I tried to back up the EFS certificate using the Certificate Export Wizard. I chose to export the private key, and when prompted to protect the .pfx file, the window caption displayed the message "To maintain security, you must protect the private key to a security principal or by using a password."
I had two options to protect the .pfx file: the first option had the caption "Group or user names (recommended)" with "Add" and "Remove" buttons, and the second option was the classic password protection. However, the first option was greyed out. Can anyone tell me how to enable the first option and how to use it?
I found the answer to my own question myself. At http://msdn.microsoft.com/en-us/library/windows/desktop/aa387313(v=vs.85).aspx it is stated that, if the parameter dwFlags of the PFXExportCertStoreEx function contains PKCS12_PROTECT_TO_DOMAIN_SIDS, you can set the pvPara parameter of the same function to point to an NCRYPT_DESCRIPTOR_HANDLE value to identify which Active Directory principal the PFX password will be protected to inside of the PFX BLOB. So the reason why I was not able to use this functionality is that the machine was not part of an Active Directory.
To further explain this functionality, I paste the explanation found at the same link above:
"Beginning with Windows 8 and Windows Server 2012, you can protect the PFX password to an Active Directory user, computer, or group. If you choose to do so but do not create a password, a temporary password will be randomly selected. The password is encrypted by using the Active Directory principal and then embedded in the PFX BLOB. For more information, see the pvPara parameter and the PKCS12_PROTECT_TO_DOMAIN_SIDS flag."
Marked as answer by Evolve_or_Die, Saturday, August 04, 2012 11:03 PM
Saturday, August 04, 2012 11:02 PM
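The same "protect to a security principal" mechanism that the wizard exposes (PKCS12_PROTECT_TO_DOMAIN_SIDS underneath) is available from PowerShell through Export-PfxCertificate's -ProtectTo parameter. The script below is an added example, not code from the original post; it assumes Windows 8 / Server 2012 or later with the PKI module, is run as the user who owns the EFS certificate, and uses placeholder values for the output path and the principal name. It also checks the failure mode the answer describes: on a machine that is not domain-joined, the principal option cannot work, so it stops instead of silently falling back.

```powershell
# Added example (not from the original post). Assumes PowerShell on Windows 8 / Server 2012
# or later with the PKI module, run by the owner of the EFS certificate.
# MYDOMAIN\EfsRecoveryAdmins and the output path are placeholders.
param(
    [string]$OutFile     = "$env:USERPROFILE\efs-backup.pfx",   # placeholder path
    [string[]]$ProtectTo = @("MYDOMAIN\EfsRecoveryAdmins")     # placeholder AD principal(s)
)

# The wizard's "Group or user names" option and -ProtectTo both rely on
# PKCS12_PROTECT_TO_DOMAIN_SIDS, which needs the machine to resolve the principal in
# Active Directory. A workgroup machine (the situation in the question) cannot use it.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "This computer is not domain-joined; -ProtectTo cannot be used here. Export with -Password instead."
}

# Select EFS certificates with a private key from the user's personal store, using the
# Encrypting File System enhanced key usage OID.
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$certs = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) }
if (-not $certs) {
    throw "No EFS certificate with a private key was found in Cert:\CurrentUser\My."
}

foreach ($cert in $certs) {
    # One file per certificate when more than one EFS certificate is present.
    $file = if (@($certs).Count -gt 1) { $OutFile -replace '\.pfx$', "-$($cert.Thumbprint).pfx" } else { $OutFile }

    # No -Password is given, so a random PFX password is chosen and embedded in the PFX,
    # encrypted to the listed principals' SIDs (the behaviour quoted in the answer above).
    Export-PfxCertificate -Cert $cert -FilePath $file -ProtectTo $ProtectTo -ChainOption EndEntityCertOnly | Out-Null
    Write-Output "Exported $($cert.Thumbprint) to $file, protected to: $($ProtectTo -join ', ')"
}
```

Only a member of the listed principals (or that principal itself) can later open the .pfx with Import-PfxCertificate without a password, so the group named in -ProtectTo should be limited to the accounts that are meant to recover the key.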