Jeff Durham
Why are the private keys for a "user" certificate not exportable? I have a
win2k domain setup with a certificate authority. I have a "user"
certificate to do things like VPN and wireless WPA EAP-TLS authentication.
This certificate can also be used to encrypt files. However, that seems
very dangerous. The reason is that this certificate cannot be exported with
its private key, making it useless when importing on a new system to decrypt
files encrypted by that certificate.
To get around this, I first requested (or one is requested automatically
when encrypting a file and a certificate does not exist) a Basic EFS
certificate. When having that first, files get encrypted with that
certificate regardless of whether I request a subsequent User certificate,
which also supports file encryption.
It seems that there is no way to configure a User certificate to have its
private key exportable. I prefer to rely upon my own certificate backup
rather than an EFS recovery agent.
Any thoughts on this?
Jeff