|
Posted by =?Utf-8?B?anVzdG1hcms=?= on April 30, 2008, 1:45 pm
If you were Registered and logged in, you could reply and use other advanced thread options
> A couple of things here. First of all, have you checked to see if any EFS
> certificates have actually been issued in the first place? Just because you
> have or had a CA up and running, that does not mean that it has issued any
> EFS certificates.
Hi Paul!
Well, my CA snapin tells me that I've issued several Basic EFS (EFS)
certificates to some of my users. They're assuring me that they have no
encrypted files anymore. I also have several Domain Controller certificates.
> Secondly if you have issued EFS certificates are they based on the default
> version 1 Basic EFS certificate template? If so then you really don't need
> to worry about the CA being available as you won't have the private key of
> any issued certificates archived.
I think what you're asking is what I'm seeing - Basic EFS (EFS) is the type
issued in my Issued Certificates. I created a test folder on my PC and
encrypted the contents and it generated another of these for me. Admittedly,
I don't know much about this - the reason I'm asking such questions - the
whole process concerns me because two years ago (before my time so I don't
know the details) one of our users had encrypted files and something happened
and she was never again able to access them. When I remove the CA and
decommission this server, I don't want that to happen to me :-(
>
> Thirdly you need to understand how revocation works with EFS. The only time
> that EFS will check for certificate revocation is when one is trying to
> share an EFS encrypted file with another user. EFS will check to see
> whether or not that user's certificate has been revoked. If it has been you
> won't be able to share the encrypted file with that user. If you revoked
> your EFS certificate you will be able to use it to encrypt new content as
> long as it is still time valid and you'll be able to use it to decrypt
> existing content forever.
>
> You seem to be under the impression that their is a close tie-in with a CA
> and EFS and there really is not.
You're right - I'm worried about this whole process and not sure how it ties
together. I need to get rid of the server hosting CA and need to clean up
anything in AD related to this CA's existence. If I just go in and uninstall
the CA and do a cleanup, I want to be sure that I won't cause a problem.
From what I hear, you don't think I'll have any issues?
Thanks,
Mark
| 
XML site map