Windows 2003 CA Server and Templates Do not work for EFS!



KateR
07-09-2005, 10:50 PM
All Windows 2003 environment.
Requirement is to have an EFS recovery certificate for the domain that has
a 20 year expiration period.

What I've done.

Install & Setup Domain/DC
Install & Setup Windows 2003 Enterprise server and add it to the test domain
as a member server. This is installed as an enterprise root certification
authority.
Secure the Default EFS Recovery Key for the Domain Controller (create a
*.cer) *** Note the default EFS recovery key has a 3 year expiration, in
this case April 25 2005 through April 25, 2008. However, it was generated
by default by the Domain Admin as part of the DC install.***

Use the Enterprise CA server to create a new EFS Recovery certificate
TEMPLATE with a 20 year expiration.

Created the certificate. *** Note the expiration is 20 years, select
publish to AD. Select allow Authenticated users can enroll and autoenroll.
Select this template supersedes the previous. Select re-enroll any existing
certificates.


Create a policy for users designated as recovery agents by creating a group
Domain Recovery agents and added Administrator and some other users to the
group. Added the Domain Recovery Agents group to the 20 Year EFS Recovery
Template. They have permission to Enroll certificates. ( With Domain
Recovery Agents selected in the top pane, select the Enroll check box in the
bottom pane. )

Next I want to request a 20 year EFS recovery cert to apply to the domain.
Click Certificates, and click Add. Select My user account and then
click Finish. Click Close. Click OK.

Click the + next to Certificates-Current User.

Right-click Personal in the left pane, click All Tasks, and click
Request New Certificate. This starts the Certificate Request wizard.

The first page of the wizard is informational. Click Next to
continue.

A list of certificate templates is displayed. Click 20 year EFS
Recovery Agent, and click Next.

Type in a friendly name that you can use to distinguish this
certificate from others. Add a description if you desire. Click Next.

The next page shows you the summary of your choices. Click Finish to
obtain the certificate.

Click Install Certificate and then click OK.



Then I exported the certificate to a *.cer and a *.pfx file.

Click the Start button, point to Programs, point to Administrative Tools,
and then select Domain Security Policy.

Click the + next to Security Settings.

Click the + next to Public Key Policies.

Click Encrypted Data Recovery Agents. Now right-click it and click Add. The
Add Recovery Agent wizard starts. Click Next.

Click Browse Folders.

Click the certificate that was created in the previous steps,
exportnewcertificate.cer, and click Open.

Click Next, and then click Finish.

The new certificate now appears in the right pane of the Domain Security
Policy snap-in.

Wonderful! Except when I review the new cert's details I find that the
expiration is 2 years, not 20: 5/4/2005-5/4/2007. What happened to my 20
year template?

Thank you for your help. k

Steven L Umbach
07-09-2005, 10:51 PM
First off, a certificate can never have a lifetime that is greater than the
expiration date of the Certificate Authority. In my experience, by default
the RA certificate for Windows 2003 has a lifetime of two years. I have also
noticed that though you can create version two templates with lifetimes
longer than two years, it seems that two years is the maximum, which is what
you are experiencing. With autoenrollment you can make sure that your RA
certificates are being renewed well before expiration, but ALWAYS keep all of
your RA certificates/private keys even if they have expired, as they still may
be used to recover files that were encrypted before they expired. The
efsinfo utility will display exactly which RA certificates/private keys can
decrypt EFS files. After a new RA is created, EFS files that are opened will
be updated to also use the new RA. If you have to, you probably could use a
self-signed RA certificate generated on an XP Pro computer with the cipher
command to be the RA for the domain. The self-signed certificate may have a
long lifetime, but be sure to test it out if you want to go that route. ---
Steve



KateR
07-09-2005, 10:51 PM
See the attachment for screen shots.

The root CA cert I used had a 25 year expiration. (Screen shot 1)
The EFS Template was set to expire at 25 years.

What is the purpose of an EFS template that one can modify if the modified
components don't apply? This is a rhetorical question to any MS engineers
out there.

NOTE: Equally perplexing is the fact that if I don't set up a CA and just use
the default certificate as generated by setting up the first DC, I get an
EFS recovery cert that is 3 years. However, the EFS certificate (not the
recovery but the file encryption cert) has an expiration of 100 years.

(Screen shot 2)
Screen shot 2 is the default recovery set up by virtue of setting up the
first DC.


OK, I go back to the model that has a CA in it. I just tried using cipher
on the DC that has the modified EFS recovery templates set to 100 years.
Cipher created a recovery cert that has a hundred year expiration. Screen
shot 3.

So cipher works, but using the Certificates MMC to create a new certificate
creates one with a 2 year expiration?

I think I am really confused at this state. In fact I know I am. Am I
missing some key concept here?

The following EFSInfo text shows the thumbprint for encryption of the new
directory.


************

Your current EFS certificate thumbnail information on the PC named SOSDC is:
8AF4 818B 5647 2D63 5042 19FB D1AF FC2C F7C4 70AA

c:\newcipher: Encrypted
Users who can decrypt:
  SOS\Administrator [Administrator(Administrator@SOS)]
  Certificate thumbprint: 8AF4 818B 5647 2D63 5042 19FB D1AF FC2C F7C4 70AA
Recovery Agents:
  Administrator
  Certificate thumbprint: EF9D 869E 3070 35DB BDD2 D2A2 A832 721F D526 9909
Key Information:
  Algorithm: AES
  Key Length: 256
  Key Entropy: 256

New Text Document.txt: Encrypted
Users who can decrypt:
  SOS\Administrator [Administrator(Administrator@SOS)]
  Certificate thumbprint: 8AF4 818B 5647 2D63 5042 19FB D1AF FC2C F7C4 70AA
Recovery Agents:
  Administrator
  Certificate thumbprint: EF9D 869E 3070 35DB BDD2 D2A2 A832 721F D526 9909
  Administrator
  Certificate thumbprint: 0C50 DBBC 0E80 5558 71A4 5C69 17EA EFFB E003 1D09
Key Information:
  Algorithm: AES
  Key Length: 256
  Key Entropy: 256


Thanks for your assist. k
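As an added example (not part of this thread and not Microsoft's code), here is a small Python parser for the efsinfo report format shown above that pulls each file's recovery-agent thumbprints and checks them against an assumed archive of retained RA certificates, applying Steve's point that an expired RA private key must still be kept because it decrypts files that named it. The paths, thumbprints and archive dates are constructed for the example.

```python
# Constructed sample in the layout efsinfo prints; paths, names and
# thumbprints are made up, not copied from any real system.
SAMPLE = """\
c:\\newcipher: Encrypted
Users who can decrypt:
  SOS\\Administrator [Administrator(Administrator@SOS)]
  Certificate thumbprint: 1111 2222 3333 4444 5555 6666 7777 8888 9999 AAAA
Recovery Agents:
  Administrator
  Certificate thumbprint: AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA
Key Information:
  Algorithm: AES
c:\\old.txt: Encrypted
Recovery Agents:
  Administrator
  Certificate thumbprint: BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB
c:\\lost.txt: Encrypted
Recovery Agents:
  Administrator
  Certificate thumbprint: CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC
"""

# Assumed inventory of archived RA certificates whose private keys are kept,
# thumbprint -> expiry (ISO date). An expired RA key still decrypts its files.
ARCHIVE = {"A" * 40: "2007-05-04", "B" * 40: "2005-04-25"}

def parse_efsinfo(text):
    """Return {path: [RA thumbprints]}; user-cert thumbprints are skipped."""
    files, path, in_ra = {}, None, False
    for raw in text.splitlines():
        s = raw.strip()
        if s.endswith(": Encrypted"):
            path, in_ra = s[: -len(": Encrypted")], False
            files[path] = []
        elif s.endswith(":"):                # any section header
            in_ra = s == "Recovery Agents:"
        elif in_ra and s.startswith("Certificate thumbprint:"):
            files[path].append(s.split(":", 1)[1].replace(" ", "").upper())
    return files

def audit(files, archive, today):
    """'ok': an unexpired archived RA key; 'ok-expired': only expired
    archived keys; 'UNRECOVERABLE': no RA named by the file is archived."""
    result = {}
    for path, ras in files.items():
        kept = [archive[t] for t in ras if t in archive]
        if not kept:
            result[path] = "UNRECOVERABLE"
        else:
            result[path] = "ok" if max(kept) >= today else "ok-expired"
    return result
```

Running `audit(parse_efsinfo(SAMPLE), ARCHIVE, "2005-07-09")` flags the file whose only recovery agent is missing from the archive, which is the situation that keeping every old RA key is meant to prevent.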
