
Forcing EFS to request certificates other than the Basic EFS template


David Chadwick

Jan 1, 2006, 1:15:06 PM
Hi,

I am running an Enterprise CA on Windows 2003 Enterprise Edition. My goal
is to have users only ever get a certificate based on a User V2 template
that I have created. I specifically do not want them to get any Basic EFS
certificates. The User V2 certificate template I created is capable of EFS
and Client Authentication. I also want to archive the private keys of these
certificates.

I have duplicated the User V1 certificate template (so that it is now a V2
template) and turned on archiving. I also added both the Basic EFS and User
V1 certificate templates to the "Superseded Templates" section. I was under
the impression that this would mean when a Basic EFS certificate was
requested one of my new User V2 certificates would be sent instead. This
doesn't seem to be happening.

If I leave Basic EFS as a template that the CA is allowed to issue, when a
user first encrypts a file they receive a certificate based on the Basic EFS
template. If I remove the option of the CA handing out Basic EFS
certificates then the EFS system generates a self-signed certificate when
the user first encrypts something.

Is there any way for me to get the CA to hand out one of my new User V2
certificates when a Basic EFS certificate is requested? I assumed that the
"Superseded Templates" option would achieve what I wanted, but that doesn't
seem to be the case. Is this normal? If so, what does "Superseded
Templates" do exactly?

My goal is to always issue an archived User V2 certificate whenever a user
first uses EFS. I'd like to avoid the system generating a self-signed
certificate for EFS and also avoid ever handing out a Basic EFS certificate.
Is this possible?

Thanks for any ideas.

Cheers,
David


David Chadwick

Jan 2, 2006, 10:32:48 AM
Hi,

I thought I would add some more information about this issue. This MS
article:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

...contains the following paragraph:

"EFS and Autoenrollment
EFS always attempts to enroll for the Basic EFS template by default. The EFS
component driver generates an autoenrollment request that autoenrollment
tries to fulfill. For customers who want to ensure that a specific template
is used for EFS (such as to include key archival), the new template should
supersede the Basic EFS template. The Basic EFS template should also be
removed from any Enterprise CA. This will ensure that autoenrollment will
not attempt enrollment for the Basic EFS template any more. For customers
who wish to replace the Basic EFS template with a certificate and key that
is archived through the Windows Server 2003, Enterprise Edition CA, the
proper procedure is to supersede the Basic EFS template with a new version 2
certificate template."

The preceding paragraph implies that by creating a V2 template (a duplicate
of "Basic EFS") and superseding the old "Basic EFS" template, the CA
will issue the new template to EFS instead. However, in my experience this
is not the case. If you remove the "Basic EFS" template from the CA (as
suggested above) then EFS starts using self-signed certificates (just like
when you don't have an Enterprise CA). EFS is NOT issued with the new V2
certificate that supersedes the "Basic EFS" template.

Can anybody state that they have successfully enabled a CA to hand out
certificates other than a "Basic EFS" template to the EFS service? If it
can't be done then the paragraph I quoted is very misleading. The sentence
"For customers who want to ensure that a specific template is used for EFS
(such as to include key archival)" very much sounds like it can be done.
The fact that they mention the "Basic EFS" template is used by "default"
sounds like you can change this default. They've even gone as far as to say
you should remove the "Basic EFS" template from all your Enterprise CAs.
As soon as you do this, EFS starts using self-signed certificates, which
isn't good!

Given that using "Superseded Templates" does not appear to work in this
situation, what exactly is it meant to do?

It would be great to hear from anyone who has tried this with success or
otherwise.

Cheers,
David


"David Chadwick" <da...@opticsenses.com> wrote in message
news:%23vEdM9v...@TK2MSFTNGP14.phx.gbl...

Brian Komar [MVP]

Jan 14, 2006, 11:08:01 AM
Answers inline...

In article <#vEdM9vD...@TK2MSFTNGP14.phx.gbl>,
da...@opticsenses.com says...


> Hi,
>
> I am running an Enterprise CA on Windows 2003 Enterprise Edition. My goal
> is to have users only ever get a certificate based on a User V2 template
> that I have created. I specifically do not want them to get any Basic EFS
> certificates. The User V2 certificate template I created is capable of EFS
> and Client Authentication. I also want to archive the private keys of these
> certificates.
>

Why not just do EFS authentication? You are combining an authentication
cert with an encryption cert (and archiving the private key). This means
that the person recovering the private key can impersonate you, as they
now have *your* client auth cert...

> I have duplicated the User V1 certificate template (so that it is now a V2
> template) and turned on archiving. I also added both the Basic EFS and User
> V1 certificate templates to the "Superseded Templates" section. I was under
> the impression that this would mean when a Basic EFS certificate was
> requested one of my new User V2 certificates would be sent instead. This
> doesn't seem to be happening.

That is correct. EFS is hard coded to look for a Basic EFS certificate.
It will go and grab the certificate when encryption is enabled if a
certificate with the EFS OID does not exist in the user's store.


>
> If I leave Basic EFS as a template that the CA is allowed to issue, when a
> user first encrypts a file they receive a certificate based on the Basic EFS
> template. If I remove the option of the CA handing out Basic EFS
> certificates then the EFS system generates a self-signed certificate when
> the user first encrypts something.

You are missing the key point of the design. You need to enable
autoenrollment for your custom EFS certificate (minus the client auth),
and get those to the users before they start encryption. EFS will then
use the existing cert.


>
> Is there any way for me to get the CA to hand out one of my new User V2
> certificates when a Basic EFS certificate is requested? I assumed that the
> "Superseded Templates" option would achieve what I wanted, but that doesn't
> seem to be the case. Is this normal? If so, what does "Superseded
> Templates" do exactly?

You need to distribute beforehand. Superseded templates require
that autoenrollment be enabled (which it is not). And EFS is a special
case, in that with no certs distributed prior, EFS will get the Basic
EFS cert and use it immediately.


>
> My goal is to always issue an archived User V2 certificate whenever a user
> first uses EFS. I'd like to avoid the system generating a self signed
> certificate for EFS and also avoid ever handing out a Basic EFS certificate.
> Is this possible?

See the autoenrollment whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
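An added example (not from the thread or from Microsoft): a PowerShell audit that checks what Brian describes, i.e. whether a user's personal store already holds an EFS-capable certificate before first encryption, which template issued it, whether it is the self-signed fallback, and whether it also carries Client Authentication (the impersonation risk raised above). The OIDs are the documented Microsoft values; the function name and the store path parameter are this example's own.

```powershell
# Added audit example; not part of the original thread.
# EFS only uses certificates whose EKU includes the EFS OID. If none is
# present when a user first encrypts, EFS enrolls for Basic EFS or, failing
# that, creates a self-signed certificate (Subject == Issuer).
$EfsEku        = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU
$TemplateV1Oid = '1.3.6.1.4.1.311.20.2'     # V1 template name extension
$TemplateV2Oid = '1.3.6.1.4.1.311.21.7'     # V2 template information extension

function Get-EfsCertificateReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # hypothetical parameter name

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $ekuExt) { continue }
        $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($ekus -notcontains $EfsEku) { continue }       # EFS will ignore this cert

        # V1 templates carry a name, V2 templates carry a template OID; report whichever is present
        $tmplExt = $cert.Extensions |
            Where-Object { $_.Oid.Value -in $TemplateV1Oid, $TemplateV2Oid } |
            Select-Object -First 1
        $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

        [PSCustomObject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            HasClientAuth = ($ekus -contains $ClientAuthEku)
            Template      = $template
            NotAfter      = $cert.NotAfter
        }
    }
}

$report = @(Get-EfsCertificateReport)
$report | Format-Table -AutoSize

if ($report.Count -eq 0) {
    Write-Warning 'No EFS-capable certificate yet: first encryption will trigger Basic EFS enrollment or a self-signed cert.'
}
foreach ($c in $report | Where-Object SelfSigned) {
    Write-Warning "Self-signed EFS cert $($c.Thumbprint): the CA-issued template was not in place before first use."
}
foreach ($c in $report | Where-Object HasClientAuth) {
    Write-Warning "EFS cert $($c.Thumbprint) also allows Client Authentication; archiving its key lets a recovery agent impersonate the user."
}
```

Run it as the user before rolling out the custom template's autoenrollment, then again afterwards; an entry whose Template shows your V2 template and SelfSigned is False is the state the thread is trying to reach.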
