EFS in a 2003 Native Domain with third party PKI certificates.

John Collins

Didn't find a group specifically for EFS...please advise correct group for
EFS questions.

We have an AD 2003 native forest/domain not currently set up for domain-wide
EFS. However we all (users) have issued 1024 bit PKI certificates that can
be seen on the Published Certificate tab in ADUC. The certificates are also
on Smart Cards that everyone has and can use to log on to domain PCs with.

Is it possible to now implement a domain-wide EFS process utilizing these
already issued certificates? If so can someone point me to some specific
guidance on using third party certificates? TIA.

Regards,

John
 
John Collins

The certificate was issued by DoD for both the Smart Card logon process,
encrypting email, and signing email.

I've now reviewed the document (thanks for pointing it out) and it seems to
me that our certificate may be good for EFS, but I'm not familiar enough
with this stuff to make an explicit determination.

Our Key Usage field shows Key Encipherment (20) and the properties show
"Enable all purposes for this certificate." However there is no Key Info
field that I can find.

Regards,

John
 
Paul Adare

microsoft.public.windows.server.security news group, John
Collins said:
> The certificate was issued by DoD for both the Smart Card logon process,
> encrypting email, and signing email.
>
> I've now reviewed the document (thanks for pointing it out) and it seems to
> me that our certificate may be good for EFS, but I'm not familiar enough
> with this stuff to make an explicit determination.
>
> Our Key Usage field shows Key Encipherment (20) and the properties show
> "Enable all purposes for this certificate." However there is no Key Info
> field that I can find.

If the certificate doesn't specifically have the EFS OID,
which according to what you've posted above, it does not,
then no, you can't use it for EFS.

Even if it did have that OID you still wouldn't be able to
use it with EFS as you can't use a certificate on a smart
card for EFS unless you're running Vista or Longhorn.

--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a
joke--or a lie. How lucky Adam was. He knew when he said a
good thing, nobody had said it before. Adam was not alone
in the Garden of Eden, however, and does not deserve all
the credit; much is due to Eve, the first woman, and Satan,
the first consultant." - Mark Twain
 
John Collins

The certificate has been published to AD. It is not exclusively just on the
smart card. Could you give me specific instructions to check the OID? I'm
sorry that I'm not more PKI aware.

Regards,

John
 
Paul Adare

microsoft.public.windows.server.security news group, John
Collins said:
> The certificate has been published to AD. It is not exclusively just on the
> smart card.

The fact that the certificate has been published to AD
doesn't matter. The private key of the certificate is only
located on the smart card and without that, you can't
decrypt anything. Your encryption certificate is not
published to AD for your usage, it is published there for
others to use if they want to share an encrypted file with
you. They would then grab your public key from the
directory to be used by EFS. However, you'd still need your
private key to decrypt and you can't do that when the key
is stored on a smart card. Trust me, you can't use EFS in
Windows 2000, XP, or Windows Server 2003 when your EFS cert
is on a smart card. It just isn't possible.
> Could you give me specific instructions to check the OID? I'm
> sorry that I'm not more PKI aware.

Double-click the certificate (run certmgr.msc), on the
Details tab, look at Enhanced Key Usage. However, as above,
if the cert is on a smart card, even if it has the correct
OID in the EKU you can't use it.

--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a
joke--or a lie. How lucky Adam was. He knew when he said a
good thing, nobody had said it before. Adam was not alone
in the Garden of Eden, however, and does not deserve all
the credit; much is due to Eve, the first woman, and Satan,
the first consultant." - Mark Twain
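The certmgr.msc check described above, scripted. This is an added example, not code from the thread; it assumes Windows PowerShell 3.0 or later with the Cert: drive, reads the same Enhanced Key Usage list Paul points to, and also reports whether the private key sits in a smart card CSP, which is the case the thread says pre-Vista EFS cannot use.

```powershell
# Added example (not from the thread). Standard Microsoft OIDs:
$EfsOid       = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$SmartCardOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU

function Test-EfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Enhanced Key Usage: the list shown on the Details tab in certmgr.msc.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Key Usage: Key Encipherment (hex 20 in the UI) is needed because EFS
    # wraps the file encryption key with the certificate's RSA public key.
    $kuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $keyEnc = $kuExt -and ($kuExt.KeyUsages -band
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)

    # Where the private key lives. A copy published to AD carries no private
    # key; a smart card CSP reports HardwareDevice = True.
    $keyLocation = 'no private key (public certificate only, e.g. the AD copy)'
    if ($Cert.HasPrivateKey) {
        try {
            $info = $Cert.PrivateKey.CspKeyContainerInfo   # CSP (legacy) keys only
            if (-not $info) { $keyLocation = 'CNG key (provider not queried here)' }
            elseif ($info.HardwareDevice) { $keyLocation = "smart card / hardware ($($info.ProviderName))" }
            else { $keyLocation = "software CSP ($($info.ProviderName))" }
        } catch { $keyLocation = "private key present but not readable: $($_.Exception.Message)" }
    }

    [pscustomobject]@{
        Subject         = $Cert.Subject
        HasEfsEku       = $ekuOids -contains $EfsOid
        HasSmartCardEku = $ekuOids -contains $SmartCardOid
        NoEkuExtension  = (-not $ekuExt)   # no EKU extension at all = any purpose
        KeyEncipherment = [bool]$keyEnc
        PrivateKey      = $keyLocation
    }
}

# Run over the user's Personal store, where certmgr.msc shows the same certificates.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-EfsCertificate $_ } | Format-List
```

A certificate is a candidate for EFS on these systems only when HasEfsEku is True and PrivateKey reports a software CSP; a True HasSmartCardEku alone says nothing about EFS.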
 
