Certificate template for EFS

Milan Ojstersek - 30 Mar 2005 18:29 GMT
Hi!

EFS, an MS Win2K3 CA and PKI are established in the network.
EFS on WinXP can get a certificate (Basic EFS certificate template) on demand
when EFS encryption is required (the user changes the encryption properties
of a folder).
But EFS cannot get a certificate from the MS CA if the certificate template is other
than Basic EFS. If the Basic EFS certificate template doesn't allow enrollment
(based on user permissions, or it is not published on the CA), then EFS issues
a self-issued EFS certificate, which is not what we want. And we get the same
functionality if we have another certificate template with the EFS EKU.
Of course this other certificate template is just a copy of Basic EFS, but it
cannot be issued on demand like Basic EFS.

Why just Basic EFS certificate template?
What is the right solution?

Your help will be very appreciated.

Regards
Milan Ojstersek
Anand Abhyankar [MS] - 31 Mar 2005 03:28 GMT
Check:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx


EFS and Autoenrollment
EFS always attempts to enroll for the Basic EFS template by default. The EFS
component driver generates an autoenrollment request that autoenrollment
tries to fulfill. For customers who want to ensure that a specific template
is used for EFS (such as to include key archival), the new template should
supersede the Basic EFS template. The Basic EFS template should also be
removed from any Enterprise CA. This will ensure that autoenrollment will
not attempt enrollment for the Basic EFS template any more. For customers
who wish to replace the Basic EFS template with a certificate and key that
is archived through the Windows Server 2003, Enterprise Edition CA, the
proper procedure is to supersede the Basic EFS template with a new version 2
certificate template.


Thanks,
Anand Abhyankar [MS]

----
This posting is provided "AS IS" with no warranties, and confers no rights.
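
As an added example (not part of the original thread or of the Microsoft article quoted above), here is a PowerShell check that can be run as the affected user once the new template has superseded Basic EFS. It lists every certificate in the user's store that carries the EFS EKU, flags self-issued ones, and shows the template each was issued from. It assumes Windows PowerShell 3.0 or later; the function name `Get-EfsCertificateReport` is hypothetical, and the OIDs are the standard Microsoft EFS EKU and certificate-template extension identifiers.

```powershell
# Added example (not from the thread): list the current user's EFS certificates,
# flag self-issued ones, and show the template each was issued from.
$EfsEku     = '1.3.6.1.4.1.311.10.3.4'  # Encrypting File System EKU
$TemplateV1 = '1.3.6.1.4.1.311.20.2'    # template name extension (version 1 templates)
$TemplateV2 = '1.3.6.1.4.1.311.21.7'    # template information extension (version 2 templates)

function Get-EfsCertificateReport {   # hypothetical helper name
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_

        # Keep only certificates whose EKU extension lists the EFS purpose.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $ekuExt) { return }
        $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if ($ekus -notcontains $EfsEku) { return }

        # Prefer the version 2 template extension; fall back to the version 1 name.
        $tmplExt = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq $TemplateV2 } | Select-Object -First 1
        if (-not $tmplExt) {
            $tmplExt = $cert.Extensions |
                Where-Object { $_.Oid.Value -eq $TemplateV1 } | Select-Object -First 1
        }
        $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

        [PSCustomObject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfIssued = ($cert.Subject -eq $cert.Issuer)  # subject equals issuer
            Template   = $template
            NotAfter   = $cert.NotAfter
        }
    }
}

Get-EfsCertificateReport | Format-List
```

A certificate reported with `SelfIssued` set to `True` was generated locally rather than issued by the CA; a certificate enrolled from the superseding version 2 template shows that template in the `Template` field.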
