Title: [OT] Generating EFS Recovery Certificate
If only we had an enterprise CA implemented... You were right about makecert.exe; if you wanted to do it and have the cert look just like the cipher.exe one, it would look like this. The only downside to makecert is that it doesn't make a .pfx file, so you need to create that manually. Thanks for the help!
 
makecert -r -pe -n "OU=EFS File Encryption Certificate,L=EFS,CN=Administrator" -a sha1 -e 12/31/2008 -eku 1.3.6.1.4.1.311.10.3.4.1  -ss my testefs.cer
 
-Brandon


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Thursday, January 05, 2006 12:59 PM
To: [email protected]
Subject: Re: [ActiveDir] [OT] Generating EFS Recovery Certificate

You can use an MS Ent CA to do this (just copy and edit the V2 template), or you should be able to specify the OID "1.3.6.1.4.1.311.10.3.4.1" in your call to CryptEncodeObject to create one. Optionally, you can try makecert.exe (but I have never tried this).
 
spat
 
----- Original Message -----
Sent: Thursday, January 05, 2006 7:14 AM
Subject: [ActiveDir] [OT] Generating EFS Recovery Certificate


Sorry for the off topic question. Here is the background...

Remember when you first bring up a DC and it generates a self-signed EFS Recovery Certificate? Well, what do you do when you don't know about that and 5 years down the road you want to implement a recovery solution and that original DC is long gone?

Well, one way would be to use Cipher.exe to generate another EFS Recovery cert, create a domain recovery agent using that cert, and re-touch all your encrypted files across each PC.

Great, no biggie. But let's say you want to put this cert on a secure USB key fob, so it can't be copied off or tampered with, but your unnamed vendor doesn't support certs that are issued out for 100 years.

So basically I need another way to generate an EFS Recovery Certificate that doesn't go out for 100 years; I'd like to control the issuing date. Does anyone know another way to go about this? It is unknown to me if I can use the Crypto API to generate a self-signed cert with whatever the EFS Recovery OID is. Thanks again for any input!

-Brandon
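Added example, not posted by anyone in this thread: the certificate Brandon builds with makecert above (same subject, same EFS Recovery Agent EKU OID that spat names), produced instead with the New-SelfSignedCertificate cmdlet shipped with later Windows versions, with the expiry under your control and exported straight to the .pfx that makecert cannot write. The 5-year lifetime, the output path and the removal of the local copy afterwards are assumptions.

```powershell
# EFS Recovery Agent EKU, the OID Brandon passes to makecert -eku
$efsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

$params = @{
    Subject           = 'OU=EFS File Encryption Certificate,L=EFS,CN=Administrator'
    Type              = 'Custom'
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    HashAlgorithm     = 'SHA256'
    # EFS wraps the file encryption key to this key, so it must be an exchange key
    KeySpec           = 'KeyExchange'
    # Needed so the private key can be exported into the .pfx below
    KeyExportPolicy   = 'Exportable'
    KeyUsage          = @('KeyEncipherment', 'DataEncipherment')
    # Extended Key Usage extension (2.5.29.37) carrying the recovery agent OID
    TextExtension     = @("2.5.29.37={text}$efsRecoveryOid")
    # Assumption: 5 years instead of cipher.exe's 100; NotBefore defaults to now
    NotAfter          = (Get-Date).AddYears(5)
    CertStoreLocation = 'Cert:\CurrentUser\My'
}
$cert = New-SelfSignedCertificate @params

# Check that the EKU actually made it into the certificate before trusting it
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuExt, $ekuExt.Critical)
$hasRecoveryEku = @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsRecoveryOid }).Count -gt 0
if (-not $hasRecoveryEku) { throw 'Certificate lacks the EFS Recovery Agent EKU' }
if ($cert.NotAfter -gt (Get-Date).AddYears(5).AddDays(1)) { throw 'Validity period longer than intended' }

# Export key + cert to a password-protected .pfx (assumption: output location)
$pfxPath = Join-Path $env:TEMP 'efs-recovery-agent.pfx'
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null

# The .pfx is what goes onto the token; drop the private key from this machine
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
Write-Output "Recovery agent certificate exported to $pfxPath (thumbprint $($cert.Thumbprint))"
```

The public .cer for the domain recovery agent policy can be exported from the same object with Export-Certificate before the local copy is removed.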
