Obtaining a file-recovery certificate

If you are using the default recovery policy in a domain, requesting recovery certificates isn't necessary because the required certificates are already in place in the Domain Administrator's certificate store. If you are instead delegating recovery responsibility to a specific group of users or to individual accounts, you may want to use a Certificate Authority (CA) to generate recovery certificates when requested by recovery agents.

Note You don't specifically need to use a CA to distribute recovery certificates. You can simply export the default domain-recovery certificate from the Domain Administrator's certificate store and then give the certificate to individual users designated as recovery agents for import on their computers. Using multiple certificates, however, can increase security by not putting all your recovery eggs in one basket. Instead, you can rely on the CA to issue a unique recovery certificate to each recovery agent.

Because this chapter focuses on file systems, it does not cover how to set up a CA. Instead, the following steps explain the general procedure for providing a means for recovery agents to request recovery certificates:

See Blair Rampling's Windows Server 2003 Security Bible (Wiley, 2003) for details on how to set up a CA.

1. If no CA is currently installed, log on to a domain controller and run the Add/Remove Programs object in the Control Panel. Install Certificate Services.

2. Create a group called Domain Recovery Agents in the domain and add the appropriate users to the group. Configure policies on the CA to enable the designated users or group to request recovery certificates from the CA. To do so, open the Certificate Authority console, right-click the server, and choose Properties. Click the Security tab, and grant Enroll and Read permission as needed.

3. Have each recovery agent request a recovery certificate from the CA. To start this process, the agents open the Certificates MMC console, right-click their Personal store, and choose All Tasks ➪ Request New Certificate from the pop-up menu to start the Certificate Request Wizard.

4. The wizard automatically locates a CA in the domain, but the agent can choose a specific CA if needed. Through the wizard, the agent specifies that she wants to obtain an EFS Recovery Agent certificate and follows the wizard's prompts to obtain it.

5. If the certificate is not automatically published to Active Directory, the agent needs to export the certificate without the private key to a CER file, using the Certificates console. The domain administrator then uses this file to add the certificate to the domain recovery policy.

6. The agent exports the certificate to a secure PFX file by using the Certificates console and places the PFX in a secure archive. Then the agent deletes the certificate from the local computer, again through the Certificates console. This ensures that the certificate is applied through the domain policy, rather than through the local policy.
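The following PowerShell script is an added example, not part of the book, that performs the command-line equivalent of steps 5 and 6 for one recovery agent: it locates the CA-issued EFS Recovery Agent certificate by its File Recovery EKU, exports the public part to a CER file, exports certificate and private key to a password-protected PFX, verifies the archive copy, and only then removes the certificate and key from the local store. It assumes the PKI module shipped with Windows 8 / Server 2012 or later; the file paths and archive share are assumptions.

```powershell
# Added example (not the book's): scripted equivalent of steps 5 and 6.
# Requires the PKI module (Windows 8 / Server 2012 or later).
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" EKU OID
$CerPath = "$env:USERPROFILE\Desktop\efs-recovery-agent.cer"   # assumed path
$PfxPath = '\\secure-archive\efs-ra\efs-recovery-agent.pfx'    # assumed share

# Locate the recovery agent certificate in the agent's Personal store.
# Only a certificate with the File Recovery EKU and a private key qualifies.
$raCert = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $FileRecoveryEku)
})
if ($raCert.Count -eq 0) {
    throw 'No EFS Recovery Agent certificate with a private key was found.'
}
if ($raCert.Count -gt 1) {
    throw 'More than one recovery agent certificate found; select one by thumbprint.'
}
$raCert = $raCert[0]

# Step 5: export the public certificate only (no private key). The domain
# administrator adds this CER file to the domain recovery policy.
Export-Certificate -Cert $raCert -FilePath $CerPath -Type CERT | Out-Null

# Step 6: export certificate plus private key to a password-protected PFX
# and place it in the secure archive.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX archive password'
Export-PfxCertificate -Cert $raCert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# Verify the archive copy loads and matches before destroying the local key;
# a corrupt PFX here would leave the domain with no usable recovery key.
$archived = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $PfxPath, $pfxPassword
if ($archived.Thumbprint -ne $raCert.Thumbprint -or -not $archived.HasPrivateKey) {
    throw 'Archived PFX does not match the local certificate; local copy kept.'
}

# Remove certificate and private key from the local store so recovery is
# applied through the domain policy rather than the local policy.
Remove-Item -Path $raCert.PSPath -DeleteKey
Write-Output "Recovery agent certificate $($raCert.Thumbprint) archived to $PfxPath and removed locally."
```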

