KateR
07-09-2005, 10:50 PM
All Windows 2003 environment.
Requirement is to have an EFS recovery certificate for the domain that has
a 20 year expiration period.
What I've done.
Install & Setup Domain/DC
Install & Setup Windows 2003 Enterprise server and add it to the test domain
as a member server. This is installed as an enterprise root certification
authority.
Secure the Default EFS Recovery Key for the Domain Controller (create a
*.cer) *** Note the default EFS recovery key has a 3 year expiration, in
this case April 25, 2005 through April 25, 2008. However, it was generated
by default by the Domain Admin as part of the DC install.***
Use the Enterprise CA server to create a new EFS Recovery certificate
TEMPLATE with a 20 year expiration.
Created the certificate. *** Note the expiration is 20 years, select
publish to AD. Select allow Authenticated Users to enroll and autoenroll.
Select this template supersedes the previous. Select re-enroll any existing
certificates.
Create a policy for users designated as recovery agents by creating a group
Domain Recovery agents and added Administrator and some other users to the
group. Added the Domain Recovery Agents group to the 20 Year EFS Recovery
Template. They have permission to Enroll certificates. ( With Domain
Recovery Agents selected in the top pane, select the Enroll check box in the
bottom pane. )
Next I want to request a 20 year EFS recovery cert to apply to the domain.
Click Certificates, and click Add. Select My user account and then
click Finish. Click Close. Click OK.
Click the + next to Certificates-Current User.
Right-click Personal in the left pane, click All Tasks, and click
Request New Certificate. This starts the Certificate Request wizard.
The first page of the wizard is informational. Click Next to
continue.
A list of certificate templates is displayed. Click 20 year EFS
Recovery Agent, and click Next.
Type in a friendly name that you can use to distinguish this
certificate from others. Add a description if you desire. Click Next.
The next page shows you the summary of your choices. Click Finish to
obtain the certificate.
Click Install Certificate and then click OK.
Then I exported the certificate to a *.cer and a *.pfx file.
Click the Start button, point to Programs, point to Administrative Tools,
and then select Domain Security Policy.
Click the + next to Security Settings.
Click the + next to Public Key Policies.
Click Encrypted Data Recovery Agents. Now right-click it and click Add. The
Add Recovery Agent wizard starts. Click Next.
Click Browse Folders.
Click the certificate that was created in the previous steps,
exportnewcertificate.cer, and click Open.
Click Next, and then click Finish.
The new certificate now appears in the right pane of the Domain Security
Policy snap-in.
Wonderful! Except when I review the new cert's details I find that the
expiration is 2 years, not 20: 5/4/2005-5/4/2007. What happened to my 20
year template?
Thank you for your help. k
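Added example, not part of KateR's post. An enterprise CA never issues a certificate longer than the smallest of three limits: the template's validity period, the CA's own ValidityPeriod/ValidityPeriodUnits registry values, and the remaining lifetime of the CA certificate itself. On a Windows Server 2003 CA the registry values default to 2 Years, which is exactly the 2-year certificate the post ends up with; the 20-year template is honoured only after that CA-wide cap is raised, and then only up to the CA certificate's own expiry. The script below, run on the CA as a CA administrator, reads all three limits with certutil and the .NET X509Certificate2 class, reports which one is binding, and with -RaiseCaCap applies the certutil -setreg change and restarts the service. The file path, the 20-year template value and the temp-file name are assumptions for the example.

```powershell
# Added diagnostic script (not from the original post). Run on the enterprise CA
# itself, as a CA administrator, so certutil -getreg/-setreg hit the local CA.
# Hypothetical inputs: the recovery agent .cer exported in the post, and the
# validity configured on the 20-year template.
param(
    [string]$IssuedCer   = 'C:\certs\exportnewcertificate.cer',
    [int]   $TemplateYrs = 20,
    [switch]$RaiseCaCap          # when set, actually change the CA registry cap
)

# Read NotBefore/NotAfter from a DER or Base64 .cer and express the validity in years.
function Get-CertValidity([string]$Path) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    return @{
        Subject   = $c.Subject
        NotBefore = $c.NotBefore
        NotAfter  = $c.NotAfter
        Years     = [math]::Round(($c.NotAfter - $c.NotBefore).TotalDays / 365.25, 2)
    }
}

# Read one CA registry value via certutil and return the text after '='.
# certutil prints e.g. "  ValidityPeriodUnits REG_DWORD = 2" (or "= 0x2 (2)")
# and "  ValidityPeriod REG_SZ = Years".
function Get-CaRegValue([string]$Name) {
    $hit = certutil -getreg "ca\$Name" | Select-String -Pattern "^\s*$Name\s+REG_" | Select-Object -First 1
    if (-not $hit) { throw "certutil did not return ca\$Name; run this on the CA as an administrator" }
    $text = $hit.Line
    if ($text -match '\((\d+)\)\s*$') { return $matches[1] }   # "0x2 (2)" form
    if ($text -match '=\s*(\S+)')     { return $matches[1] }   # "2" or "Years"
    throw "could not parse certutil output: $text"
}

# Convert the CA's ValidityPeriod unit name plus count into years.
function ConvertTo-Years([string]$Unit, [int]$Count) {
    switch -Regex ($Unit) {
        '^Years'  { return $Count }
        '^Months' { return $Count / 12 }
        '^Weeks'  { return $Count * 7 / 365.25 }
        '^Days'   { return $Count / 365.25 }
        '^Hours'  { return $Count / 8766 }
        default   { throw "unknown ValidityPeriod unit '$Unit'" }
    }
}

# (1) What the CA actually issued.
$issued = Get-CertValidity $IssuedCer
"Issued cert     : {0:d} -> {1:d} = {2} years" -f $issued.NotBefore, $issued.NotAfter, $issued.Years

# (2) The CA-wide cap in the registry (2 Years by default on a Windows Server 2003 CA).
$capUnit  = Get-CaRegValue 'ValidityPeriod'
$capCount = [int](Get-CaRegValue 'ValidityPeriodUnits')
$capYears = ConvertTo-Years $capUnit $capCount
"CA registry cap : $capCount $capUnit = $capYears years"

# (3) The CA certificate's own remaining lifetime; nothing it issues can outlive it.
$caCerPath = Join-Path $env:TEMP 'ca-cert.cer'      # assumed scratch location
certutil -ca.cert $caCerPath | Out-Null
$caCert      = Get-CertValidity $caCerPath
$caRemaining = [math]::Round(($caCert.NotAfter - (Get-Date)).TotalDays / 365.25, 2)
"CA cert expires : {0:d} ({1} years left)" -f $caCert.NotAfter, $caRemaining

# The CA issues the minimum of the three; report which limit is binding.
$limits  = @{ 'template' = $TemplateYrs; 'CA registry ValidityPeriod' = $capYears; 'CA certificate lifetime' = $caRemaining }
$binding = $limits.GetEnumerator() | Sort-Object Value | Select-Object -First 1
"Effective limit : {0} years, bound by the {1}" -f $binding.Value, $binding.Key

if ($RaiseCaCap) {
    # Raise the CA-wide cap to the template value and restart the CA service.
    # This cannot push lifetimes past the CA certificate; if that is the binding
    # limit, renew the CA certificate with a longer RenewalValidityPeriod /
    # RenewalValidityPeriodUnits in CAPolicy.inf first, then re-run this script.
    certutil -setreg 'ca\ValidityPeriod' Years
    certutil -setreg 'ca\ValidityPeriodUnits' $TemplateYrs
    net stop certsvc
    net start certsvc
    "Cap raised to $TemplateYrs years; re-request the recovery agent certificate, then re-add the new .cer under Encrypted Data Recovery Agents."
}
```

Two practical notes. The registry cap is CA-wide, so raising it to 20 years lets any template whose own validity is set that long issue 20-year certificates, not just the recovery agent template; check the other templates before applying it. And a recovery agent .pfx that is valid for 20 years can decrypt every EFS file in the domain for that whole period, so the exported private key belongs offline (removable media in a safe), with only the .cer imported into the domain policy.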