EFS (Encrypting File System) Why does every user have two certificates.

From: Scott Beattie (scottbeattie@comcast.net)
Date: 03/03/03

    From: "Scott Beattie" <scottbeattie@comcast.net>
    Date: Sun, 2 Mar 2003 22:15:52 -0700
    
    

    I have been experimenting with EFS (Encrypting File System) during the last
    week. It seems that two certificates are created for each user the first
    time that the user encrypts a file, or when a user runs the cipher /k
    command. Both certificates seem to have an identical thumbprint, an
    intended purpose of Encrypting File System, and both indicate the presence
    of a private key. The only difference seems to be that one certificate is
    placed in Current User/Personal/Certificates and the other is placed in
    Current User/Trusted People/Certificates. What exactly is the relationship
    between these two certificates? If I export and remove the private key of
    one of the certificates I can still unencrypt existing files and encrypt new
    ones. If I attempt to export the private key of the remaining
    certificate - exporting the private key is not an option. Deleting either
    copy of the certificate allows encryption and unencryption to function.
    Deleting both of the certificates results in two new certificates being
    created the next time a file is encrypted but also prevents unencryption of
    the existing files unless another user was set up as recovery agent or the
    original exported certificate and private key are restored. I find the two
    certificates to be a bit confusing and would like to know what exactly is
    the reasoning behind the two certificates.
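
To repeat the comparison described in the post without the Certificates snap-in, this added PowerShell example (not part of the original message) lists the current user's certificates that carry the Encrypting File System enhanced key usage in both stores and groups them by thumbprint. It only reads the stores and assumes PowerShell 3.0 or later; the function name Test-EfsCertificate is made up for this example.

```powershell
# Added example: read-only audit of EFS certificates in the two stores named in the post.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage OID
$stores = [ordered]@{ 'My' = 'Personal'; 'TrustedPeople' = 'Trusted People' }

# Hypothetical helper: true when the certificate's EKU extension lists the EFS OID.
function Test-EfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($usage in $ext.EnhancedKeyUsages) {
                if ($usage.Value -eq $efsOid) { return $true }
            }
        }
    }
    return $false
}

# Collect every EFS certificate from Current User\Personal and Current User\Trusted People.
$found = @(foreach ($name in $stores.Keys) {
    Get-ChildItem -Path "Cert:\CurrentUser\$name" |
        Where-Object { Test-EfsCertificate $_ } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $stores[$name]
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
                Subject       = $_.Subject
            }
        }
})

# Per-copy view: the same thumbprint should show up once per store.
$found | Sort-Object Thumbprint, Store | Format-Table -AutoSize

# Per-thumbprint view: which stores hold it and how many copies report a private key.
$found | Group-Object Thumbprint | ForEach-Object {
    [pscustomobject]@{
        Thumbprint    = $_.Name
        Stores        = ($_.Group.Store | Sort-Object -Unique) -join ', '
        CopiesWithKey = @($_.Group | Where-Object HasPrivateKey).Count
    }
} | Format-Table -AutoSize
```

Running it before removing any copy shows which thumbprint needs an exported certificate and private key on hand, since the post notes that deleting both copies leaves existing files unreadable without that export or a recovery agent.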


