Which EFS certificate used?

Posted by Marv Sun on January 20, 2008, 2:56 pm
Folks,

If my workstation (running XP) has multiple certificates that are qualified
for EFS encryption, which one will be selected when a file is enabled for
EFS? It seems there are no choices for the user to select manually.

Thanks in advance for your kind feedback.

Marvin


Posted by Martin Rublik on January 21, 2008, 2:35 am
Take a look at this article:
http://technet2.microsoft.com/windowsserver/en/library/04122595-5d30-4b19-945a-b6e4bb33bd6f1033.mspx?mfr=true
You are looking for the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys
that contains the certificate hash that is used for encryption.

Hope this helps

Martin


Posted by Marv Sun on January 21, 2008, 10:59 pm
Thanks Martin.

In the registry HKCU\....\EFS\Currentkeys, it did show the Certificate's
thumbprint that EFS used to encrypt my files. The thumbprint in this case
is my "Administrator" certificate that has multiple EKUs, including EFS,
SMIME etc.

But my question is why this particular certificate is selected by the OS to do
EFS? In my user certificate store, I have two more certificates that both
contain the EKU for EFS; why are they not used? Does the user have a choice to
select which certificate to use for EFS?

Thanks again for sharing.

Marvin


Posted by Martin Rublik on January 22, 2008, 2:48 am
The certificate for encryption is chosen (or generated) at the time the user
encrypts data for the first time.

Afterwards (if it is time valid) you can change it only by modifying the
registry. If you want to change the certificate, just set the hash in the
registry to the desired one (from your certificate store).

More info on the format of the hash and the key can be found in this discussion
http://tinyurl.com/2u8au3

As for the choice of the user, there is only the registry editor or the EFS
Certificate Configuration Updater http://www.codeplex.com/EFSCertUpdater (I have
never tried it myself). I hope this helps. Feel free to ask if you have more
questions, and feel free to correct any of my statements if they're wrong :).

Regards

Martin
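
A read-only way to check what Martin describes, added here as an example and not part of the original thread: it compares the hash stored under `CurrentKeys` with the EFS-capable certificates in the user's personal store and marks the one in use. It assumes PowerShell 2.0 or later and that the hash is the binary value named `CertificateHash` (the thread names only the key).

```powershell
# Added example (read-only): which certificate is EFS currently set to use?
$efsKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

# Assumption: the hash is the REG_BINARY value named CertificateHash.
$current = $null
$prop = Get-ItemProperty -Path $efsKey -Name CertificateHash -ErrorAction SilentlyContinue
if ($prop) {
    # Bytes -> upper-case hex, the same form as X509Certificate2.Thumbprint
    $current = [BitConverter]::ToString($prop.CertificateHash) -replace '-', ''
}

$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$now     = Get-Date

$candidates = @(Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    # Collect the EKU OIDs carried by this certificate (may be none)
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    if ($ekus -contains $efsOid) {
        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            TimeValid     = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
            HasPrivateKey = $cert.HasPrivateKey
            EkuCount      = $ekus.Count
            UsedByEFS     = ($cert.Thumbprint -eq $current)
        }
    }
})

$candidates |
    Select-Object UsedByEFS, Thumbprint, Subject, NotAfter, TimeValid, HasPrivateKey, EkuCount |
    Format-Table -AutoSize

if (-not $current) {
    Write-Warning "No CertificateHash under $efsKey; EFS has probably not been used by this user yet."
} elseif (-not ($candidates | Where-Object { $_.UsedByEFS })) {
    Write-Warning "EFS points at $current, which is not an EFS-EKU certificate in CurrentUser\My."
}
```

A high `EkuCount` on the row marked `UsedByEFS` is the situation Marvin describes, where a multi-purpose certificate is the one protecting the files. The second warning flags a key that would be needed for decryption but is missing from the store.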


Posted by Marv Sun on January 26, 2008, 6:43 pm
Thanks again, Martin!

Marvin

