate recently
expired for that account and some XP machines can no longer encrypt
files or folders. When doing so they receive this error:

"Recovery policy configured for this system contains invalid recovery
certificate."

I have done some looking, but I am still a little foggy on what steps I
need to do to replace that certificate with a current one. It looks
like I can run cipher /r to generate a recovery cert on an XP machine,
import it into the Administrator's account using the Certificates MMC
and then re-add Administrator to the policy as a recovery agent. After
that it appears I can run cipher /u to update on the client machine to
update it with the new info. Is that correct? Any steps or details I
am leaving out?

Thanks!
Jeffrey
 
Steven L Umbach

Once you add the new certificate to the Group Policy where the EFS RA is
specified, the users on the computers should be able to use EFS again
once their Group Policy refreshes to show a valid certificate. You can run
gpupdate on the XP Pro computers to speed up the propagation of Group Policy;
otherwise it should take approximately 90 minutes for computers already
online. You can run rsop.msc on an XP Pro computer to see if the change has
propagated. Be sure to export a copy of the new RA certificate AND private
key to a password protected .pfx file on external media for safe
keeping. --- Steve
 
Roger Abell [MVP]

and after doing this hope that you do not need to recover
a file that has not been touched since the change

I believe that what happened here is not supposed to occur.
 
Steven L Umbach

XP Pro of course may not need an RA to use EFS, but if one is specified in GP
then maybe it will not work if the RA is invalid, much like W2K works? If
that is the case then I would think the old RA should still be able to
recover files encrypted prior to its expiration until files are also
updated with the new RA. --- Steve
 
Roger Abell [MVP]

Hmmm . . . interesting idea, as I now hear you, describing
the defining of a new DRA, not just a new cert of the one
original DRA. I would like to hear David Cross' take on
scenarios whereby the RA cert is able to expire/not renew.
 
Jeffrey

Steven said:
XP Pro of course may not need an RA to use EFS, but if one is specified in GP
then maybe it will not work if the RA is invalid, much like W2K works? If
that is the case then I would think the old RA should still be able to
recover files encrypted prior to its expiration until files are also
updated with the new RA. --- Steve

This appears to be the case from what I saw. The RA was defined in
Group Policy and did have an expired cert in the Group Policy. So
whenever an XP client would try to encrypt a folder they would receive
an error regarding the invalid certificate. Using rsop.msc did show the
applied policy on the XP machine in question had an expired cert.

I was able to export the expired key pair and save it to CD for future
use. From the reading I did while I worked on this issue, I should still
be able to decrypt files that were created while it was valid. I think.

What I did was generate a new key pair using cipher /r and then added it
to my group policy as my recovery agent. I had to remove the expired
cert to get things working again, but once I did the XP machines in
question could encrypt folders and files again. Both the expired key
pair and current key pair have been exported and saved to CDs and placed
in secure, safe locations.

Where I am at only three of us even use EFS on our machines, but from
the reading it looks like one only needs to run cipher /u on their
machine to update the keys to the new recovery agent, solving any
problems of the old one having expired.

I welcome any additional comments or thoughts as to how or why the
initial one expired or if it even should have. I hadn't dived into the
hows and whys of EFS until this issue so I can only speak to what seemed
to fix my situation.

Thanks for input!

Jeffrey
 
Steven L Umbach

I may be wrong but I believe cipher /u may be user specific. What you can do
is use the utility efsinfo to see who is the RA for your EFS files, and if
the name of the RA did not change you can check the thumbprint info of the
RA certificate to see exactly what certificate it is referring to. All
certificates have a finite lifetime, and you can see this in the "valid from"
property on the main page of the certificate by clicking the .cer file or
using the MMC snap-in for user/computer certificates to view the certificate.
Keeping all RAs [even expired ones] in a safe place is the smart thing to
do. The link below is on EFS best practices, though you are already doing the
most important part. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;223316&sd=tech ---
EFS best practices
http://support.microsoft.com/default.aspx?scid=kb;en-us;243026&sd=tech ---
how to use efsinfo
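As an added example (not from any poster in this thread), a PowerShell pre-flight check for the procedure Jeffrey describes (cipher /r, publish the RA in Group Policy, cipher /u) and the thumbprint/validity check Steve suggests: it inspects the .cer file that cipher /r produced, confirms it carries the EFS File Recovery EKU, reports the thumbprint to compare against efsinfo or rsop.msc, warns when the certificate is expired or close to expiry, and previews the encrypted files cipher /u would re-stamp. The .cer path and the 90-day warning threshold are assumed placeholders.

```powershell
# Added example, not code from the thread. Checks a prospective EFS
# recovery-agent certificate before it is published in Group Policy.
$CerPath  = 'C:\Path\To\NewRecoveryAgent.cer'   # placeholder: the .cer written by "cipher /r"
$WarnDays = 90                                  # assumed threshold for the expiry warning

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU "File Recovery" required for an EFS DRA

function Test-EfsRecoveryCert {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Collect the EKU OIDs; the EKU extension is surfaced as a typed object by .NET.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    $now = Get-Date
    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint       # compare with the RA thumbprint shown by efsinfo / rsop.msc
        NotBefore      = $cert.NotBefore        # the "valid from" date Steve refers to
        NotAfter       = $cert.NotAfter
        IsFileRecovery = ($ekus -contains $FileRecoveryOid)
        IsExpired      = ($cert.NotAfter -lt $now)
        DaysLeft       = [int]($cert.NotAfter - $now).TotalDays
    }
}

$result = Test-EfsRecoveryCert -Path $CerPath
$result | Format-List

if (-not $result.IsFileRecovery) {
    Write-Warning 'Certificate lacks the File Recovery EKU; it is not usable as an EFS recovery agent.'
}
if ($result.IsExpired) {
    Write-Warning 'Certificate has expired; clients will report an invalid recovery certificate.'
} elseif ($result.DaysLeft -le $WarnDays) {
    Write-Warning "Certificate expires in $($result.DaysLeft) days; renew and republish the DRA before then."
}

# Preview the current user's encrypted files that "cipher /u" would update.
# "/n" lists only and changes nothing; cipher /u itself is per-user, as Steve notes.
cipher /u /n
```

Run the check against the expired .cer exported from the old Administrator account as well, to record its thumbprint alongside the archived .pfx so older files can be matched to the right recovery key later.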