PKI, External CA, EFS ?

Discussion in 'Security Software' started by Donald Welker, Oct 30, 2003.

  1. The following assume Windows 2000, XP, or 2003, but AD may or may not be
    available.

    1. Is it possible to set up a certificate issued by an external CA to be
    used for EFS encryption?

    2. Is it possible to set up a certificate issued by an external CA to act as
    an EFS recovery agent, or must all recovery agents be created in Windows?

    3. Assuming the answer to 1 is no, what processes or products exist to
    encrypt files and folders using externally-issued certificates that are
    located in the user's Windows certificate store?

    Resp.
    Don Welker
     
    Donald Welker, Oct 30, 2003
    #1

  2. 1. yes.

    2. yes, you can use a third party CA

    3. just install a valid third party cert and it should work automatically

    EFS:
    http://www.microsoft.com/WindowsXP/pro/techinfo/administration/recovery/default.asp

    http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/WinNETSrvr-EncryptedFileSystem.asp

    Third-Party Certificate Authority Support for Encrypting File System
    (Q273856)

    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q273856
     
    David Cross [MS], Oct 31, 2003
    #2

  3. Thanks David, that's good info.

    I would also like to flag MSKB Article 331333 for those with XP in NT4
    domains.

    Unfortunately my CA doesn't implement the correct usage extensions so I
    guess I don't have a "valid third party cert" -- at least now I know what's
    broken.

     
    Donald Welker, Oct 31, 2003
    #3
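
One way to check the usage extensions the thread ends on, as an added example that is not from any of the posters: the PowerShell below lists each certificate in the current user's store and reports whether it carries the EFS or File Recovery enhanced key usage. The helper name `Get-EfsCertSuitability` is hypothetical, the two OIDs are Microsoft's published EKU identifiers rather than values quoted in the thread, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread.
# Microsoft's published enhanced key usage (EKU) identifiers:
$EfsOid      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (EFS recovery agent)

# Hypothetical helper: summarize the usage extensions of one certificate.
function Get-EfsCertSuitability {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $ekuOids  = @()        # stays empty when the CA issued no EKU extension
        $keyUsage = 'absent'   # stays 'absent' when there is no Key Usage extension
        foreach ($ext in $Certificate.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
            elseif ($ext -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]) {
                $keyUsage = $ext.KeyUsages.ToString()
            }
        }
        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Issuer        = $Certificate.Issuer
            Thumbprint    = $Certificate.Thumbprint
            NotAfter      = $Certificate.NotAfter
            HasPrivateKey = $Certificate.HasPrivateKey   # needed to decrypt or recover files
            EfsEku        = $ekuOids -contains $EfsOid
            RecoveryEku   = $ekuOids -contains $RecoveryOid
            KeyUsage      = $keyUsage
            EkuOids       = $ekuOids -join ', '
        }
    }
}

# Read-only pass over the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My | Get-EfsCertSuitability | Format-List
```

A certificate that shows `EfsEku : False` does not carry the EFS usage OID, and one that shows `RecoveryEku : False` does not carry the File Recovery OID.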
