ADCS - User certificate

  • Question

  • Hi There,

    We need to issue user certificates for our organization's users, basically for VPN connections. All this while we have been issuing computer certificates, which were fairly simple to manage with auto-enrollment. I was wondering about possible scenarios:

    1. When users log on to multiple devices, do they get a user certificate on all devices that they log on to? If so, how do you manage the number of certificates issued for the user? Or do I not need to bother about that?
    2. What would be the ideal validity period for a user certificate? For computers we have set 1 year validity and a 6-week renewal period. Is it OK to use the user certificate with the same validity as well, or with a shorter period? Can you please share best practices around this, if any?
    3. The default User template can perform authentication, EFS and Secure Email. Is it good that I prepare the user certificate to archive the private key and create a recovery agent before issuing the certificate to end users? Can I also remove the EFS and Secure Email options in the template if I do wish users to use the user certificate to perform file encryption and secure email using that certificate? Later I can create and issue a new certificate for encryption and secure email?


    Mahi



    • Edited by mahi Blr Saturday, November 9, 2019 8:20 PM
    Friday, November 8, 2019 3:43 PM

Answers

  • Hi,
    Here are the results from my test lab.

    Q1: When the 'User' certificate is issued with default settings, that is, the Client Authentication, EFS and Secure Email policies, and the user tries to encrypt a file on his machine, does this process automatically use the 'User' certificate to encrypt the data? Or does it use a self-signed certificate, generating one if not already available?

    A1:

    1. If a user has no Encrypting File System certificate, then when he encrypts a file, a self-signed certificate is generated for this user.

    2. After step 1, if we enroll or auto-enroll a Basic EFS certificate for the same user, then when we decrypt the same file and encrypt it again, it will still use the same self-signed certificate.


    Q2: In my test lab I issued BasicEFS certificates for a test user via auto-enrollment, but when I try to encrypt a file, it generates a self-signed certificate and encrypts files with that rather than using the BasicEFS certificate. Am I missing something here?

    A2:
    I think this file was encrypted with its self-signed certificate before; after that, if we enroll or auto-enroll a Basic EFS certificate for the same user, it will keep using its self-signed certificate instead of the Basic EFS certificate we enrolled.

    If we want the above user to use the Basic EFS certificate we enrolled, we need to change the computer group policy settings as follows:

    Select the specific certificate template and uncheck the option "Allow EFS to generate self-signed certificates when a certification authority is not available".





    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 13, 2019 12:02 PM
    Moderator
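    The test results above hinge on which certificate is actually protecting a given file: a self-signed EFS certificate that Windows generated on first use, or the CA-issued Basic EFS / User certificate. The following PowerShell script is an added example for checking that on a client; it is not code from the thread or from Microsoft. It assumes it is run as the user whose files are being checked, that the EFS EKU OID is 1.3.6.1.4.1.311.10.3.4, and that `cipher.exe /c` prints a "Certificate thumbprint:" line for each user who can decrypt the file (that label is an assumption to verify on your OS build). Treating "issuer equals subject" as self-signed is a heuristic, also labelled as such in the code.

```powershell
# Added example (not from the thread): list the current user's EFS-capable certificates
# and cross-reference them with the thumbprint(s) that protect a given encrypted file.
# Assumptions: run in the affected user's session; cipher.exe output carries a
# "Certificate thumbprint:" line per decrypting user (assumed label).

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

function Get-EfsCertificateReport {
    # One row per certificate in the user's Personal store that carries the EFS EKU.
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasEfs = $false
        if ($ekuExt) {
            $hasEfs = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })
        }
        if (-not $hasEfs) { return }   # skip certificates without the EFS EKU
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            # Heuristic: EFS-generated self-signed certificates have issuer == subject.
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            KeyAlgorithm  = $cert.PublicKey.Oid.FriendlyName   # 'RSA' or 'ECC'
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

function Get-EfsFileThumbprints {
    param([Parameter(Mandatory)][string]$Path)
    # Parse the thumbprints cipher.exe reports for the file's decrypting users.
    $output = & cipher.exe /c $Path 2>&1
    foreach ($line in $output) {
        if ($line -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            ($Matches[1] -replace '\s', '').ToUpper()
        }
    }
}

function Test-EfsFileUsesCaCertificate {
    param([Parameter(Mandatory)][string]$Path)
    # For each thumbprint on the file, say whether it is a CA-issued or a self-signed
    # EFS certificate from the user's store (or unknown to this user's store).
    $report = @(Get-EfsCertificateReport)
    foreach ($tp in Get-EfsFileThumbprints -Path $Path) {
        $match = $report | Where-Object { $_.Thumbprint -eq $tp }
        $selfSigned = $null
        $issuer     = '(not in CurrentUser\My)'
        if ($match) {
            $selfSigned = $match.SelfSigned
            $issuer     = $match.Issuer
        }
        [pscustomobject]@{
            File        = $Path
            Thumbprint  = $tp
            InUserStore = [bool]$match
            SelfSigned  = $selfSigned
            Issuer      = $issuer
        }
    }
}

# Usage: first see every EFS certificate the user holds, then check a specific file.
Get-EfsCertificateReport | Format-Table Thumbprint, SelfSigned, KeyAlgorithm, Issuer, NotAfter -AutoSize
Test-EfsFileUsesCaCertificate -Path "$env:USERPROFILE\Documents\secret.txt" | Format-List
```

    If the file's thumbprint maps to a row with SelfSigned set to True, the file is still bound to the locally generated certificate, which matches the behaviour described in A2 above; re-encrypting the file after the policy change (or replacing the key with `cipher /k`, which generates or selects a new EFS key for the user) is what moves it to the CA-issued certificate. The KeyAlgorithm column is included because the template's key algorithm is one of the things worth comparing against the CA-issued certificate when EFS does not pick it up.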

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    Here are the answers to your questions:


    Q1: When users log on to multiple devices, do they get a user certificate on all devices that they log on to? If so, how do you manage the number of certificates issued for the user? Or do I not need to bother about that?

    A1: Yes, when users log on to multiple devices, they get a user certificate on all devices that they log on to.

    I think we do not need to bother about that.

    1. We can assign a specific device to a specific user.
    2. Or we can set a shorter validity for the user certificate.



    Q2: What would be the ideal validity period for a user certificate? For computers we have set 1 year validity and a 6-week renewal period. Is it OK to use the user certificate with the same validity as well, or with a shorter period? Can you please share best practices around this, if any?

    A2: Usually, the validity period of any certificate generated by a Windows CA is the lesser of these three values:

    (1) The remaining lifetime of the root CA server;
    (2) The value specified in the certificate template;
    (3) The value specified in the CA server registry (default is 2 years):
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits

    We can set 1 year and 6 weeks, or any other validity period we want.



    Q3: The default User template can perform authentication, EFS and Secure Email. Is it good that I prepare the user certificate to archive the private key and create a recovery agent before issuing the certificate to end users? Can I also remove the EFS and Secure Email options in the template if I do wish users to use the user certificate to perform file encryption and secure email using that certificate? Later I can create and issue a new certificate for encryption and secure email?

    A3: We can prepare the user certificate to archive the private key and create a recovery agent.

    We can prepare the user certificate to archive the private key and create a recovery agent if we want; then, once a user's key is missing, we can recover his/her key with this recovery agent.

    We can remove the EFS and Secure Email options in the template if we do NOT wish users to use the user certificate to perform file encryption and secure email with that certificate.

    We can create and issue a new certificate for encryption and secure email later if we want.





    Best Regards,
    Daisy Zhou


    Monday, November 11, 2019 7:12 AM
    Moderator
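    A2 above describes the effective validity as the shortest of three independent limits (CA certificate lifetime, template, CA registry). The following PowerShell script is an added example, not code from the thread or from Microsoft, that gathers each of the three values and reports which one wins. It assumes it is run on the CA server with the ActiveDirectory module available, that the `Active` and `CACertHash` values under `CertSvc\Configuration` hold the active CA name and the CA certificate hashes (documented value names, but verify on your CA), and that the template is looked up by its CN under `CN=Certificate Templates` in the Configuration naming context. The `Get-EffectiveValidity` helper is pure, so the selection rule itself can be tried offline with constructed values.

```powershell
# Added example (not from the thread): compute the validity a Windows CA will give a
# certificate, i.e. the lesser of (1) the CA certificate's remaining lifetime,
# (2) the template validity and (3) the ValidityPeriod/ValidityPeriodUnits registry values.
# Assumptions: run on the CA; registry value names 'Active' and 'CACertHash' as documented.

$CfgKey = 'HKLM:\System\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaRegistryValidity {
    # (3) ValidityPeriod is the unit name ("Years"), ValidityPeriodUnits the count (default 2).
    $caName = (Get-ItemProperty -Path $CfgKey -Name Active).Active
    $ca     = Get-ItemProperty -Path (Join-Path $CfgKey $caName)
    $units  = [int]$ca.ValidityPeriodUnits
    switch ($ca.ValidityPeriod) {
        'Years'  { New-TimeSpan -Days (365 * $units) }
        'Months' { New-TimeSpan -Days (30 * $units) }
        'Weeks'  { New-TimeSpan -Days (7 * $units) }
        'Days'   { New-TimeSpan -Days $units }
        'Hours'  { New-TimeSpan -Hours $units }
        default  { throw "Unknown ValidityPeriod unit '$($ca.ValidityPeriod)'" }
    }
}

function Get-CaCertificateRemaining {
    # (1) Resolve the CA's own certificate through CACertHash and return the time left.
    $caName = (Get-ItemProperty -Path $CfgKey -Name Active).Active
    $hashes = (Get-ItemProperty -Path (Join-Path $CfgKey $caName) -Name CACertHash).CACertHash
    $tp     = ($hashes | Select-Object -Last 1) -replace '\s', ''   # newest CA cert is listed last
    $cert   = Get-Item -Path "Cert:\LocalMachine\My\$tp"
    return ($cert.NotAfter - (Get-Date))
}

function Get-TemplateValidity {
    # (2) pKIExpirationPeriod is an 8-byte little-endian negative duration in 100-ns ticks.
    param([Parameter(Mandatory)][string]$TemplateName)
    Import-Module ActiveDirectory
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tpl = Get-ADObject -Identity $dn -Properties pKIExpirationPeriod
    $ticks = [BitConverter]::ToInt64([byte[]]$tpl.pKIExpirationPeriod, 0)
    return [TimeSpan]::FromTicks(-$ticks)   # .NET TimeSpan ticks are also 100 ns
}

function Get-EffectiveValidity {
    # Pure rule: the shortest of the three limits wins; returns the winner with its source.
    param(
        [Parameter(Mandatory)][TimeSpan]$CaRemaining,
        [Parameter(Mandatory)][TimeSpan]$TemplateValidity,
        [Parameter(Mandatory)][TimeSpan]$RegistryValidity
    )
    $candidates = @(
        [pscustomobject]@{ Source = 'CA certificate remaining lifetime'; Value = $CaRemaining }
        [pscustomobject]@{ Source = 'Certificate template';              Value = $TemplateValidity }
        [pscustomobject]@{ Source = 'CA registry ValidityPeriod';        Value = $RegistryValidity }
    )
    return $candidates | Sort-Object Value | Select-Object -First 1
}

# Offline demonstration with constructed values: a 1-year template against the 2-year
# registry default and a CA certificate with about 5 years left -> the template wins.
Get-EffectiveValidity -CaRemaining (New-TimeSpan -Days 1826) `
                      -TemplateValidity (New-TimeSpan -Days 365) `
                      -RegistryValidity (New-TimeSpan -Days 730)

# On the CA itself (requires the AD module and read access to the CertSvc registry key):
# Get-EffectiveValidity -CaRemaining (Get-CaCertificateRemaining) `
#                       -TemplateValidity (Get-TemplateValidity -TemplateName 'User') `
#                       -RegistryValidity (Get-CaRegistryValidity)
```

    The practical consequence for the question asked: setting 1 year in the User template only takes effect if the CA registry value is not shorter, so a template change alone is not enough when the CA's `ValidityPeriodUnits` has been lowered, and conversely a CA certificate nearing expiry silently truncates every certificate it issues.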
  • Thanks for your response.

    When the 'User' certificate is issued with default settings, that is, the Client Authentication, EFS and Secure Email policies, and the user tries to encrypt a file on his machine, does this process automatically use the 'User' certificate to encrypt the data? Or does it use a self-signed certificate, generating one if not already available?

    In my test lab I issued BasicEFS certificates for a test user via auto-enrollment, but when I try to encrypt a file, it generates a self-signed certificate and encrypts files with that rather than using the BasicEFS certificate. Am I missing something here?



    Mahi

    Tuesday, November 12, 2019 1:08 PM
  • Can you verify whether the user certificate has been imported or enrolled / auto-enrolled into the correct folder?

    It should be under Personal certificates in the User context.

    https://blogs.technet.microsoft.com/sbs/2010/03/09/help-secure-your-business-information-using-encrypting-file-system/


    Best Regards
    Jatin Makhija
    If my suggestion helps to resolve the issue, please click "Mark as Answer".

    Tuesday, November 12, 2019 2:03 PM
  • It is enrolled.

    Mahi

    Tuesday, November 12, 2019 8:05 PM
  • Hi,
    Does this question have any update, or is this issue solved? Also, for this question, is there any other assistance we could provide?



    Best Regards,
    Daisy Zhou


    Friday, November 15, 2019 3:24 AM
    Moderator
  • Hi,
    Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.

    Again thanks for your time and have a nice day!



    Best Regards,
    Daisy Zhou


    Monday, November 18, 2019 1:26 AM
    Moderator
  • Thanks Daisy for the answer. I have it working now. In addition to the above config, we need to change the algorithm type in the template from RSA to ECDSA so that we have a usable template. Otherwise, with RSA, although the template is issued with EFS, it does not do anything.

    Mahi

    Tuesday, November 19, 2019 4:09 AM
  • Hi,
    Thank you for your update, for sharing, and for marking my reply as the answer. I'm very glad that the information is helpful and the problem has been solved.

    As always, if there is any question in the future, we warmly welcome you to post in this forum again. We are happy to assist you!



    Best Regards,
    Daisy Zhou





    Friday, December 6, 2019 4:35 AM
    Moderator