Delivering EFS Certificates to Users

Previous page
Table of content
Next page

All EFS users must have valid certificates for use with EFS. All designated DRAs must have valid file recovery certificates. These certificates can be created and self-signed by EFS if no certification authorities (CA) are available. Users can request certificates from an enterprise CA.

How EFS Uses Certificates

When a user sets the encrypted attribute for a file or folder, EFS attempts to locate the user s certificate in the personal certificate store. If the user does not have a certificate that has been authorized for use with EFS, EFS requests a certificate from an available enterprise certification authority (CA). If an enterprise CA is not available, EFS automatically generates its own self-signed certificate for the user.

In either case, a public-private key pair for use with the certificate is generated by CryptoAPI. The public key is stored in the user s certificate, the certificate is stored in the user s personal certificate store, and the private key is securely stored in the user s profile.

Each time a user accesses an encrypted file or creates a new encrypted file, EFS needs to access the user s EFS certificate to obtain the public key and/or to access the user s private key. In all cases, the private key is used to decrypt FEKs, and the public key is used to encrypt FEKs.

If the EFS user certificate expires, EFS ensures that the certificate is renewed if possible or if not, that a new public-private key pair and a new public key certificate are issued for the user the next time an EFS operation is performed for that user.

Note 

Certificates that EFS generates are self-signed rather than signed by a CA. Therefore, the certification path is the same as for root CA certificates, which are also self-signed. EFS certificates that are self-signed are identified by WindowsXP Professional as not trusted because the certifying authority does not have a certificate in the Trusted Root Certification Authorities store. Nevertheless, self-signed EFS certificates are valid for use by EFS.

Determining Whether an EFS Certificate Exists

If you upgraded from Windows 2000 Professional, a certificate might already exist for you. If your computer is not joined to a domain, and you have encrypted a file, EFS has generated a self-signed certificate for you. You can determine whether you have an existing certificate by using the Certificates snap-in.

To view your certificates by using the Certificates snap-in

  1. Open the Certificates snap-in configured for My user account.

  2. Expand the Personal folder, and then right-click Certificates.

Figure 17-5 shows the EFS certificate for the account alice.

click to expand
Figure 17-5: Certificates snap-in and EFS certificate

If the issuer (Issued By) is the same as the subject (Issued To), the certificate is self-signed. If the certificate is issued by a certification authority, its name is listed in the Issued By column.

Obtaining an EFS Certificate in a Stand-Alone Environment

In a stand-alone environment, EFS automatically generates EFS certificates. Users obtain a certificate by encrypting a file. Each user who logs on at the computer can encrypt files, and EFS generates a unique certificate and key pair for each user. Unless a user shares the encrypted files for others to access, no user can access another user s files.

You can also request certificates by using the Advanced Certificate page Web form.

Using Enterprise Certification Authorities to Issue Certificates

Domain environments can be configured so that EFS works just as it does in a stand-alone environment, creating self-signed certificates for users. Enterprise CAs can also be configured in the domain to create certificates for users. Certificates that are issued by enterprise certification authorities (CA) are based on certificate templates. Certificate templates are stored in Active Directory and define the attributes of certificate types to be issued to users and computers. The following three version 1 certificate templates support EFS user operations by default:

Administrator and user certificates have a number of uses in addition to EFS. A basic EFS certificate can be used for EFS operations only.

Enterprise CAs use Access Control Lists (ACLs) for certificate templates in Active Directory to determine whether to approve certificate requests. If a user has the Enroll permission for a certificate template, the CA will issue a certificate of the type defined by the template to the user.

By default, members of the Domain Admins and Domain Users security groups have Enroll permission for basic EFS certificates and user certificates. By default, members of the Domain Admins and Enterprise Admins security groups have Enroll permission for administrator certificates.

Users can obtain an EFS certificate from an Enterprise CA by using one of these methods:

Using an Enterprise CA ensures that users can easily and seamlessly obtain EFS certificates. This is also the lowest-cost option for certificate deployment.

Certificates can be requested from a CA by using the Certificates snap-in.

To request a certificate from a CA

  1. Open the Certificates snap-in, expand Personal folder, right-click Certificates, and then select All Tasks and Request New Certificate. The Request New Certificate wizard starts.

  2. On the Certificate Types screen, select Basic EFS, and click Next.

  3. Enter a Friendly name and a Description, and click Next.

  4. Click Finish to close the Request New Certificate wizard.

Open the Certificates folder to see the new certificate. In Figure 17-6, the administrator has a self-signed recovery certificate that EFS generated for the default EFS recovery policy. You can tell that the File Recovery certificate is self-signed because Issued To is the same as Issued By. Below it is the EFS certificate that was just requested. The EFS certificate was issued by a certification authority named CA1.

click to expand
Figure 17-6: Certificates snap-in

Renewing Certificates and Keys

EFS automatically renews certificates if possible. Self-signed certificates are valid for 100 years, so renewal is not an issue if you use these certificates. Certificates issued by certification authorities are typically valid for only a few years. You can view a certificate s expiration date in the Certificates snap-in. If EFS is unable to automatically renew an expired certificate, you are unable to encrypt more files by using the existing certificate. You can still decrypt files, however, because EFS stores existing private keys. If EFS cannot renew the certificate, it requests a new certificate from a trusted enterprise CA if one is known and available. Otherwise, EFS creates a new self-signed certificate.

If for any reason you want to generate a new self-signed certificate for a user, you can use the cipher command.

To generate a new certificate by using the cipher command

The output is the identifier that links the new private and public keys. You can view this identifier in the EFS certificate in the Certificates snap-in.

The following is an example of output from the cipher command.

X:\>cipher /k 
Your new file encryption certificate thumbnail information on the PC named WK-01 is:
  AEE8 15AD 68EE B640 9CD7 C25F 4E98 4CBC C2D9 7378
Note 

If you generate a new certificate and key by using cipher /k, new files are encrypted using the new public key. Existing encrypted files are decrypted by using the old private key, which continues to be stored in the user s profile.

Replacing Self-Signed Certificates with CA-issued Certificates

Self-signed certificates enable users to use EFS in the absence of a public key infrastructure or Active Directory. When a CA is deployed, however, PKI administrators need to migrate users from their existing self-signed certificates to CA-issued certificates. Otherwise, EFS continues to use the self-signed certificate, even if a CA has issued a new certificate.

Users can request new CA-issued file encryption certificates for EFS to replace their existing self-signed file encryption certificates by using the cipher command.

To request a CA-issued file encryption certificate

This causes WindowsXP Professional to archive the existing self-signed certificate and request a new one from a trusted CA. Any files that have been encrypted by using the earlier public key can still be decrypted, and when they are subsequently saved, they can be encrypted by using the new public key.

Warning 

Archived certificates must not be deleted. When a certificate is deleted, the corresponding private key is also deleted. Without the private key, files previously encrypted cannot be decrypted. Users can use the cipher /u command to update encrypted files on local drives by using the new keys.

The cipher utility can be called in a logon script to automatically and invisibly migrate users. This utility only works locally. It cannot request new certificates for files that have been encrypted on remote servers.

Note 

If the cipher /k command is used to replace a self-signed certificate, but no trusted enterprise CA can be located, the existing self-signed certificate is replaced with a new self-signed certificate.



Previous page
Table of content
Next page
Microsoft Windows XP Professional Resource Kit 2003
Microsoft Windows XP Professional Resource Kit 2003
ISBN: N/A
EAN: N/A
Year: 2005
Pages: 338
BUY ON AMAZON
Beginning Cryptography with Java
C++ How to Program (5th Edition)
Service-Oriented Architecture (SOA): Concepts, Technology, and Design
Logistics and Retail Management: Emerging Issues and New Challenges in the Retail Supply Chain
Pocket Guide to the National Electrical Code(R), 2005 Edition (8th Edition)
DNS & BIND Cookbook
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy