EFS certificate renewal

Jason Darst

We use EFS in our organization and have a Windows 2003 Enterprise CA
issuing the certificates for it. We are approaching the renewal time
and I was looking for some details about how Windows 2000 or Windows XP
handles the renewal process from the client. I know the high level of
once the renewal period is reached, if auto-enrollment and renewal is
allowed in group policy the computer will request a renewal.

The questions come in because we have laptops that go for a long period
of time not connected to our network. So the following questions arise:

What triggers a renewal request? Access of an EFS certificate? Login to
the PC? First bootup? Change in network interfaces? Change in IP
address?

If the computer is not connected when the renewal period is first
reached, what happens?

If the first renewal request is not successful because the Enterprise CA
is not reachable (laptop is external to the network at the time) will it
retry?

If it retries, what is the trigger for it to retry and how often does it
do it?

If the expiration period is reached, and group policy says it is to use a
specified Enterprise CA and that CA is not reachable, will it still
generate a self signed certificate?

Any answers to these questions would be much appreciated. The TechNet
documentation I can find just doesn't go to this level of detail. And
I'm worried that I'm going to have laptops that are sporadically
connected missing their renewal chances and issuing self-signed
certificates, which would be a mess.

Thank you.
 
Miha Pihler

Hi Jason,

My answers are in-line. I hope they help.

Jason Darst said:
> We use EFS in our organization and have a Windows 2003 Enterprise CA
> issuing the certificates for it. We are approaching the renewal time
> and I was looking for some details about how Windows 2000 or Windows XP
> handles the renewal process from the client. I know the high level of
> once the renewal period is reached, if auto-enrollment and renewal is
> allowed in group policy the computer will request a renewal.
>
> The questions come in because we have laptops that go for a long period
> of time not connected to our network. So the following questions arise:
>
> What triggers a renewal request? Access of an EFS certificate? Login to
> the PC? First bootup? Change in network interfaces? Change in IP
> address?

Group Policy. When the client boots up, it will look for a DC to connect to.

> If the computer is not connected when the renewal period is first
> reached, what happens?

Nothing. Again, the client tries to connect to a DC and update group policy and
perform tasks defined in group policy.

> If the first renewal request is not successful because the Enterprise CA
> is not reachable (laptop is external to the network at the time) will it
> retry?

Yes, it will "retry" -- or better said, it will try to renew once it can
connect to the DC and CA server.

> If it retries, what is the trigger for it to retry and how often does it
> do it?

I would say, till it has a valid certificate -- but it can depend on your
settings...
 
Miha Pihler

You are welcome. :)

Don't forget to update any Data Recovery Agent keys. If they expire, users
won't be allowed to encrypt files. After you replace the DRA, users must
"touch" their encrypted files to update them with the new DRA. You can also do
this with a logon script where you run

cipher /u

Mike
 
Robert Gu [MSFT]

When a cert reaches the end of its life, say 20%, some event would trigger
Auto-Enrollment, such as logon, GPO update, timer, etc. When these
triggers happen and you are online, the cert will be renewed. If not, and the cert
expires, when you do EFS, EFS will try to get a cert if there is no valid
EFS cert available in your MY store. If there is any valid EFS cert in the MY
store, EFS will pick up that one. If not, then EFS will try to get one from the
CA. When EFS tries to get the cert and you are offline, a self-signed cert
will be issued in the existing OS.
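As an added example (not from this thread or any of its posters), a PowerShell script an administrator can run on a laptop or from the logon script to spot the states discussed above: EFS certificates in the user's MY store that are expired, already inside their renewal window, or self-signed because the CA was unreachable. It assumes the EFS EKU OID 1.3.6.1.4.1.311.10.3.4 identifies EFS certificates, that subject equal to issuer is a good enough self-signed heuristic, and that the renewal window is the last 20% of the lifetime Robert mentions.

```powershell
# Added example (not from the thread): list the current user's EFS certificates
# and flag expired, renewal-due and self-signed ones. Assumes the EFS EKU OID
# 1.3.6.1.4.1.311.10.3.4 and a renewal window of the last 20% of the lifetime.
param([double]$RenewalFraction = 0.2)

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertStatus {
    param([double]$Fraction = 0.2, [datetime]$Now = (Get-Date))
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            # Keep only certificates whose EKU extension lists the EFS OID.
            $isEfs = $false
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    foreach ($oid in $ext.EnhancedKeyUsages) {
                        if ($oid.Value -eq $EfsEkuOid) { $isEfs = $true }
                    }
                }
            }
            if (-not $isEfs) { continue }
            # Renewal window opens at NotAfter minus Fraction of the lifetime.
            $lifetime     = $cert.NotAfter - $cert.NotBefore
            $renewalStart = $cert.NotAfter.AddTicks(-[long]($lifetime.Ticks * $Fraction))
            if ($Now -gt $cert.NotAfter)    { $state = 'Expired' }
            elseif ($Now -ge $renewalStart) { $state = 'RenewalDue' }
            else                            { $state = 'OK' }
            New-Object PSObject -Property @{
                Thumbprint    = $cert.Thumbprint
                Issuer        = $cert.Issuer
                NotAfter      = $cert.NotAfter
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)  # heuristic: subject equals issuer
                HasPrivateKey = $cert.HasPrivateKey
                State         = $state
            }
        }
    }
    finally { $store.Close() }
}

# Self-signed or expired entries are the laptop-was-offline case described above.
Get-EfsCertStatus -Fraction $RenewalFraction |
    Sort-Object NotAfter |
    Format-Table Thumbprint, State, SelfSigned, HasPrivateKey, NotAfter, Issuer -AutoSize
```

Logging this output from the same logon script that runs the `cipher /u` step Mike mentions gives you a record of which sporadically connected laptops fell back to self-signed certificates and still need a CA-issued one.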