Article ID: 295680 - Last Review: March 6, 2007 - Revision: 4.0

Using the Cipher.exe utility to migrate self-signed certificates to certification authority-issued certificates

This article was previously published under Q295680

SUMMARY

This article describes the process of using the Cipher.exe command-line utility to facilitate the migration of users from their existing self-signed certificates to certification authority (CA)-issued certificates.
MORE INFORMATION

Encrypting File System (EFS) uses digital certificates to enable the encryption and the recovery of user files. In the absence of a certification authority (CA) that is capable of issuing file encryption certificates, the EFS service generates a new certificate and digitally signs it with the private key of the user. This certificate is known as a self-signed certificate.

Self-signed certificates enable users to utilize EFS in the absence of a public key infrastructure (PKI) or Active Directory. However, these certificates cannot be centrally managed by administrators. When a CA has been deployed, the management of user certificates in the enterprise becomes much easier, but administrators are then faced with the problem of migrating users from their existing self-signed certificates to CA-issued certificates.

Cipher.exe is a command-line utility that is available in Microsoft Windows 2000 and in Microsoft Windows XP Professional x64 Edition with Service Pack 2. With this utility, users can request new CA-issued file encryption certificates to replace their existing self-signed file encryption certificates. The cipher /k command can cause Windows 2000 and Windows XP Professional x64 Edition with Service Pack 2 to archive the existing self-signed certificate and request a new one from a CA. Any files that have been encrypted with the earlier public key can still be decrypted, and when they are subsequently saved, they can be encrypted with the new public key.

The Cipher utility can be called in a logon script to automatically and invisibly migrate users. This utility only works locally; it cannot request new certificates for files that have been encrypted on remote servers.

The cipher /k command does not adjust the registry subkey that controls which certificate is used for file encryption. To use the newly requested certificate that was created through cipher /k, the following registry subkey has to contain the fingerprint of the certification authority-issued certificate. Otherwise, EFS continues to encrypt files with the self-signed certificate.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys

Copy the thumbprint out of the certification authority-issued certificate, and then paste it into the registry subkey. To do this, follow these steps:
Cipher /k should replace the self-signed certificate. When you run cipher /k, it tries to enroll for a Basic EFS certificate from an appropriately configured CA. If that process is unsuccessful, a new self-signed certificate is issued. If a Basic EFS certificate is issued, you can then auto-enroll for a new Version 2 certificate. If the template is configured correctly, the new Version 2 certificate supersedes any existing Basic EFS certificate and archives it in the user's personal store. However, on Windows XP, EFS continues to use the Basic EFS certificate and key for all encryption operations and decryption operations until this certificate expires. After this certificate expires, Windows XP begins to use the new auto-enrolled Version 2 certificates. This is a known issue.
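The migration described above (run cipher /k, then point the CurrentKeys subkey at the CA-issued certificate's thumbprint), as an added PowerShell example that is not part of the original article. It assumes a PowerShell host with the Cert: drive, runs in the context of the user being migrated, and assumes that EFS reads the thumbprint from the REG_BINARY value named CertificateHash under CurrentKeys (the article names the subkey but not the value). Because cipher /k falls back to a fresh self-signed certificate when enrollment fails, the script checks the issuer before and after and refuses to proceed if no CA-issued certificate is present.

```powershell
# Added example, not code from the KB article. Assumes a PowerShell host with the
# Cert: drive and that EFS reads the thumbprint from the REG_BINARY value
# "CertificateHash" under the CurrentKeys subkey (the article names the subkey
# but not the value). Run in the context of the user being migrated.
$EfsEku  = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System
$KeyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'

function Test-EfsCertificate($cert) {
    # True for a certificate that has a private key and carries the EFS EKU.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $cert.HasPrivateKey -and $eku -and
        (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $EfsEku)
}

function Get-EfsCurrentCertificate {
    # Resolve the thumbprint EFS currently encrypts with to a certificate in the store.
    $hash = (Get-ItemProperty -Path $KeyPath -Name CertificateHash -ErrorAction SilentlyContinue).CertificateHash
    if (-not $hash) { return $null }
    $thumb = ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumb }
}

# Before: report what EFS uses now. A self-signed certificate has Issuer equal to Subject.
$before = Get-EfsCurrentCertificate
if ($before -and $before.Issuer -eq $before.Subject) {
    Write-Host "EFS currently uses self-signed certificate $($before.Thumbprint)"
}

# Step 1: archive the self-signed certificate and request a new one from the CA.
cipher /k | Out-Null

# Step 2: pick the newest CA-issued EFS certificate. cipher /k issues a new
# self-signed certificate when enrollment fails, so exclude self-signed ones.
$caIssued = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { (Test-EfsCertificate $_) -and $_.Issuer -ne $_.Subject } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $caIssued) { throw 'No CA-issued EFS certificate found; enrollment did not succeed.' }

# Step 3: store the thumbprint as raw SHA-1 bytes, which is the form CurrentKeys holds.
$bytes = [byte[]](0..19 | ForEach-Object { [Convert]::ToByte($caIssued.Thumbprint.Substring(2 * $_, 2), 16) })
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
Set-ItemProperty -Path $KeyPath -Name CertificateHash -Value $bytes -Type Binary

# Step 4: verify that EFS now references the CA-issued certificate.
$after = Get-EfsCurrentCertificate
if ($after -and $after.Thumbprint -eq $caIssued.Thumbprint) {
    Write-Host "EFS now uses CA-issued certificate $($after.Thumbprint) from $($after.Issuer)"
} else {
    throw 'CurrentKeys does not reference the CA-issued certificate; EFS will keep using the old key.'
}
```

Existing files stay readable because the archived self-signed key remains in the store; they pick up the new key only when they are saved again, as the article notes.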