Article ID: 295680 - View products that this article applies to.
This article was previously published under Q295680
This article describes the process of using the Cipher.exe command-line utility to facilitate the migration of users from their existing self-signed certificates to certification authority (CA)-issued certificates.
Encrypting File System (EFS) uses digital certificates to enable the encryption and the recovery of user files. In the absence of a certification authority (CA) that is capable of issuing file encryption certificates, the EFS service generates a new certificate and digitally signs it with the private key of the user. This certificate is known as a self-signed certificate.
Self-signed certificates enable users to utilize EFS in the absence of a public key infrastructure (PKI) or Active Directory. However, these certificates cannot be centrally managed by administrators. When a CA has been deployed, the management of user certificates in the enterprise becomes much easier, but administrators are then faced with the problem of migrating users from their existing self-signed certificates to CA-issued certificates.
Cipher.exe is a command-line utility that is available in Microsoft Windows 2000 and in Microsoft Windows XP Professional x64 Edition with Service Pack 2. With this utility, users can request new CA-issued file encryption certificates to replace their existing self-signed file encryption certificates.
The cipher /k command can cause Windows 2000 and Windows XP Professional x64 Edition with Service Pack 2 to archive the existing self-signed certificate and request a new one from a CA. Any files that have been encrypted with the earlier public key can still be decrypted, and when they are subsequently saved, they can be encrypted with the new public key.
The Cipher utility can be called in a logon script to automatically and invisibly migrate users. This utility only works locally; it cannot request new certificates for files that have been encrypted on remote servers.
The cipher /k command does not adjust the registry subkey that controls what certificate is used for file encryption. To use the newly requested certificate that was created through cipher /k, the following registry subkey has to have the fingerprint of the certification authority-issued certificate. Otherwise, EFS continues to encrypt files with the self-signed certificate.
Copy the thumbprint out of the certification authority-issued certificate, and then paste it into the registry subkey. To do this, follow these steps:
Cipher /k should replace the self-signed certificate. Cipher /k it tries to enroll for a Basic EFS certificate from an appropriately configured CA. If that process is unsuccessful, a new self-signed certificate is issued. If a Basic EFS certificate is issued, you can then auto-enroll for a new Version 2 certificate. If the template is configured correctly, the new Version 2 certificate supersedes any existing Basic EFS certificate and archives it in the user's personal store. However, on Windows XP, EFS continues to use the Basic EFS certificate and key for all encryption operations and decryption operations until this certificate expires. After this certificate expires, Windows XP begins to use the new auto-enrolled Version 2 certificates. This is a known issue.
Article ID: 295680 - Last Review: March 6, 2007 - Revision: 4.0