W2K Standalone Recovery Certificate


Doug Clemons

I am the administrator of a walk-up type workstation running W2K. For various reasons, it's a standalone machine not connected to any domain. There are numerous users (8+) who need access to this machine and we recently implemented EFS for all users. By default, I'm the recovery agent; I'd like to add one and possibly two others. When I try to request new certificates for these individuals using Users and Passwords/Advanced/New Certificate I get an error that says something like "windows can't find an authority to process this request". No surprise, as I can't run CA services, but I thought W2K would self-sign a standalone requested certificate? Using the mmc Certificates snap-in gives me similar results. So, I import/export/install my certificate to the user's personal certificate store and try to add them under mmc public key/encrypted data recovery agents. Everything seems to go fine, the wizard tells me it worked, and then I get a message that says "certificate store already contains the selected certificate. Delete the duplicate before adding" and it kicks me back out to mmc... without another certificate/user added to the EDRP. I know some tricks: deleting the certificate, using regsvr32 to change the registry, and logging back in as the user generates a certificate. But isn't there another, easier way?

Thanks, Mike. Unfortunately, step #5 "follow the instructions in the wizard to add recovery agents" takes me to the "certificate store already contains the selected certificate. Delete the duplicate before adding" dead end. The wizard says it's successful in adding the RA, but when you exit the wizard, you get the message and it's not added to the EDRP. I'm beginning to think the admin is not just the default RA in a standalone environment, they are the ONLY RA. You can delete the cert from the EDRP, run regsvr32, log out, and log back in as a member of the admin group and - poof, it generates a cert for that user... but you have to export/delete and go through it again for the next user. XP Pro uses cipher.exe and the f:/ switch to generate new certs. "command not available" in W2K... any other thoughts?