Using the Cipher.exe utility to migrate self-signed certificates to certification authority-issued certificates (295680)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Professional SP1
This article was previously published under Q295680

SUMMARY

This article describes the process of using the Cipher.exe command-line utility to facilitate the migration of users from their existing self-signed certificates to certification authority (CA)-issued certificates.
MORE INFORMATION

Encrypting File System (EFS) uses digital certificates to enable the encryption and the recovery of user files. In the absence of a certification authority (CA) that is capable of issuing file encryption certificates, the EFS service generates a new certificate and digitally signs it with the private key of the user. This certificate is known as a self-signed certificate. Self-signed certificates enable users to utilize EFS in the absence of a public key infrastructure (PKI) or Active Directory. However, these certificates cannot be centrally managed by administrators. When a CA has been deployed, the management of user certificates in the enterprise becomes much easier, but administrators are then faced with the problem of migrating users from their existing self-signed certificates to CA-issued certificates.
Cipher.exe is a command-line utility that is available in Windows 2000. With this utility, users can request new CA-issued file encryption certificates to replace their existing self-signed file encryption certificates. The cipher /k command causes Windows 2000 to mark the existing self-signed certificate as archived and to request a new certificate from a CA. The archived certificate and its private key remain in the user's personal store, so any files that were encrypted with the earlier public key can still be decrypted; when those files are subsequently saved, they can be encrypted with the new public key. The Cipher utility can be called in a logon script to migrate users automatically and invisibly. The utility only acts on the local computer and the current user's profile; it cannot request new certificates for files that have been encrypted on remote servers.
The cipher /k command does not adjust the registry subkey that controls which certificate is used for file encryption. To use the certificate that was requested through cipher /k, the CertificateHash binary value under the following registry subkey has to contain the thumbprint of the certification authority-issued certificate. Otherwise, EFS continues to encrypt files with the self-signed certificate.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys

Copy the thumbprint out of the certification authority-issued certificate, and then paste it into the registry value. To do this, follow these steps:
1. Click Start, click Run, type certmgr.msc in the Open box, and then click OK.
2. Locate the certification authority (CA)-issued certificate.
3. Double-click the certificate, click the Details tab, click Thumbprint, and then copy the thumbprint data that appears in the box below the thumbprint.
4. Open Registry Editor, and then locate the registry subkey that was mentioned earlier.
5. In the right pane, click CertificateHash, and then on the Edit menu, click Modify.
6. Paste the thumbprint data that you copied in step 3 into the Value data box, and then click OK.
7. Close Registry Editor.
Note If the certification authority is not available or is not configured to issue file encryption certificates, the cipher /k command does not fail; it causes the local EFS service to issue another self-signed certificate to the user. Before you update CertificateHash, confirm on the certificate's Details tab that the Issuer is the CA and not the user (a self-signed certificate has the same Issuer and Subject). A logon script that copies the newest certificate's thumbprint without this check can point EFS at a second self-signed certificate.
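The following PowerShell script is an added example that is not part of this article and not Microsoft's own tooling. It performs the procedure above from a logon script: it runs cipher /k, selects the newest CA-issued EFS certificate in the user's personal store, writes its hash into CertificateHash, and reads the value back to verify it. It also handles the case described in the note by refusing to change CertificateHash when the only EFS certificates are self-signed. It assumes a Windows version that has PowerShell and the same registry location as this article; it has not been tested on Windows 2000.

```powershell
# Added example, not from KB 295680. Assumes PowerShell 5.1 or later and the
# HKCU\...\EFS\CurrentKeys\CertificateHash location described in the article.

$EfsEku  = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID
$KeyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'

# Step 1: ask EFS for a new file encryption certificate. If a CA that issues
# EFS certificates is reachable, the new certificate is CA-issued; otherwise
# EFS silently creates another self-signed certificate.
& cipher.exe /k | Out-Null

# Step 2: find certificates in the user's personal store that carry the EFS EKU.
$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $ekuExt = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEku })
}

# Step 3: keep only CA-issued certificates with a private key. A self-signed
# EFS certificate has identical Issuer and Subject.
$caIssued = $efsCerts |
    Where-Object { $_.HasPrivateKey -and ($_.Issuer -ne $_.Subject) } |
    Sort-Object -Property NotBefore -Descending

if (-not $caIssued) {
    # The CA was unavailable or not configured for EFS; cipher /k fell back to
    # a self-signed certificate. Leave CertificateHash alone so the user keeps
    # encrypting with a key we already know about.
    Write-Warning 'No CA-issued EFS certificate found; CertificateHash unchanged.'
    exit 1
}

$newCert = $caIssued[0]

# Step 4: CertificateHash is a binary (REG_BINARY) value holding the raw SHA-1
# certificate hash, i.e. the thumbprint bytes, not the hex text shown in certmgr.msc.
$hash = $newCert.GetCertHash()
Set-ItemProperty -Path $KeyPath -Name CertificateHash -Value $hash -Type Binary

# Step 5: read the value back and compare it with the certificate's thumbprint.
$stored    = (Get-ItemProperty -Path $KeyPath -Name CertificateHash).CertificateHash
$storedHex = ($stored | ForEach-Object { $_.ToString('X2') }) -join ''
if ($storedHex -ne $newCert.Thumbprint) {
    throw "CertificateHash ($storedHex) does not match thumbprint $($newCert.Thumbprint)"
}
"EFS now uses certificate $($newCert.Thumbprint) issued by $($newCert.Issuer)"
```

Run it in the user's own session (for example from a logon script), because both cipher /k and the HKCU subkey apply to the current user's profile on the local computer. The Issuer-versus-Subject test is what separates a real migration from the silent fallback described in the note; the read-back comparison catches the common mistake of storing the thumbprint as text instead of as the raw hash bytes.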
Modification Type: Minor | Last Reviewed: 1/27/2006
Keywords: kbinfo KB295680