Posted by Steven L Umbach on May 19, 2006, 5:26 pm
I know this works for W2003 but not sure on W2K, but you could try running
the command certutil -cainfo on it to find out details, as shown in the
example below for CA type.
E:\Documents and Settings\Administrator>certutil -cainfo
Exit module count: 1
CA name: MP3
Sanitized CA short name (DS name): MP3
CA type: 0 -- Enterprise Root CA
ENUM_ENTERPRISE_ROOTCA -- 0
The book you bought is outstanding and should get you well on your way to
setting up your new CA. Keep in mind that if you install your enterprise CA
on Windows 2003 Enterprise instead of Windows 2003 Standard you will have
many more options to manage your PKI, such as configurable version 2
certificate templates, autoenrollment for user certificates, and the ability
to archive private keys used for encryption such as those used for EFS.
Having said that, you will do fine implementing EFS if you have to use
Windows 2003 Standard, as users will still automatically get EFS certificates
from the CA, assuming everything is configured correctly. Until you get the
book the links below may help. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx
http://technet2.microsoft.com/WindowsServer/en/Library/d2ff1315-1712-48e4-acdc-8cae1b593eb11033.mspx?mfr=true
--- see designing a public key infrastructure
http://www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.mspx
http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx
> Hi Steven,
>
> Thanks for the answer and suggestions.
>
> To be honest, I haven't figured out where I can see if the CA is an
> enterprise CA for the domain. It's an old CA running Windows 2000. It's a
> member of the domain, but that's about all I know about it.
>
> To be honest I'm playing with the thought of removing it from AD and
> installing a new Windows 2003 Enterprise CA and designing it correctly (if I
> can figure out how to do that *Grins*)
>
> I've just ordered "Microsoft® Windows Server™ 2003 PKI and Certificate
> Security" by Brian Komar, since my understanding of PKI is only basic and I
> need a bit more.
>
> That's also the reason why I'm in doubt with the present situation. But I
> would very much like a real EFS design with recovery agents etc.
>
> So if you have a link to some good guides I would very much appreciate it.
>
> Yours sincerely,
> Benjamin
>
> "Steven L Umbach" wrote:
>
>> Is your CA an enterprise CA? If it is you should be able to log on to a
>> known secure domain computer as a domain administrator and request a new
>> Recovery Agent Certificate via the MMC snap-in for certificates for user,
>> then go to the Personal/Certificates folder, right-click, and select All
>> Tasks - Request Certificate. If that works you can export the RA
>> certificate [not including the private key] to a .cer file and then import
>> that into your Group Policy PKI setting for EFS. Also you would then want
>> to export the RA certificate and private key to a password-protected .pfx
>> file on offline media and store it in a couple of very secure places, and
>> you may want to delete it from the computer you generated it on. --- Steve
>>
>>
>> > Greetings all,
>> >
>> > Thanks for a great forum with a lot of knowledge. I hope one day to have
>> > the time to search it through and read all the interesting articles.
>> >
>> > But back to the topic. I've recently got the task of figuring out a way
>> > to encrypt the company's data on laptops. My first thought was to wait
>> > for Vista with BitLocker, but that's too far away on the horizon.
>> >
>> > So I decided to use the built-in EFS in Windows.
>> > I tried to right-click on a folder and select Advanced and then Encrypt,
>> > but received the following error:
>> >
>> > An error...Recovery policy configured for this system contains invalid
>> > recovery certificate.
>> >
>> > I did enter rsop.msc on the client and looked under "Computer
>> > configuration"-->"Windows settings"-->"Public Key Policies"-->"Encrypting
>> > File System", and here I find an old default certificate, which is no
>> > longer valid. It's issued to "Administrator" and by the "Administrator",
>> > so it's probably the default one from when the AD was created.
>> >
>> > If I enter Active Directory Users and Computers and open the "Default
>> > Domain Policy" and look under the above "road", I can see that it's here
>> > the certificate gets distributed.
>> >
>> > Now my problem is that I want people to be able to encrypt files again
>> > using EFS, but I also want us "the company/administrators" to be able to
>> > decrypt the files if an employee leaves. Any suggestions on how I
>> > create/renew the setup?
>> >
>> > The network consists of 3 AD servers running Windows 2003. We also have
>> > an old CA running Windows 2000 which is a member of the domain (but no
>> > real PKI atm).
>> >
>> > Is there an easy way to make 2 recovery agents and distribute them in
>> > AD, so the users can encrypt files? And so that the administrators can
>> > recover encrypted files if a profile is lost etc.
>> >
>> > Thanks in advance for any replies or links to places where I can find
>> > any knowledge about this topic.
>> >
>> > I've looked a bit at the following, which explains a bit about it,
>> > except for the default administrator certificate which has expired in a
>> > domain.
>> > http://www.atlguide2000.com/windowsxp/index.php?act=view&aid=114
>> >
>> > Btw, any suggestions on a good Windows certificate book would be
>> > appreciated. One that tells the basics and then how to make full use of
>> > it in a Windows 2003 environment with Exchange 2003 and ISA 2004. Always
>> > nice to have something to read in the spare time.
>> >
>> > Yours sincerely,
>> > Benjamin
>>
>>
>>
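The two pieces of advice in this thread (check the CA type with certutil -cainfo, then enrol a Recovery Agent certificate, export the public .cer for Group Policy, escrow the .pfx offline and delete the key from the workstation) as one scripted procedure. This is an added example, not code from either poster; it uses the PowerShell PKI cmdlets (Windows PowerShell 4 or later) rather than the Windows 2003-era MMC steps the thread describes, and it assumes the default EFS Recovery Agent template (internal name EFSRecovery), an account allowed to enrol for it, and placeholder output paths on removable media. The EKU OIDs are Microsoft's published values; the -Config value for querying a remote CA is illustrative.

```powershell
# Added example: check CA type, enrol an EFS Recovery Agent certificate,
# validate it, export .cer (for the GPO) and .pfx (offline escrow), then
# remove the private key from this machine. Paths and -Config are placeholders.

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$EfsRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery (what a DRA needs)
$EfsUserEku     = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System (ordinary user cert)

function Get-CAType {
    # Parses "certutil -cainfo type". Run on the CA itself, or pass
    # -Config 'cahost\CA name' (assumed) to query it from a domain member.
    param([string]$Config)
    $cmdArgs = @()
    if ($Config) { $cmdArgs += @('-config', $Config) }
    $cmdArgs += @('-cainfo', 'type')
    $out = (& certutil.exe @cmdArgs) | Out-String
    if ($out -notmatch 'CA type:\s*(\d+)\s*--\s*(.+)') {
        throw "Could not read CA type from certutil output:`n$out"
    }
    [pscustomobject]@{
        Code         = [int]$Matches[1]            # 0/1 enterprise, 3/4 standalone
        Name         = $Matches[2].Trim()
        IsEnterprise = ($Matches[2] -match 'Enterprise')
    }
}

function Test-RecoveryAgentCertificate {
    # A usable DRA certificate carries the File Recovery EKU, is valid today,
    # and (to escrow it) still has its private key in this store.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $problems = @()
    if ($oids -notcontains $EfsRecoveryEku) {
        if ($oids -contains $EfsUserEku) { $problems += 'EFS user certificate, not a recovery agent certificate' }
        else { $problems += 'missing File Recovery EKU' }
    }
    $now = Get-Date
    if ($Cert.NotAfter -lt $now)  { $problems += "expired $($Cert.NotAfter)" }    # the thread's original error
    if ($Cert.NotBefore -gt $now) { $problems += "not yet valid (from $($Cert.NotBefore))" }
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in this store' }
    [pscustomobject]@{ Thumbprint = $Cert.Thumbprint; Ok = ($problems.Count -eq 0); Problems = $problems }
}

function New-RecoveryAgentEscrow {
    param(
        [string]$CerPath  = 'E:\EFS-DRA.cer',   # public certificate, imported into the GPO
        [string]$PfxPath  = 'E:\EFS-DRA.pfx',   # certificate + private key, offline media only
        [string]$Template = 'EFSRecovery'       # default EFS Recovery Agent template
    )
    $ca = Get-CAType
    if (-not $ca.IsEnterprise) { throw "CA is '$($ca.Name)'; certificate templates need an enterprise CA" }

    # Request the DRA certificate into the current user's Personal store.
    $result = Get-Certificate -Template $Template -CertStoreLocation 'Cert:\CurrentUser\My'
    if ($result.Status -ne 'Issued') { throw "Enrollment status: $($result.Status)" }
    $cert = $result.Certificate

    $check = Test-RecoveryAgentCertificate -Cert $cert
    if (-not $check.Ok) { throw ('Refusing to use certificate: ' + ($check.Problems -join '; ')) }

    # Public half only: this is the file "Add Data Recovery Agent" in the GPO consumes.
    Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

    # Private key for escrow; passphrase-protect it and keep copies offline.
    $pw = Read-Host -AsSecureString 'Passphrase for the .pfx'
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw | Out-Null

    # Remove certificate and key from the workstation so only the escrowed copy can decrypt.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey

    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Cer = $CerPath; Pfx = $PfxPath; Expires = $cert.NotAfter }
}

New-RecoveryAgentEscrow
```

The .cer then goes into the GPO under Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System (Add Data Recovery Agent), and the expired Administrator certificate is removed from the same list; clients pick it up on the next policy refresh (gpupdate /force), and files already encrypted under the old policy only get the new agent added when they are rewritten or when the user runs cipher /u. Running Test-RecoveryAgentCertificate against the certificate currently shown in rsop.msc is a quick way to confirm whether "invalid recovery certificate" means expired, wrong EKU, or something else.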