Self-signed certificates enable users to utilize EFS in the absence of a public key infrastructure (PKI) or Active Directory. However, these certificates cannot be centrally managed by administrators. When a CA has been deployed, the management of user certificates in the enterprise becomes much easier, but administrators are then faced with the problem of migrating users from their existing self-signed certificates to CA-issued certificates.
Cipher.exe is a command-line utility that is available in Microsoft Windows 2000 and in Microsoft Windows XP Professional x64 Edition with Service Pack 2. With this utility, users can request new CA-issued file encryption certificates to replace their existing self-signed file encryption certificates.
The cipher /k command can cause Windows 2000 and Windows XP Professional x64 Edition with Service Pack 2 to archive the existing self-signed certificate and request a new one from a CA. Any files that have been encrypted with the earlier public key can still be decrypted, and when they are subsequently saved, they can be encrypted with the new public key.
The Cipher utility can be called in a logon script to automatically and invisibly migrate users. This utility only works locally; it cannot request new certificates for files that have been encrypted on remote servers.
The cipher /k command does not adjust the registry subkey that controls what certificate is used for file encryption. To use the newly requested certificate that was created through cipher /k, the following registry subkey has to have the fingerprint of the certification authority-issued certificate. Otherwise, EFS continues to encrypt files with the self-signed certificate.
- Click Start, click Run, type certmgr.msc in the Open box, and then click OK.
- Locate the certification authority (CA)-issued certificate.
- Double-click the certificate, click the
Details tab, click Thumbprint, and then copy the thumbprint data that appears in the box that is below the thumbprint.
Note This step is valid only for Windows 2000. For Windows XP Professional x64 Edition with Service Pack 2, you have to manually type the thumbprint into the registry.
- Open Registry Editor, and then locate the registry subkey that was mentioned earlier.
- In the right pane, click CertificateHash, click Edit, and then click Modify.
- Paste the thumbprint data that you copied in step 3 into the
Value data box, and then click OK.
- Close Registry Editor.
Cipher /k should replace the self-signed certificate. Cipher /k it tries to enroll for a Basic EFS certificate from an appropriately configured CA. If that process is unsuccessful, a new self-signed certificate is issued. If a Basic EFS certificate is issued, you can then auto-enroll for a new Version 2 certificate. If the template is configured correctly, the new Version 2 certificate supersedes any existing Basic EFS certificate and archives it in the user's personal store. However, on Windows XP, EFS continues to use the Basic EFS certificate and key for all encryption operations and decryption operations until this certificate expires. After this certificate expires, Windows XP begins to use the new auto-enrolled Version 2 certificates. This is a known issue.
Article ID: 295680 - Last Review: Mar 6, 2007 - Revision: 1