Using Enterprise Certification Authorities to Issue Certificates in C#.NET

Encoding QR Code ISO/IEC18004 in C#.NET Using Enterprise Certification Authorities to Issue Certificates

Domain environments can be configured so that EFS works just as it does in a stand-alone environment, creating self-signed certificates for users. Enterprise CAs can also be configured in the domain to create certificates for users. Certificates that are issued by enterprise certification authorities (CA) are based on certificate templates. Certificate templates are stored in

Part III:

Active Directory and define the attributes of certificate types to be issued to users and computers. The following three version 1 certificate templates support EFS user operations by default:

Administrator and user certificates have a number of uses in addition to EFS. A basic EFS certificate can be used for EFS operations only. Enterprise CAs use Access Control Lists (ACLs) for certificate templates in Active Directory to determine whether to approve certificate requests. If a user has the Enroll permission for a certificate template, the CA will issue a certificate of the type defined by the template to the user. By default, members of the Domain Admins and Domain Users security groups have Enroll permission for basic EFS certificates and user certificates. By default, members of the Domain Admins and Enterprise Admins security groups have Enroll permission for administrator certificates. Users can obtain an EFS certificate from an Enterprise CA by using one of these methods:

On-demand enrollment using an Enterprise CA and properly configured certificate templates Manual enrollment by the end-user

Using an Enterprise CA ensures that users can easily and seamlessly obtain EFS certificates. This is also the lowest-cost option for certificate deployment. Certificates can be requested from a CA by using the Certificates snap-in. To request a certificate from a CA 1. Open the Certificates snap-in, expand Personal folder, right-click Certificates, and then select All Tasks and Request New Certificate. The Request New Certificate Wizard starts. 2. On the Certificate Types page, select Basic EFS, and click Next. 3. Enter a Friendly name and a Description, and click Next. 4. Click Finish to close the Request New Certificate Wizard. Open the Certificates folder to see the new certificate. In Figure18-6, the administrator has a self-signed recovery certificate that EFS generated for the default EFS recovery policy. You can tell that the File Recovery certificate is self-signed because Issued To is the same as Issued By. Below it is the EFS certificate that was just requested. The EFS certificate was issued by a certification authority named CA1.

18:

Figure 18-6

EFS automatically renews certificates if possible. Self-signed certificates are valid for 100 years, so renewal is not an issue if you use these certificates. Certificates issued by certification authorities are typically valid for only a few years. You can view a certificate s expiration date in the Certificates snap-in. If EFS is unable to automatically renew an expired certificate, you are unable to encrypt more files by using the existing certificate. You can still decrypt files, however, because EFS stores existing private keys. If EFS cannot renew the certificate, it requests a new certificate from a trusted enterprise CA if one is known and available. Otherwise, EFS creates a new self-signed certificate. If for any reason you want to generate a new self-signed certificate for a user, you can use the cipher command. To generate a new certificate by using the cipher command

At the command line, type:

The output is the identifier that links the new private and public keys. You can view this identifier in the EFS certificate in the Certificates snap-in. The following is an example of output from the cipher command.

X:\>cipher /k Your new file encryption certificate thumbnail information on the PC named WK-01 is: AEE8 15AD 68EE B640 9CD7 C25F 4E98 4CBC C2D9 7378