Re: EFS and Certificate Services
From: Rschraeger (Rschraeger_at_discussions.microsoft.com)
Date: 08/25/05
- Next message: Rschraeger: "RE: Remove MS AntiSpyware or Add Exception"
- Previous message: Wayne A. Harris: "Certutil -dsaddtemplate"
- In reply to: Brian Komar: "Re: EFS and Certificate Services"
- Next in thread: Paul Adare: "Re: EFS and Certificate Services"
- Reply:(deleted message) Paul Adare: "Re: EFS and Certificate Services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 25 Aug 2005 05:22:01 -0700
Thanks for the response.
Why not take the root offline? Isn't it best practice to take the root
offline after it has given its cert to the sub. CA?
Also this is a Windows 2000 CA so we can not do V2 certs.
The user is encrypting a single file on their local machine which is joined
to the domain. An EFS cert. is issued from the Sub. CA and 1 minute to 5
minutes later a second EFS cert is issued. The first cert. is the one that
is used for all encryption. The second one is not used.
Question is why the two certs?
I can't believe this is the first time this has happened. I called MS and
they were stumped on why this was happening. So far they say it's a bug and
do not know if there is a workaround.
Come on, I can't be the only one that is trying to use a CA to issue EFS
certs on Windows 2000.
--
RS MCSE, MCP +I MCP

"Brian Komar" wrote:

> Answers inline:
>
> In article <3659CB09-D379-4DC3-9C8C-2EF8690EF7D2@microsoft.com>,
> Rschraeger@discussions.microsoft.com says...
> > Ok I'm hoping that this is a bug in the software but in reality it's really
> > bugging me.
> >
> > I created an Enterprise Root CA with an Enterprise Subordinate CA for issuing
> > EFS certificates. The Root CA is offline.
>
> An Enterprise Root CA computer cannot be offline. An enterprise Root CA
> must be a domain member, and integrates with AD, not allowing it to be
> removed from the network.
>
> > The client, a 2000 pro machine, is in the Domain and the user is a normal user of the domain (domain users)
> > and is in the administrators group on the local machine.
> >
>
> No need to be in the local Administrators group
>
> > When the user encrypts a file a certificate from the Subordinate CA is
> > issued. I check the thumbprint of the file and the certificate which matched.
> > So far..so good. Then 5 minutes or so later a second certificate for EFS is
> > issued from the CA. This certificate has a different thumbprint and is never
> > used for EFS. Why the two certs? and how can I get only one!
>
> The best practice is to issue the certificates *before* any encryption
> is attempted. I would recommend a custom v2 certificate template that
> implements key archival. Ensure that it is deployed using CAPICOM before
> attempting encryption.
>
> Where are they doing the encryption? If they are issued a single
> certificate, the client should not request another certificate unless
> encryption is attempted on a remote server. In this case, another cert
> would be requested for storage in the user's profile on the remote
> server.
>
> >
> > PLEASE HELP!!!
> >
> > --
> ==
> Brian Komar
> MVP - Windows - Security
> http://www.identit.ca/blogs/brian
>
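As an added example (not part of the thread or of any Microsoft tooling), a PowerShell script that checks a user's personal certificate store for the symptom described in this message: two EFS certificates from the same issuing CA whose validity starts lie minutes apart. The EKU-based filter and the 10-minute window are assumptions, and it needs PowerShell 3 or later rather than the Windows 2000 client in the thread.

```powershell
# Added example: detect duplicate EFS certificates issued minutes apart.
$EfsEkuOid     = '1.3.6.1.4.1.311.10.3.4'   # szOID_KP_EFS (Encrypting File System)
$WindowMinutes = 10                          # assumption: "minutes apart" threshold

# Keep only certificates whose Enhanced Key Usage lists the EFS OID,
# oldest first so that consecutive entries are candidates for a duplicate pair.
$efsCerts = @(Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid } |
    Sort-Object NotBefore)

if ($efsCerts.Count -gt 1) {
    Write-Warning ("{0} EFS certificates in CurrentUser\My; EFS uses only one of them." -f $efsCerts.Count)
}
$efsCerts | Format-Table Thumbprint, NotBefore, HasPrivateKey, Issuer -AutoSize

# Within each issuer, compare each certificate with the previous one and
# report pairs whose NotBefore times fall inside the window.
$efsCerts | Group-Object Issuer | ForEach-Object {
    $list = @($_.Group)
    for ($i = 1; $i -lt $list.Count; $i++) {
        $gap = ($list[$i].NotBefore - $list[$i - 1].NotBefore).TotalMinutes
        if ($gap -le $WindowMinutes) {
            Write-Warning ("Issuer {0}: {1} and {2} issued {3:N1} minutes apart" -f
                $_.Name, $list[$i - 1].Thumbprint, $list[$i].Thumbprint, $gap)
        }
    }
}

# Which certificate actually protects a given file is shown by
# 'cipher /c <file>' (Windows XP and later); compare that thumbprint with the
# table above to tell the certificate in use from the unused duplicate.
```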