Re: Certificate template for EFS
From: Anand Abhyankar [MS] (ananda_at_online.microsoft.com)
Date: 03/31/05
- Next message: Lonewolph: "port 80 open?"
- Previous message: Nepatsfan: "Re: accessing password protected folders"
- In reply to: Milan Ojstersek: "Certificate template for EFS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 30 Mar 2005 18:28:26 -0800
Check:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
EFS and Autoenrollment
EFS always attempts to enroll for the Basic EFS template by default. The EFS
component driver generates an autoenrollment request that autoenrollment
tries to fulfill. For customers who want to ensure that a specific template
is used for EFS (such as to include key archival), the new template should
supersede the Basic EFS template. The Basic EFS template should also be
removed from any Enterprise CA. This will ensure that autoenrollment will
not attempt enrollment for the Basic EFS template any more. For customers
who wish to replace the Basic EFS template with a certificate and key that
is archived through the Windows Server 2003, Enterprise Edition CA, the
proper procedure is to supersede the Basic EFS template with a new version 2
certificate template.
--
Thanks,
Anand Abhyankar [MS]
----
This posting is provided "AS IS" with no warranties, and confers no rights.

"Milan Ojstersek" <MilanOjstersek@discussions.microsoft.com> wrote in message
news:BA80041B-03BC-45A7-A0FD-C3A674336F00@microsoft.com...
> Hi!
>
> EFS and MS Win2K3 CA and PKI are established in network.
> EFS on WinXP can get certificate (Basic EFS certificate template) on demand
> where there is EFS encryption required (user changes encryption properties
> for folder).
> But EFS cannot get certificate from MS CA if certificate template is other
> than Basic EFS. If Basic EFS certificate template doesn't allow for
> enrollment (based on user permissions or is not published on CA) then EFS
> issues self-issued EFS certificate which is not what we want. And the same
> functionality we get is if we have other certificate template with EFS EKU.
> Of course this other certificate template is just copy of Basic EFS but it
> cannot be issued on demand like Basic EFS.
>
> Why just Basic EFS certificate template?
> What is the right solution?
>
> Your help will be very appreciated.
>
> Regards
> Milan Ojstersek
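A read-only way to confirm the setup described in the reply above, added here as an example and not part of the original posting or of Microsoft's documentation. It assumes a domain-joined machine and a hypothetical new template named `EFSWithArchival`; `EFS` is the directory name of the built-in Basic EFS template, and the key archival check applies only if archival is the reason for the new template.

```powershell
# Added example: read-only audit of the EFS template configuration in Active Directory.
# Assumption: 'EFSWithArchival' is a hypothetical name for the new version 2 template.
$NewTemplate = 'EFSWithArchival'
$BasicEfs    = 'EFS'                      # CN of the built-in "Basic EFS" template
$EfsEkuOid   = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"
$tmplPath = "LDAP://CN=$NewTemplate,CN=Certificate Templates,$pks"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists($tmplPath)) {
    throw "Template '$NewTemplate' not found in Active Directory."
}
$tmpl = [ADSI]$tmplPath

# Attributes of the pKICertificateTemplate object that record the settings in question.
$schemaVersion = [int]$tmpl.Properties['msPKI-Template-Schema-Version'].Value
$supersedes    = @($tmpl.Properties['msPKI-Supersede-Templates'])
$ekus          = @($tmpl.Properties['pKIExtendedKeyUsage'])
$keyFlags      = [int]$tmpl.Properties['msPKI-Private-Key-Flag'].Value

$checks = [ordered]@{
    'New template is version 2 or later'   = $schemaVersion -ge 2
    'New template carries the EFS EKU'     = $ekus -contains $EfsEkuOid
    'New template supersedes Basic EFS'    = $supersedes -contains $BasicEfs
    'Key archival required (0x1 flag set)' = ($keyFlags -band 1) -eq 1
}

# Each Enterprise CA lists the templates it issues in its certificateTemplates attribute.
$searcher = [ADSISearcher]'(objectClass=pKIEnrollmentService)'
$searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pks"
foreach ($ca in $searcher.FindAll()) {
    $name      = $ca.Properties['cn'][0]
    $published = @($ca.Properties['certificatetemplates'])
    $checks["CA '$name' no longer issues Basic EFS"] = $published -notcontains $BasicEfs
    $checks["CA '$name' issues $NewTemplate"]        = $published -contains $NewTemplate
}

# Print one OK/FAIL line per check.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-6} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key
}
```

A FAIL on a "no longer issues Basic EFS" line is the condition under which, per the reply above, autoenrollment still attempts enrollment for the Basic EFS template.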