This article describes how Microsoft Windows 2000 supports third-party Certification Authorities (CAs) that issue Encrypting File System (EFS) certificates and EFS Recovery Agent certificates.
Overview
The rules for forming the EFS Recovery Agent certificate are:
- Key Usage = Key Encipherment
- Extended Key Usage (EKU) = File Recovery (1.3.6.1.4.1.311.10.3.4.1)
As stated in the "EFS Certificate" section, the third-party CA may provide Microsoft clients with Web enrollment pages to enroll for the certificates, or the third-party CA may export the certificate and the associated private key into a file that can be imported into a Microsoft client.
After it is created, the certificate can be imported by using the Recovery Agent Wizard.
During file recovery, both the file recovery certificate and the private key must be imported into the system that is used to recover the files according to the following guidelines:
- Keys must be stored in the Microsoft RSABase CSP.
- The Key Info property on the certificate must point to this key in the RSABase CSP. The provider name should be "Microsoft Base Cryptographic Provider v1.0."
You can use the Certificate Import Wizard in the Certificates MMC snap-in to import the certificate and private key.
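The following script is an added example, not part of the original article and not Microsoft's own tooling. It checks a certificate in the current user's Personal store against the three requirements above: Key Usage includes Key Encipherment, the EKU contains the File Recovery OID, and the private key is held by the Microsoft Base Cryptographic Provider v1.0 (a CryptoAPI CSP, not a CNG key storage provider). It assumes a current Windows version with PowerShell; Windows 2000 itself has no PowerShell, so this is a way to validate a third-party-issued recovery certificate before it is carried to a recovery system, not something run on the Windows 2000 host. The function name and the `$problems` reporting structure are this example's own.

```powershell
# Added example: validate EFS Recovery Agent certificates against the article's rules.
# Assumption: current Windows with PowerShell and .NET X509Certificate2 (not Windows 2000).

$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'                 # EKU OID from the article
$RequiredCsp     = 'Microsoft Base Cryptographic Provider v1.0' # provider name from the article

function Test-EfsRecoveryAgentCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert
    )

    $problems = @()

    # Rule 1: Key Usage extension must be present and include Key Encipherment.
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku) {
        $problems += 'Key Usage extension missing'
    } elseif (-not $ku.KeyUsages.HasFlag(
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)) {
        $problems += "Key Usage is '$($ku.KeyUsages)'; Key Encipherment not set"
    }

    # Rule 2: Enhanced Key Usage must contain File Recovery (1.3.6.1.4.1.311.10.3.4.1).
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) {
        $problems += 'Enhanced Key Usage extension missing'
    } elseif (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryEku })) {
        $problems += "EKU does not contain File Recovery ($FileRecoveryEku)"
    }

    # Rule 3: a private key must be present, and the certificate's key provider info
    # must point into the Base CSP. A CNG-held key shows up here as $null.
    if (-not $Cert.HasPrivateKey) {
        $problems += 'No private key is associated with this certificate'
    } else {
        $rsa = $Cert.PrivateKey
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $provider = $rsa.CspKeyContainerInfo.ProviderName
            if ($provider -ne $RequiredCsp) {
                $problems += "Private key is in CSP '$provider'; expected '$RequiredCsp'"
            }
        } else {
            $problems += 'Private key is not a CryptoAPI RSA key (likely CNG); Key Info does not point into the Base CSP'
        }
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Compliant  = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Report every certificate in the current user's Personal store.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-EfsRecoveryAgentCert -Cert $_ } |
    Format-List Subject, Thumbprint, Compliant, Problems
```

The third check is the one that most often fails in practice: a PFX exported by a third-party CA imports cleanly, but if the key lands in a different CSP (or, on current Windows, in a CNG provider) the Key Info property no longer points where Windows 2000 EFS expects it. On current Windows versions, `certutil -user -csp "Microsoft Base Cryptographic Provider v1.0" -importPFX <file.pfx>` is one way to direct the key into that provider at import time; this is an alternative to the wizard and is not described in the article.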
IMPORTANT: The rules that are outlined in this article were validated by Microsoft by configuring a leading, third-party certification authority product to issue EFS and EFS Recovery Agent certificates. The EFS test team tested encryption and recovery by using these certificates.